Iptables ACCEPT and DROP

Antony Stone netfilter@lists.netfilter.org
Fri, 16 Apr 2004 19:08:26 +0100


On Friday 16 April 2004 6:56 pm, Ravi Verma wrote:

> The following command will allow the machine to connect to
> 216.155.193.168.
>
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j
> ACCEPT
>
> Now when I issue
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j
> DROP
>
> And
>
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport
> 5050 -j REJECT
>
> Still, it allows connection to 216.155.193.168 on port 5050.
>
> How does this work? It seems -j DROP is not the opposite of -j ACCEPT. How
> can I stop this?

"-A" means append - in other words, "add on to the end of my ruleset".

You have not said that you have flushed the OUTPUT chain (with "iptables -F 
OUTPUT") between adding the ACCEPT rule and applying more rules after it, so 
I think you still have the ACCEPT rule in your chain, and that is the first 
one the packets see.

Try "iptables -L OUTPUT -nvx" and see what rules you have, and in what order.

Regards,

Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

                                                     Please reply to the list;
                                                           please don't CC me.
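As an added illustration of the point in the reply above (this is not code from the thread, just a small model written for this page), the following Python models how a netfilter chain is walked: rules are checked top to bottom and the first matching terminating target wins, so a DROP appended with -A behind an identical ACCEPT never sees the packet. The packet, the chain and the helper names are constructed for the example; the address and port are the ones from the question.

```python
# Added example, not part of the original mailing-list thread.
# Models first-match evaluation of an iptables chain to show why
# "-A ... -j DROP" appended after "-A ... -j ACCEPT" changes nothing,
# and what -F, -D and -I do to the rule order instead.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One rule: match criteria (None = wildcard) plus a terminating target."""
    target: str                   # ACCEPT, DROP or REJECT
    proto: Optional[str] = None   # -p
    dst: Optional[str] = None     # -d
    dport: Optional[int] = None   # --dport
    oif: Optional[str] = None     # -o

    def matches(self, pkt: dict) -> bool:
        wanted = {"proto": self.proto, "dst": self.dst,
                  "dport": self.dport, "oif": self.oif}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())


@dataclass
class Chain:
    """A built-in chain with a default policy; rules are walked top to bottom."""
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:               # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I CHAIN [pos] ... (default: top)
        self.rules.insert(pos - 1, rule)

    def delete(self, rule: Rule) -> None:               # iptables -D CHAIN ... (first identical rule)
        self.rules.remove(rule)

    def flush(self) -> None:                            # iptables -F CHAIN
        self.rules.clear()

    def verdict(self, pkt: dict) -> tuple:
        """Return (target, rule_number); rule_number is None when the policy decides."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, num
        return self.policy, None

    def listing(self) -> list:
        """Rule order as 'iptables -L CHAIN -n --line-numbers' would show it."""
        return [(num, r.target, r.proto, r.dst, r.dport)
                for num, r in enumerate(self.rules, start=1)]


def flow_rule(target: str) -> Rule:
    """The match from the question: tcp to 216.155.193.168:5050 leaving via eth0."""
    return Rule(target=target, proto="tcp", dst="216.155.193.168", dport=5050, oif="eth0")


# Constructed packet for the flow in the question.
PKT = {"proto": "tcp", "dst": "216.155.193.168", "dport": 5050, "oif": "eth0"}


def as_posted() -> tuple:
    """-A ACCEPT, then -A DROP, then -A REJECT: the ACCEPT at rule 1 still wins."""
    out = Chain()
    out.append(flow_rule("ACCEPT"))
    out.append(flow_rule("DROP"))
    out.append(flow_rule("REJECT"))
    return out.verdict(PKT)


def after_flush() -> tuple:
    """-F OUTPUT before adding the DROP: the chain then only holds the DROP."""
    out = Chain()
    out.append(flow_rule("ACCEPT"))
    out.flush()
    out.append(flow_rule("DROP"))
    return out.verdict(PKT)


def after_delete() -> tuple:
    """-D the ACCEPT (same match spec) so the appended DROP becomes rule 1."""
    out = Chain()
    out.append(flow_rule("ACCEPT"))
    out.append(flow_rule("DROP"))
    out.delete(flow_rule("ACCEPT"))
    return out.verdict(PKT)


def after_insert() -> tuple:
    """-I puts the DROP at position 1; the ACCEPT stays but is shadowed at rule 2."""
    out = Chain()
    out.append(flow_rule("ACCEPT"))
    out.insert(flow_rule("DROP"))
    return out.verdict(PKT), out.listing()


if __name__ == "__main__":
    print("as posted:", as_posted())
    print("after -F :", after_flush())
    print("after -D :", after_delete())
    print("after -I :", after_insert())
```

The listing returned by after_insert() is the thing to compare against a real "iptables -L OUTPUT -nvx": if an ACCEPT for the same flow appears above your DROP, the DROP is dead weight until you delete the ACCEPT or move the DROP above it.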