First off, I know this is the LARTC list, but I've been living on this list for over a year now. :) Now with that said, I'm probably going to get flamed for my question. :)
I've read that iptables is a first-match-wins system. My recent experience is showing that it is a last-match-wins system. I understand that if a packet is matched in the prerouting chain, it may be matched again in a subsequent chain unless the jump target was drop.
NOTE: I am not using iptables as a true firewall, much as most people on this list do not. I'm primarily using iptables to mark packets and drop them for securing my network, and to deny all traffic to my router except for a few exclusive ports.
The following is an excerpt from my router script on how I'm handling certain traffic to my router, and this works: (This example is last match wins)
#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
This is how I was doing it and it worked: (This example is first match wins)
(note: I was routing the fwmark 1 to blackhole)
##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1 #CMTS Link
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1 #CMTS Link
I just need someone to tell me when iptables is using first match wins versus last match wins. I think I am missing something, but I am not sure. I stay so busy with other tasks that I cannot devote the time that I need and would like to this. Anyway, many thanks in advance.
Walt Wyndroski
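Within a single chain iptables is always first match wins: rules are tried top to bottom, the first matching rule with a terminating target (ACCEPT, DROP) ends traversal of that chain, while a non-terminating target such as MARK sets the mark and lets evaluation continue; an ACCEPT in the mangle table only finishes that chain, and the packet still goes on to the later tables. The simulator below is an added example, not code from the post; it models one chain with those semantics and runs both rule orders from the post over constructed packets (the CMTS/MRTG names, the eth1 interface and the 10.0.0.7 source are my assumptions).

```python
TERMINATING = {"ACCEPT", "DROP"}

def rule(in_if=None, src=None, dst=None, proto=None, dport=None, target="ACCEPT", mark=None):
    """One rule; proto/dport may be ('!', value) to model '-p ! tcp' and '--dport ! 22'."""
    return dict(in_if=in_if, src=src, dst=dst, proto=proto, dport=dport, target=target, mark=mark)

def _eq(want, have):
    """None matches anything; ('!', v) models iptables negation; otherwise exact match."""
    return True if want is None else (have != want[1] if isinstance(want, tuple) else have == want)

def matches(r, pkt):
    want, have = r["in_if"], pkt["in_if"]   # '-i eth+' is a prefix wildcard in iptables
    if want and not (have.startswith(want[:-1]) if want.endswith("+") else have == want):
        return False
    return all(_eq(r[k], pkt.get(k)) for k in ("src", "dst", "proto", "dport"))

def traverse(chain, pkt):
    """Walk one chain top to bottom: (verdict, fwmark, index of the deciding rule)."""
    mark = 0
    for i, r in enumerate(chain):
        if not matches(r, pkt):
            continue
        if r["target"] == "MARK":           # non-terminating: set the mark, keep going
            mark = r["mark"]
            continue
        if r["target"] in TERMINATING:      # first terminating match ends the chain
            return r["target"], mark, i
    return "POLICY", mark, None             # no terminating match: chain policy decides

# Rule sets transcribed from the post; the CMTS/MRTG names are assumptions
CMTS, MRTG = "172.20.0.5", "66.28.168.226"
SNMP = [rule("eth3", MRTG, CMTS, "udp", 161), rule("eth3", MRTG, CMTS, "udp", 162)]
FORWARD = [rule("eth+", dst=CMTS, proto="icmp"),
           rule("eth+", dst=CMTS, proto=("!", "tcp"), target="DROP"),
           rule("eth+", dst=CMTS, proto="tcp", dport=("!", 22), target="DROP")] + SNMP
PREROUTING = SNMP + [rule("eth+", dst=CMTS, proto="icmp"),
                     rule("eth+", dst=CMTS, proto=("!", "tcp"), target="MARK", mark=1),
                     rule("eth+", dst=CMTS, proto="tcp", dport=("!", 22), target="MARK", mark=1)]

# Constructed sample packets (eth1 and 10.0.0.7 are assumptions, not from the post)
PACKETS = {
    "snmp": dict(in_if="eth3", src=MRTG, dst=CMTS, proto="udp", dport=161),
    "ssh":  dict(in_if="eth1", src="10.0.0.7", dst=CMTS, proto="tcp", dport=22),
    "http": dict(in_if="eth1", src="10.0.0.7", dst=CMTS, proto="tcp", dport=80),
    "ping": dict(in_if="eth1", src="10.0.0.7", dst=CMTS, proto="icmp"),
}

def simulate():
    return {name: {p: traverse(chain, pkt) for p, pkt in PACKETS.items()}
            for name, chain in (("FORWARD", FORWARD), ("PREROUTING", PREROUTING))}
```

In the FORWARD order the SNMP packet hits the `-p ! tcp -j DROP` rule at index 1 and the ACCEPT rules behind it are never reached; in the PREROUTING order it is accepted by rule 0, and a TCP/80 packet falls off the end of the chain carrying fwmark 1.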