Yes, I see that. But what I am concerned with is the two SNMP rules that
follow those. If I put the SNMP rules ahead, they don't match. If I put
them after, then they do match. I pasted the rules again to make it
easier to see.
#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link
##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
Walt Wyndroski
----- Original Message -----
From: "Robert Kurjata" <rkurjata@ire.pw.edu.pl>
To: "Walter D. Wyndroski" <wdwrn@friendlycity.net>
Sent: Thursday, October 23, 2003 3:25 AM
Subject: Re: [LARTC] iptables question
> Hello Walter,
>
> In your letter dated 23 October 2003 (05:45:01) one can read:
>
> WDW> First off, I know this is the LARTC list, but I've
> WDW> been living on this list for over a year now. :) Now with that said, I'm
> WDW> probably going to get flamed for my question. :)
>
> No flames, but direct answer :)
>
> WDW>
>
> WDW> I've read that iptables is a first match wins
> WDW> system. My recent experience is showing that it is a last match wins. I
> WDW> understand that if a packet is matched in the prerouting chain, it may be
> WDW> matched again in a subsequent chain unless the jump target was drop.
>
> I think you should consider it like First Matched Wins :) so it's
> working fine. I don't see why you're saying that the first
> example is last match wins. It just depends on the packet:
>
> (let's see the example where only the first three lines are in the script)
>
> icmp - first matched and accepted
> not tcp - (udp) - matched and dropped
> tcp dst port other than 22 - matched and dropped
>
> tcp dst port 22 - matched by the default chain policy (dropped or accepted)
>
>
>
>
> WDW>
> WDW> NOTE: I am not using iptables as a true firewall,
> WDW> much as most people on this list do not. I'm primarily using iptables
> WDW> to mark packets and drop them for securing my network and to deny all
> WDW> traffic to my router except for a few exclusive ports.
> WDW> The following is an excerpt from my router script
> WDW> on how I'm handling certain traffic to my router and this works:
> WDW> (This example is a last match wins)
> WDW> #Deny All Traffic to Interface except SSH and ICMP
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link
> WDW> ##Allow SNMP Calls Via MRTG To This Interface Only
> WDW> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> WDW> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
> WDW> This is how I was doing it and it worked: (This example is a first
> WDW> match wins)
> WDW> (note: I was routing the fwmark 1 to blackhole)
> WDW> ##Allow SNMP Calls Via MRTG To This Interface Only
> WDW> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> WDW> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
> WDW> #Deny All Traffic to Interface except SSH and ICMP
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1 #CMTS Link
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1 #CMTS Link
>
> WDW>
>
> WDW> I just need someone to tell me when is iptables using first match wins
> WDW> versus last match wins. I think I am missing something but I am not sure.
> WDW> I stay so busy with other tasks that I cannot devote the time that I need
> WDW> and would like to this. Anyway, many thanks in advance.
>
> WDW>
>
> WDW>
>
> WDW> Walt Wyndroski
>
> WDW> This message has been scanned by CityNET's email
> WDW> scanner for viruses and dangerous content
> WDW> and is believed to be clean. CityNET is proud to use
> WDW> MailScanner. For more information
> WDW> concerning MailScanner, visit http://www.mailscanner.info
>
> --
> Regards,
> Robert mailto:rkurjata@ire.pw.edu.pl
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
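As an added example that is not part of any post in this thread: a small Python simulation of how a single iptables chain is walked, with the rule sets quoted above entered as data and a few constructed sample packets. It shows Robert's point that traversal of one chain stops at the first ACCEPT or DROP that matches, and also that MARK (unlike DROP) does not stop traversal, so in the PREROUTING version a later SNMP ACCEPT still fires but the packet already carries fwmark 1. The class and function names (Packet, Rule, traverse, snmp_outcomes, deny_chain_verdicts) and the 10.1.2.3 source used for the non-MRTG packets are assumptions of the example; it models one chain only and says nothing about what other tables or the routing of marked packets do afterwards.

```python
# Added example (not from the original post): first-terminating-match-wins
# traversal of a single iptables chain, using the rule sets quoted in the
# thread. ACCEPT/DROP end traversal of this chain; MARK sets the fwmark and
# lets traversal continue. Anything after the chain is out of scope.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

ROUTER = "172.20.0.5"     # the --dst in the posted rules
MRTG = "66.28.168.226"    # the MRTG host allowed to poll SNMP


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                         # "ACCEPT", "DROP" or "MARK"
    in_iface: Optional[str] = None      # iptables style: "eth+" means any eth*
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    proto_negated: bool = False         # "-p ! tcp"
    dport: Optional[int] = None
    dport_negated: bool = False         # "--dport ! 22"
    mark: int = 0                       # value for MARK --set-mark

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None:
            pat = self.in_iface[:-1] + "*" if self.in_iface.endswith("+") else self.in_iface
            if not fnmatchcase(pkt.in_iface, pat):
                return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        # a negated match succeeds exactly when the plain match fails
        if self.proto is not None and (pkt.proto == self.proto) == self.proto_negated:
            return False
        if self.dport is not None:
            if pkt.dport is None:            # --dport only applies to tcp/udp
                return False
            if (pkt.dport == self.dport) == self.dport_negated:
                return False
        return True


Verdict = Tuple[str, Optional[int], int]   # (verdict, deciding rule index or None, fwmark)


def traverse(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Verdict:
    """Walk the chain top to bottom; the first ACCEPT/DROP that matches decides."""
    mark = 0
    for i, rule in enumerate(chain):
        if not rule.matches(pkt):
            continue
        if rule.target == "MARK":        # non-terminating: set mark, keep going
            mark = rule.mark
            continue
        return rule.target, i, mark      # ACCEPT or DROP ends this chain
    return policy, None, mark            # nothing decided: chain policy


# The posted FORWARD rules: icmp accepted, "! tcp" dropped, tcp not to 22 dropped
DENY_RULES = [
    Rule("ACCEPT", in_iface="eth+", dst=ROUTER, proto="icmp"),
    Rule("DROP", in_iface="eth+", dst=ROUTER, proto="tcp", proto_negated=True),
    Rule("DROP", in_iface="eth+", dst=ROUTER, proto="tcp", dport=22, dport_negated=True),
]
# The posted PREROUTING variant: same matches, MARK --set-mark 1 instead of DROP
MARK_RULES = [
    Rule("ACCEPT", in_iface="eth+", dst=ROUTER, proto="icmp"),
    Rule("MARK", in_iface="eth+", dst=ROUTER, proto="tcp", proto_negated=True, mark=1),
    Rule("MARK", in_iface="eth+", dst=ROUTER, proto="tcp", dport=22, dport_negated=True, mark=1),
]
SNMP_RULES = [
    Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=161),
    Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=162),
]

# Constructed sample packets (10.1.2.3 is an assumed non-MRTG source)
SNMP_GET = Packet("eth3", MRTG, ROUTER, "udp", 161)
PING = Packet("eth0", "10.1.2.3", ROUTER, "icmp")
SSH = Packet("eth0", "10.1.2.3", ROUTER, "tcp", 22)
HTTP = Packet("eth0", "10.1.2.3", ROUTER, "tcp", 80)


def snmp_outcomes() -> Dict[str, Verdict]:
    """The MRTG SNMP packet under each rule ordering discussed in the thread."""
    return {
        "deny_then_snmp": traverse(DENY_RULES + SNMP_RULES, SNMP_GET),
        "snmp_then_deny": traverse(SNMP_RULES + DENY_RULES, SNMP_GET),
        "mark_then_snmp": traverse(MARK_RULES + SNMP_RULES, SNMP_GET),
        "snmp_then_mark": traverse(SNMP_RULES + MARK_RULES, SNMP_GET),
    }


def deny_chain_verdicts() -> Dict[str, Verdict]:
    """Robert's walk-through of the first three rules alone, with ACCEPT policy."""
    return {name: traverse(DENY_RULES, pkt) for name, pkt in
            (("ping", PING), ("ssh", SSH), ("http", HTTP))}


if __name__ == "__main__":
    for name, (verdict, idx, mark) in snmp_outcomes().items():
        print(f"{name:15s} -> {verdict:6s} rule={idx} mark={mark}")
    for name, (verdict, idx, mark) in deny_chain_verdicts().items():
        print(f"{name:15s} -> {verdict:6s} rule={idx} mark={mark}")
```

With the SNMP rules after the "! tcp" DROP, the UDP/161 packet is dropped by rule 1 and the SNMP rules are never consulted; with them first, rule 0 accepts it. In the MARK variant the "! tcp" rule matches too, but only sets the mark, so a later SNMP ACCEPT still decides the chain while the packet keeps fwmark 1, which is what would send it to the blackhole route Walt mentions.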