
I've two rules. The first blocks all ports in the range:

-A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 200:65535 -j DROP

and the second opens one in this range:

-A INPUT -i eth0 -p tcp --dport 5901 -m state --state NEW,ESTABLISHED -j ACCEPT

but it doesn't work. Does anyone know why?

shearn89
lolcio

1 Answer


IIRC iptables rules are order dependent: if the first rule matches, it won't parse any more. Reverse the order and you should achieve what you're trying to do.

Extension: it is not always so; some rules (e.g. -j LOG) allow the packet processing to go further. But the common ACCEPT, REJECT, etc. rules don't. It is best to see iptables as if it were a procedural programming language: rules are matched and executed linearly, always in order.

peterh
shearn89
  • Yes, as @shearn89 said, iptables evaluates the rules from the top. – c4f4t0r Jan 22 '15 at 10:49
  • This is indeed how it works. If you see it as a procedural language, then custom chains are procedures/functions, which you can call from other rules. There even is a `RETURN` target which you can use to return from a procedure to where it was called from. – kasperd Jan 22 '15 at 11:14
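The first-match behaviour the answer describes, plus the two refinements raised in the answer and in kasperd's comment (LOG is non-terminating; a custom chain is a procedure that RETURN falls out of), as an added toy model in Python. This is not iptables code and not part of the original thread; the rule objects, the `evaluate`/`verdict` helpers, the `VNC` chain name and the sample packets are all constructed here to show why the poster's rule order drops port 5901 and why reversing it works.

```python
# Added example: a toy model of iptables first-match evaluation (not real iptables).
# Only what the thread discusses is modelled: rules are walked in order,
# ACCEPT/DROP/REJECT stop evaluation, LOG does not, and a user-defined chain is
# called like a procedure, with RETURN handing control back to the caller.
from dataclasses import dataclass
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                      # ACCEPT/DROP/REJECT/LOG/RETURN or a chain name
    dports: Optional[range] = None   # None matches any destination port
    state: Optional[set] = None      # None matches any conntrack state
    iface: Optional[str] = None      # None matches any input interface

    def matches(self, pkt) -> bool:
        if self.dports is not None and pkt["dport"] not in self.dports:
            return False
        if self.state is not None and pkt["state"] not in self.state:
            return False
        if self.iface is not None and pkt["iface"] != self.iface:
            return False
        return True


def evaluate(chains, chain, pkt, log=None):
    """Walk `chain` linearly; return a verdict, or None if the chain falls through."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue                      # no match: try the next rule
        if rule.target == "LOG":
            if log is not None:
                log.append(f"{chain}: dport={pkt['dport']}")
            continue                      # LOG is non-terminating: keep walking
        if rule.target == "RETURN":
            return None                   # back to the calling chain
        if rule.target in TERMINATING:
            return rule.target            # first terminating match wins
        # Anything else is a user-defined chain: call it like a procedure.
        sub = evaluate(chains, rule.target, pkt, log)
        if sub is not None:
            return sub
    return None                           # fell off the end of the chain


def verdict(chains, pkt, policy="ACCEPT"):
    """Apply the INPUT chain policy when no rule decided the packet."""
    v = evaluate(chains, "INPUT", pkt)
    return v if v is not None else policy


# The two rules from the question, translated into this model.
DROP_RANGE = Rule("DROP", dports=range(200, 65536), state={"NEW"})
ALLOW_VNC = Rule("ACCEPT", dports=range(5901, 5902),
                 state={"NEW", "ESTABLISHED"}, iface="eth0")

# Constructed sample packets: a new connection to 5901 and one to 6000 on eth0.
PKT_5901 = {"dport": 5901, "state": "NEW", "iface": "eth0"}
PKT_6000 = {"dport": 6000, "state": "NEW", "iface": "eth0"}


def as_posted():
    """DROP rule first, ACCEPT second: the DROP matches 5901 and wins."""
    return verdict({"INPUT": [DROP_RANGE, ALLOW_VNC]}, PKT_5901)


def reversed_order():
    """ACCEPT first, DROP second: 5901 is accepted before the range DROP is reached."""
    return verdict({"INPUT": [ALLOW_VNC, DROP_RANGE]}, PKT_5901)


def with_log_and_custom_chain(pkt):
    """LOG everything in the range, then consult a VNC chain, then DROP the rest."""
    chains = {
        "INPUT": [Rule("LOG", dports=range(200, 65536)), Rule("VNC"), DROP_RANGE],
        "VNC": [Rule("RETURN", iface="lo"), ALLOW_VNC],   # RETURN leaves the chain
    }
    log = []
    v = evaluate(chains, "INPUT", pkt, log)
    return (v if v is not None else "ACCEPT"), log


if __name__ == "__main__":
    print("as posted     :", as_posted())        # DROP
    print("reversed      :", reversed_order())   # ACCEPT
    print("log+chain 5901:", with_log_and_custom_chain(PKT_5901))
    print("log+chain 6000:", with_log_and_custom_chain(PKT_6000))
```

The `as_posted` case reproduces the question: the `--dports 200:65535` DROP is reached first, matches the NEW packet to 5901, and evaluation stops, so the ACCEPT below it is never consulted. In `with_log_and_custom_chain`, the LOG rule records the packet and lets it continue, the `VNC` chain either accepts it or falls through (and a RETURN would do the same explicitly), and only then does the range DROP get its turn.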