iptables negation: which parts does it affect?

Question

When I use negation in iptables, does it affect only the parameter after the "!", or does it also affect everything after it? For example, if I wants to allow only ip address 1.2.3.4 to perform only ssh and nothing else, I use

iptables -I INPUT ! -s 1.2.3.4 -dport 22 -j DROP

Does the "!" mean

(1) NOT ( ip-1.2.3.4 AND port-22 AND target-DROP), or
(2) (NOT ip-1.2.3.4) OR port-22 OR target-DROP, or
(3) NOT ( ip-1.2.3.4 AND port-22 ) OR target-DROP
(4) NOT ( ip-1.2.3.4 AND port-22 ) AND target-DROP
(n) ...

What I want it to mean is: drop every packet that is not (both 1.2.3.4 and port-22). Logically, not-both is equivalent to either-or-none. So, 1.2.3.4-port-80 satisfies (not(both 1.2.3.4 and port-22)), but I do not want 1.2.3.4 to connect to port 80.

How far down from "!" does the "!" affect? Do I need to add extra "!" like

iptables -I INPUT ! -s 1.2.3.4 ! -dport 22 -j DROP

Thank you for your help !

lisprog

score 1 · Answer 1 · answered Mar 01 '17 at 08:16

1

The negation affects only the parameter after the "!"

answered Mar 01 '17 at 08:16

gile

5,580
1
25
31

iptables negation: which parts does it affect?

1 Answers1