iptables deny taking precedence over accept



  • I am trying to set rules in iptables. I script the rules all set to accept; however, when I apply a rule to deny as default, the accept rules no longer work.

    How can I set priority to make sure accept rules are processed before deny?



  • They should execute in order, make sure the deny is below the accept rule.



  • IPT="/sbin/iptables"
    
    # IP Ranges
    somenetwork_1="172.34.344.0/24"
    somenetwork_2="172.11.44.0/24"
    anothernetwork_1="172.189.33.0/24"
    anothernetwork_2="172.189.133.0/24"
    yetanothernetwork_1="172.51.222.0/24"
    yetanothernetwork_2="172.11.222.0/24"
    funnetwork_1="172.54.222.0/24"
    funnetwork_2="172.112.222.0/24"
    vpn="10.2.31.0/24"
    public="0.0.0.0/0"
    
    echo "flushing iptables rules"
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    
    echo "allow all and everything on localhost"
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -s 127.0.0.0/8 -j DROP
    
    
    
    #Port Range 11122
    $IPT --append INPUT --match udp --protocol udp --src $somenetwork_1 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $somenetwork_2 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $yetanothernetwork_2 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $yetanothernetwork_1 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $anothernetwork_2 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $anothernetwork_1 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $funnetwork_2 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $funnetwork_1 --sport 11122 --jump ACCEPT
    $IPT --append INPUT --match udp --protocol udp --src $vpn --sport 11122 --jump ACCEPT
    
    #Port Range 95000
    $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
    $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT
    
    # SSH traffic
    $IPT -A INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 22 --jump ACCEPT
    
    #Default SSH Rule
    $IPT -A INPUT --match tcp --protocol tcp --src $vpn --sport 22 --jump ACCEPT
    
    
    echo "Ensuring iptables is enable + saving configuration"
    sudo iptables-save
    
    
    echo "Set default policy to 'DROP'"
    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT  ACCEPT
    
    
    echo "Ensuring iptables is enable + saving configuration"
    sudo iptables-save
    
    
    exit 0
    


  • I changed IPs and variable names to something random for obvious reasons, but that is cutting the connection at the end even though I have an explicit allow for the SSH connection.



  • That looks out of order. I never use IPT, but doesn't that append the new stuff at the top, not the bottom? So by having the DENY come last, it goes to the top?



  • @IRJ said in iptables deny taking precedence over accept:

    #Port Range 95000
    $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
    $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT

    I'm assuming this is not supposed to be a correct number... but --sport can't be > 65536.



  • @dafyre said in iptables deny taking precedence over accept:

    @IRJ said in iptables deny taking precedence over accept:

    #Port Range 95000
    $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
    $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT

    I'm assuming this is not supposed to be a correct number... but --sport can't be > 65536.

    Yeah, I just randomized port numbers. Not actually using that.
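Added example, not code from the thread: the script's SSH rules use --sport 22, which matches packets that come FROM port 22, while an inbound SSH client connects TO port 22 from a random high port, so none of those ACCEPT rules ever match and the INPUT policy DROP is what decides. The block shows that broken rule beside a corrected INPUT chain in the same style; IPT defaults to echo so it prints the commands instead of applying them, and the network ranges are placeholders like the thread's own.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to "echo" so the block
# prints the commands it would run; set IPT=/sbin/iptables to apply for real.
IPT="${IPT:-echo}"
vpn="10.2.31.0/24"      # placeholder range, as in the thread
mgmt="172.11.44.0/24"   # placeholder range, as in the thread

# The thread's SSH rule matches packets whose SOURCE port is 22. An inbound
# SSH client connects TO port 22 from a random high port, so this rule never
# matches and the chain falls through to the DROP policy.
broken_ssh_rule() {
    $IPT -A INPUT -p tcp -m tcp -s "$vpn" --sport 22 -j ACCEPT
}

# Corrected INPUT chain: accept replies to connections this host opened,
# drop malformed state, then allow services by DESTINATION port, then set
# the policy. iptables walks a chain top-down and the first matching rule
# wins; -A appends at the bottom (-I would insert at the top), so these
# rules are always checked before the policy applies.
fixed_input_chain() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp -m tcp -s "$vpn" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -m tcp -s "$mgmt" --dport 22 -j ACCEPT
    $IPT -P INPUT DROP
}

# Check a port before handing it to iptables: TCP/UDP ports are 0-65535,
# so a value like the thread's 95000 would make iptables refuse the rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}
```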

