I've been having some trouble with a firewall blocking traffic between two servers recently and want to check how iptables handles multiple rules applying to the same IP. If I run iptables -L -n | grep 1.2.3.4 I see this output:
ACCEPT all -- 1.2.3.4 0.0.0.0/0
DROP all -- 1.2.3.4 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 1.2.3.4
DROP all -- 0.0.0.0/0 1.2.3.4
How will iptables process these rules? Will all traffic from 1.2.3.4 be dropped?
Running iptables -L -n does not give you the interface names the rules might have defined as conditions. Rules that look alike with different targets are probably conditioned for different interfaces unless they have been written a) in a hurry, b) by an absent-minded admin, c) as a temporary workaround for something or d) all of the above. Use iptables -L -v -n instead.
To answer your question: the packet fate is decided by the first matching rule with a terminal target (ACCEPT and DROP are such targets, but there are others like RETURN which are not terminal so the processing goes on). If there is no such rule, the chain default policy applies, which is ACCEPT by default and can be changed via iptables -P <ACCEPT, DROP>. See this rather good workflow document for details.
Hard to say since you're not displaying for which chains these rules apply.
Easily said: for a firewall you've got to start with the FORWARD chain and follow all rules that match in sequence until you hit an ACCEPT, DROP or REJECT.
If you reach the end of all rules this way, the FORWARD's default policy applies.
My personal favorite way of understanding iptables rulesets is the command iptables-save, which dumps all rules to stdout. This helps to get the idea of the right order of rules. A full picture of packet traversal in iptables is here: http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg