Ping a Specific Port

Question

tomsk

Asked: 2018-04-17 10:40:45 +0800 CST2018-04-17 10:40:45 +0800 CST 2018-04-17 10:40:45 +0800 CST

Skipping rules in iptables

772

Imagine that I have 3 rules in iptables:

Check if IP is whitelisted in ipset, then accept it.
Check if user tries connect to port 22, then drop it.
Check if user tries connect to port 80, then accept it.

This is example (not real) of rules:

iptables -A INPUT -m set --match-set whitelist src -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

But I would like to do that if user is whitelisted (1st rule), then don't accept it, but skip/redirect it to 3rd rule (skip 2nd rule), like on this picture (I know that if packet is ACCEPTED then it is done, this is only example, I don't know how to make that jump):

So I would like to ask you, how can I set this "skipping" in chain.

Subquestion: If it is possible, then is it possible to redirect it to another chain to specific rule too?

Update: Real scenario

iptables -A INPUT -m set --match-set whitelist src -j ACCEPT

iptables -A INPUT -m geoip --src-cc DE -j DROP

... other rules ...

As you can see, I whitelisted only Germany, if German's IP pass throught second rule, then I will check it for other rules, but I use whitelisted IPs too.

So if some IP is whitelisted (mostly not German) then I don't want to check if it is German IP (because it would fail) instead that IP should jump into other rules (3rd row) and skip country checking.

What about go to function?

2 Answers

Voted

A.B · Answer 1 · 2018-04-17T14:35:38+08:00

A custom chain can be used to organize things more easily. There's a an other "terminal" target more useful once in a custom chain: RETURN to immediately come back and execute the rule after the calling rule. RETURN in the base chain just applies the default policy, so is not so much used.

The asked example becomes:

iptables -N whitelist-check
iptables -A whitelist-check -m set --match-set whitelist src -j RETURN
iptables -A whitelist-check -p tcp --dport 22 -j DROP
iptables -A INPUT -j whitelist-check
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Sometimes inverting logic and grouping can work too. For this simple case an equivalent method would have simply been:

iptables -A INPUT -p tcp -m set ! --match-set whitelist src --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

For the updated scenario: drop everything which is not whitelisted nor from DE (nor ...). For additional exceptions, just add more rules ending with -j RETURN before the -j DROP

Update 2: changed the logic with DE since OP changed it too... if, as per OP's change, traffic is dropped for Germany, here, traffic continues for non-Germany.

iptables -N filterchain
iptables -A filterchain -m set --match-set whitelist src -j RETURN
iptables -A filterchain -m geoip ! --src-cc DE -j RETURN
...
iptables -A filterchain -j DROP

iptables -A INPUT -j filterchain
... other rules ...

Ben Franske · Answer 2 · 2018-04-17T14:04:59+08:00

Ben Franske

2018-04-17T14:04:59+08:002018-04-17T14:04:59+08:00

As far as I know you cannot skip rules within a chain. You absolutely can "jump" to another chain if a rule is matched though. For example, iptables -A INPUT -p tcp -j tcp_packet_chain will match all TCP packets and jump them into the "tcp_packet_chain". It is important to note though that if the packet is not ACCEPTed or DENYed in the chain you will return back to the next rule in the original chain.

1

Skipping rules in iptables

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?