Re: iptables question, a discussion in the Linux Networking forum, part of the Linux Forums category.
Lars von Wedel wrote:
> Hello,
>
> in the iptables tutorial (v 1.1.19 under I.4) I find two lines,
> the first one being
>
> $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
>
> and the other one
>
> $IPTABLES -A allowed -p TCP -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
>
> To my understanding, the latter one is more specific than the former and
> since it should be evaluated further down the chains, it seems to be
> unnecessary!?

Well, in that second rule, there's no interface defined. So TCP packets that come in via any other than $INET_IFACE will match this rule. And, this is a user-created chain ("allowed"), so you should expect a rule in the INPUT chain that redirects the handling of those packets here.

But you are correct, if $INET_IFACE was defined in that second rule above, no packet will ever match that rule because they are already caught by the first one, thus making the second one redundant.

Cheers,
Jack.

--
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
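The chain traversal that the reply describes, as an added example that is not part of the original post and is not iptables itself: a small Python simulation of the INPUT chain and the user chain "allowed". Only the two ESTABLISHED,RELATED rules come from the thread; the jump from INPUT to "allowed", the trailing DROP in "allowed", the interface names and the packets are constructed for the illustration. It shows that the rule in "allowed" only ever fires for TCP arriving on an interface other than $INET_IFACE, and that adding -i $INET_IFACE to it leaves it with no packets to match.

```python
# Added example: a minimal simulation of iptables chain traversal.
# Not iptables and not code from the tutorial; rules marked "constructed",
# interface names and packets are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

INET_IFACE = "eth0"                      # stand-in for the tutorial's $INET_IFACE (assumption)
CONNTRACK = frozenset({"ESTABLISHED", "RELATED"})


@dataclass
class Rule:
    """One rule: -p PROTO -i IFACE -m state --state STATES -j TARGET."""
    target: str                          # ACCEPT, DROP, or the name of a user chain
    proto: Optional[str] = None          # None behaves like -p ALL
    in_iface: Optional[str] = None       # None means "any interface" (no -i given)
    states: Optional[frozenset] = None   # None means no state match at all
    hits: int = 0                        # how many packets this rule matched

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.in_iface is not None and pkt["iface"] != self.in_iface:
            return False
        if self.states is not None and pkt["state"] not in self.states:
            return False
        return True


def traverse(chains: Dict[str, List[Rule]], name: str, pkt: dict) -> Optional[str]:
    """Walk a chain top to bottom. A user chain that runs out of rules without
    a verdict returns to the caller, which continues with its next rule."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        rule.hits += 1
        if rule.target in chains:        # -j <user chain>
            verdict = traverse(chains, rule.target, pkt)
            if verdict is not None:
                return verdict
        else:                            # terminating target (ACCEPT / DROP)
            return rule.target
    return None                          # chain exhausted: policy would apply


def build_chains(allowed_iface: Optional[str]) -> Dict[str, List[Rule]]:
    """INPUT and the user chain 'allowed'. The ESTABLISHED,RELATED rule in
    'allowed' gets -i allowed_iface (None reproduces the tutorial's form)."""
    return {
        "INPUT": [
            # $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
            Rule("ACCEPT", proto=None, in_iface=INET_IFACE, states=CONNTRACK),
            # constructed: the rule that hands TCP packets to the user chain
            Rule("allowed", proto="TCP"),
        ],
        "allowed": [
            # $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
            Rule("ACCEPT", proto="TCP", in_iface=allowed_iface, states=CONNTRACK),
            # constructed: a final DROP so the difference is observable
            Rule("DROP", proto="TCP"),
        ],
    }


# Constructed packets: the same TCP ESTABLISHED traffic arriving on the
# Internet interface and on a second (say, LAN) interface.
PACKETS = {
    "tcp_est_inet": {"proto": "TCP", "iface": INET_IFACE, "state": "ESTABLISHED"},
    "tcp_est_lan":  {"proto": "TCP", "iface": "eth1",     "state": "ESTABLISHED"},
}


def run(allowed_iface: Optional[str]) -> dict:
    """Return each packet's verdict and the hit count of the 'allowed'
    ESTABLISHED,RELATED rule for a given -i setting on that rule."""
    chains = build_chains(allowed_iface)
    verdicts = {name: traverse(chains, "INPUT", pkt) for name, pkt in PACKETS.items()}
    return {"verdicts": verdicts, "allowed_rule_hits": chains["allowed"][0].hits}


if __name__ == "__main__":
    print("tutorial form (no -i on the 'allowed' rule):", run(None))
    print("with -i $INET_IFACE added to that rule:     ", run(INET_IFACE))
```

In the tutorial's form the rule in "allowed" is hit once, by the packet arriving on eth1, which the INPUT rule never sees because of its -i $INET_IFACE. With -i $INET_IFACE added to the "allowed" rule its hit count stays at zero: every packet that could match it has already been accepted by the first rule in INPUT, which is the redundancy the reply points out.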