1

https://serverfault.com/questions/247176/iptables-only-allow-localhost-access#comment224878_247180

iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

"Anything coming from localhost to port 25, accept" and the second rule says "Drop anything coming into port 25". The first line is processed first, allowing localhost, and anything else will get dropped by the second line.

The second rule seems to cover the case of the first rule. So why doesn't the second rule override the first rule?

How do rules with overlap coverage work together in general?

Thanks.

Improve this question

1 Answer 1

Reset to default
2

The answer is in the quote:

The first line is processed first

Rules are processed in-order, and a rule which accepts or drops a packet terminates the chain for that packet. “Overlap” doesn’t matter, only the order of rules does.

Improve this answer
3
  • Thanks. Some commands seem to have the later-override-former model for overlapping rules, while some commands the first-win-over-latter model for overlapping rules . If I may ask, what kinds of commands are likely to use which model? Do you know any other models for resolving overlapping rules? Commented Mar 17, 2019 at 11:30
  • There’s no general rule. Models I can think of are “first match wins”, “last match wins”, “most specific wins”, I suppose one could imagine “least specific wins”; I don’t have examples off-hand for any of them. Commented Mar 17, 2019 at 13:23
  • Indeed, reading the man pages is one of the best ways. man iptables says "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ... If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet. " Commented Mar 17, 2019 at 19:53

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.