You must be very conscious of the order in which you set rules in a chain because netfilter passes the TCP/IP packet through the rules in the order they are inserted into the kernel. If you want to insert a rule at the top of the list (that is, making it the first rule that is executed), you can use the -I (insert) parameter to iptables.
For example, if you are allowing SSH into your firewall from the Internet, but you know that you do not want a certain IP address to have access to SSH, you have to insert the REJECT/DROP rule before the general SSH rule:
iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -I INPUT -p tcp --dport ssh -i eth0 -s 10.32.1.4 -j DROP
In this example, using the -s option to specify a source IP address, we have inserted the DROP rule before the general SSH acceptance rule.
When a TCP/IP packet enters a chain, it is checked against each rule in turn. If one of the rules matches the TCP/IP packet, the packet is sent immediately to the target specified (ACCEPT, DROP, REJECT). In the case of our inserted SSH DROP rule, packets from 10.32.1.4 destined for the SSH port are sent to the DROP target before they reach the ACCEPT SSH rule.
In essence, all the TCP/IP packets sequentially go through every rule in the chain until they are directed to a target. If none of the rules fires off a packet to a target, that packet is dealt with by the default policy, which is to kill the packet in this case.
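The first-match behaviour described above can be checked against a saved ruleset. The following is an added example, not part of the original article: the function name ssh_verdict, the two sample rulesets (constructed to look like `iptables -S INPUT` output) and the simplified matcher are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: `iptables -S INPUT` output after the two commands in the
# article, with the default policy set to DROP.
INSERTED='-P INPUT DROP
-A INPUT -s 10.32.1.4/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: the same rules, but the DROP was added with -A, not -I,
# so it sits after the general SSH ACCEPT rule.
APPENDED='-P INPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.32.1.4/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP'

# ssh_verdict RULES SRC_IP
# Prints the target that an inbound TCP packet to port 22 from SRC_IP reaches:
# the first matching rule wins, otherwise the chain policy applies.
# Simplified matcher (assumption): only -p, --dport and a /32 host in -s are
# understood; interfaces, negation and other match modules are ignored.
ssh_verdict() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $1 == "-P" { policy = $3; next }
        $1 == "-A" {
            proto = ""; rule_src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto    = $(i + 1)
                if ($i == "-s")      rule_src = $(i + 1)
                if ($i == "--dport") dport    = $(i + 1)
                if ($i == "-j")      target   = $(i + 1)
            }
            if (proto != "" && proto != "tcp") next          # wrong protocol
            if (dport != "" && dport != "22") next           # wrong port
            if (rule_src != "" && rule_src != (src "/32")) next  # other source
            print target; found = 1; exit                    # first match wins
        }
        END { if (!found) print policy }                     # fell off the chain
    '
}

echo "DROP inserted with -I: 10.32.1.4 -> $(ssh_verdict "$INSERTED" 10.32.1.4)"
echo "DROP appended with -A: 10.32.1.4 -> $(ssh_verdict "$APPENDED" 10.32.1.4)"
```

On a live firewall, the first argument would be the output of `iptables -S INPUT`; a host you meant to block that comes back as ACCEPT indicates the DROP rule is shadowed by an earlier rule.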