Score:0

Server

Does iptables options order matters in a rule?

iTaMaR

2/18/23, 10:56 PM

Is there a difference when the options order is changed between this 3 rules?

iptables -A INPUT -p tcp --syn --dport 9000 -m set --match-set someSet src -j ACCEPT
iptables -A INPUT -m set --match-set someSet src --dport 9000 -p tcp --syn -j ACCEPT
iptables -A INPUT --dport 9000 -p tcp --syn -m set --match-set someSet src -j ACCEPT

Does the traversal follow the option order in the rules?

Take this rule for example:

iptables -A INPUT -p tcp --syn --dport 9000 -m set --match-set someSet src -j ACCEPT

Does it mean iptables look first for SYN then check if destination port equal 9000 and last look for a match in the set?

And on this example:

iptables -A INPUT -m set --match-set someSet src --dport 9000 -p tcp --syn -j ACCEPT

Does it mean iptables look first for a match in the set then check if destination port equal 9000 and last look up for SYN?

although they all give the same result when being accepted but they might be more optimised when being rejected if order is taking place in iptables options.

166

0 + 0

linux

ubuntu

firewall

iptables

Score:0

Server

NiKiZe

2/19/23, 7:05 AM

Order of options is for most part not relevant.

You could verify this by saving the rules , you should see that they all end up the same way.

Logical order would be: Protocol, port, state, module

0 + 0

iTaMaR

2/19/23, 10:23 AM

What if the set contains millions of ip's.. you can't expect the performance to be the same if the the traversal would start from the set matching and fall on the others

NiKiZe

2/19/23, 4:13 PM

Set is a module, expect it to be checked last. If you want to optimise it yourself use separate rules sending traffic to new chains which in turn does the next part of the match. But be warned that might not be a optimization at all.

iTaMaR

2/20/23, 12:53 AM

I know chain would do the trick but I'd rather add as least as possible rules, how can I determine the filter order in one rule?

Ginnungagap

2/22/23, 6:07 PM

@iTaMaR, you're likely seeking to optimize something inconsequential. Again, have you actually benchmarked anything before attempting overly complicated, brain racking optimizations? `ipset` is designed to handle large volumes of IPs and strives to make looking up an IP constant time no matter the number of IPs in the set so the operation should be fairly cheap.

iTaMaR

2/23/23, 10:37 AM

@Ginnungagap No algorithm for any kind of set can match comparing 16 bits with each other or matching `opcode`, there is no magic no matter how efficient it will be!!! And you know what, its for science reasons not benchmarking, all I asked was how does `iptables` filter `rules` and if order is taking place..

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Does iptables options order matters in a rule?

TH: คำสั่งซื้อตัวเลือก iptables มีความสำคัญในกฎหรือไม่?

RO: Opțiunile iptables ordonează problemele într-o regulă?

RU: Имеет ли значение порядок параметров iptables в правиле?

VI: Thứ tự tùy chọn iptables có quan trọng trong quy tắc không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.