Score:0

Does iptables apply all rules in order when an incoming connection is received?

Max

I'm using iptables and fail2ban to secure server connections. Currently I have connections filtered via a router passing only ports for email and webserver access and fail2ban adding restrictions based on login failure attempts.

I'm trying to understand how iptables iterates through rules. From my understanding, it goes line by line until the incoming connection fails a rule. Is that correct?

For example:

  1. At the top of the list of rules should be the incoming connection rules for the webserver and email server.

  2. Then the following rule should be a drop rule to block all other ports.

  3. Then finally the entries from fail2ban would block connections that failed the required number of login attempts.

Is that understanding correct?

EDIT: After a little additional reading, it seems like this would be the better approach, right?

# Set the default policy of the INPUT chain to DROP
iptables -P INPUT DROP

# Accept incoming TCP connections on eth0 to the listed service ports (80, 443, 22, 53, 465, 993, 25)
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
THEN THE FAIL2BAN RULES HERE?
Score:0

Packet processing finishes (in this chain) not "when the packet fails a rule" (whatever this could mean), but "when the packet matches a rule that defines a final action". ACCEPT, DROP, REJECT, DNAT, SNAT — all of these are final actions. So if the packet matches some ACCEPT rule, the rules following it (in the same chain) won't be checked, even if the packet would have matched them.

Therefore, "more specific" rules that deny access from certain IPs must be on top, to be able to override the "wildcard" rules that permit access to services from any IP. They will match first and their (final) action will be DROP or REJECT, so access will not be granted by the following ACCEPT rule that would have matched too.

Fail2ban will create its own chains (a dedicated chain for each jail) and insert rules that redirect processing to these chains in an appropriate place (at the top of the filter INPUT chain). You needn't bother with that.
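To make the first-match behaviour concrete, here is a small Python simulation of chain traversal (an added example, not code from the answer, from iptables or from fail2ban); the jail chain name f2b-sshd, the ports and the addresses are constructed. It shows that a fail2ban-style jump placed above the ACCEPT rules rejects the banned client, while the same jump placed below them never gets reached because the ACCEPT for port 22 is terminal.

```python
# Toy model of iptables filter-chain traversal (constructed example, not real
# iptables): rules are tried top to bottom, the first matching rule with a
# terminal target (ACCEPT/DROP/REJECT) decides the packet, a jump to a user
# chain continues there, and RETURN (or falling off the end of a user chain)
# resumes at the next rule of the calling chain. Packets are plain dicts.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule(target, **match):
    """A rule is a target plus match criteria (proto, dport, src, in_if)."""
    return (target, match)

def matches(match, pkt):
    return all(pkt.get(k) == v for k, v in match.items())

def walk(chains, chain, pkt):
    """Return the terminal verdict reached in this chain, or None on fall-through."""
    for target, match in chains[chain]:
        if not matches(match, pkt):
            continue
        if target in TERMINAL:
            return target          # final action: stop here
        if target == "RETURN":
            return None            # back to the caller's next rule
        verdict = walk(chains, target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def verdict(chains, pkt, policy="DROP"):
    v = walk(chains, "INPUT", pkt)
    return v if v is not None else policy  # default policy on fall-through

def build(ban_on_top):
    """INPUT chain like the asker's, plus a fail2ban-style jail chain."""
    accepts = [rule("ACCEPT", in_if="eth0", proto="tcp", dport=p) for p in (22, 80, 443)]
    jump = rule("f2b-sshd", proto="tcp", dport=22)   # hypothetical jail chain name
    return {
        "f2b-sshd": [rule("REJECT", src="203.0.113.9"), rule("RETURN")],
        "INPUT": [jump] + accepts if ban_on_top else accepts + [jump],
    }

# Constructed packets: a banned client, a normal client, an unopened port.
BANNED = {"in_if": "eth0", "proto": "tcp", "dport": 22, "src": "203.0.113.9"}
NORMAL = {"in_if": "eth0", "proto": "tcp", "dport": 22, "src": "198.51.100.4"}
OTHER = {"in_if": "eth0", "proto": "tcp", "dport": 8080, "src": "198.51.100.4"}

if __name__ == "__main__":
    for top in (True, False):
        print("jump on top" if top else "jump below ACCEPTs",
              [verdict(build(top), p) for p in (BANNED, NORMAL, OTHER)])
```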

tr flag
Max
Thanks Nikita. That clarifies the flow for me.