I am restricting the traffic to a specific port number using the firewall rule below.

   /sbin/iptables -A INPUT -p tcp --destination-port <port_num> -j DROP

After some time I want to allow traffic, so I am adding the firewall rule below.

   /sbin/iptables -A INPUT -p tcp --destination-port <port_num> -j ACCEPT

Is it correct, or do I have to delete the first rule before adding the second? If I don't delete the first rule, both rules are present in the INPUT chain, so which one is considered? This is on CentOS 7. Looking forward to your advice.

Vishwas

1 Answer

The -A flag appends to the set of rules. Using -I inserts a rule either at the beginning of the chain or at the numbered position. Rules are processed in order, so the first rule you added will be processed first and the second will never be actioned.

You can see the full set of rules for your INPUT chain with iptables -nvL INPUT.

Since you're on CentOS you might want to use its standard firewall tool, firewalld instead of the low-level iptables.

Also see iptables and RETURN target for an explanation of rules that terminate a chain and those that don't.

Chris Davies
  • But some targets, e.g. LOG in particular, will not terminate processing of the rules. ACCEPT, DROP, REJECT of course will. – ilkkachu Jun 25 '20 at 07:36
  • Thanks for the answer. So the ACCEPT won't take effect because DROP is added prior. If I want the ACCEPT rule to take effect, should I delete the DROP rule first and add the ACCEPT rule? Or should I add these rules with -I instead of -A so that whichever rule was added latest will take effect? – Vishwas Jun 25 '20 at 08:25
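The two options raised in the last comment, as an added example that is not part of the original answer: a POSIX shell script that either deletes the existing DROP rule before making sure an ACCEPT exists (testing for the rule with -C, which the iptables shipped with CentOS 7 supports), or inserts ACCEPT at position 1 with -I so it is evaluated before the DROP. The IPTABLES variable, the function names and the port numbers are assumptions for illustration; changing a real chain requires root.

```shell
#!/bin/sh
# Added example, not from the original post. Two ways to make an ACCEPT rule
# take effect when a DROP for the same port already sits in INPUT:
#   clean  - delete every copy of the DROP rule, then append ACCEPT if missing
#   insert - keep the DROP but insert ACCEPT at position 1 (matched first)
# IPTABLES is overridable so the functions can be exercised without root
# (assumption for illustration; the real binary lives in /sbin/iptables).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Option 1: -C exits 0 while a matching rule exists, so the loop also removes
# duplicates created by running the same -A command more than once.
allow_port_clean() {
    port=$1
    while "$IPTABLES" -C INPUT -p tcp --destination-port "$port" -j DROP 2>/dev/null; do
        "$IPTABLES" -D INPUT -p tcp --destination-port "$port" -j DROP
    done
    # Append ACCEPT only if it is not already present (keeps the chain idempotent).
    "$IPTABLES" -C INPUT -p tcp --destination-port "$port" -j ACCEPT 2>/dev/null ||
        "$IPTABLES" -A INPUT -p tcp --destination-port "$port" -j ACCEPT
}

# Option 2: first match wins, so an ACCEPT at rule 1 shadows the later DROP.
# The DROP stays in the chain as a dead rule.
allow_port_insert() {
    port=$1
    "$IPTABLES" -I INPUT 1 -p tcp --destination-port "$port" -j ACCEPT
}

# Show INPUT in evaluation order; the numbers are what -D and -I accept.
show_input() {
    "$IPTABLES" -nvL INPUT --line-numbers
}

# Command-line entry point: ./allow.sh clean|insert <port>
if [ $# -ge 2 ]; then
    case $1 in
        clean)  allow_port_clean "$2" ;;
        insert) allow_port_insert "$2" ;;
        *) echo "usage: $0 clean|insert <port>" >&2; exit 1 ;;
    esac
    show_input
fi
```

Both forms give the same result for packets, but the -I form leaves an unreachable DROP in the chain, so the delete-then-add form is easier to audit with iptables -nvL INPUT --line-numbers. Either way, rules added directly with iptables on CentOS 7 are not saved by firewalld and will not survive a reboot unless saved separately.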