Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iptables rules order #22

Open
pguimond opened this issue Mar 30, 2021 · 1 comment · May be fixed by #24
Open

iptables rules order #22

pguimond opened this issue Mar 30, 2021 · 1 comment · May be fixed by #24

Comments

@pguimond
Copy link

iptables -t filter -A INPUT -m set --match-set tallow src -j DROP

Does not apply when rules already exists as it insert at bottom.

iptables -I INPUT 1 -m set --match-set tallow src -j DROP

Fix the issue.
f00b4r0 added a commit to f00b4r0/tallow that referenced this issue Nov 13, 2022
@f00b4r0
Insert tallow rule in first position
7f2f23a 
The purpose of tallow is to ban specific hosts. This ban should be
enacted as early as possible in the firwall, which is not achieved by
using "iptables -A", which *appends* at the end of the chain.

This patch ensures that the tallow rule is *inserted* at the top of the
INPUT chain, also matching the behavior implemented for firewall-cmd.

Fixes: clearlinux#22 ("iptables rules order")
@f00b4r0 f00b4r0 linked a pull request Nov 13, 2022 that will close this issue
Open
@aversecat
Copy link

One of the reasons I never did this originally was that once we hard code rule numbers, they can and absolutely will conflict with other firewall tools. So this change might just break existing deployments.

I'm not super against this, but it will have to be a new cmdline option to switch the behavior in this new way, or a config option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Insert tallow rule in first position f00b4r0/tallow
2 participants
@pguimond @aversecat