[ale] iptables caching?
JK
jknapka at kneuro.net
Thu Dec  4 13:10:44 EST 2008

Robert L. Harris wrote:
> I have the following rules in my iptables script:
> 
>   $IPTABLES -A Allow --proto tcp --destination-port 25 -j ACCEPT
>   $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 25 -j DNAT --to 10.1.1.34:25
> 
>   $IPTABLES -A Allow --proto tcp --destination-port 80 -j ACCEPT
>   $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 80 -j DNAT --to 10.1.1.32:80
> 
> I had a typo originally that sent dport 80 to 10.1.1.32:25, which I
> fixed.  I have verified there are no other rules for port 80, but it is
> still sending anything that hits port 80 to 10.1.1.32:25.  The first 2
> rules are working fine though.
> 
> Any ideas?
The "-A" means "*A*ppend this rule to the end of the chain", where it
will be looked at *last*.  So unless you flush (iptables -F <chain>)
and then re-establish all the rules in the chain, the old rule will
take precedence.  If you want to put a rule at the *front* of the
chain, use "-I", not "-A".
-- JK
-- 
I do not particularly want to go where the money is -
  it usually does not smell nice there. -- A. Stepanov
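The ordering point in JK's reply, shown as a runnable toy model. This is an added example, not code from the thread or from netfilter: the `Rule` and `Chain` classes are this example's own invention and only imitate how an iptables chain is walked (first matching rule decides), with the addresses and ports taken from the original post. The three functions replay the three situations the thread describes: re-running the edited script with `-A` only, flushing with `-F` and rebuilding, and inserting the fix at the front with `-I`.

```python
"""Added illustration (not part of the ALE thread): a toy model of an iptables
chain with first-match evaluation, showing why a corrected rule appended with
-A never fires while the typo rule is still in the chain, and what -F and -I
do about it.  Rule and Chain are this example's own invention, not netfilter
code; the addresses and ports are the ones quoted in the original post.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    proto: str
    dport: int
    target: str          # e.g. "DNAT --to 10.1.1.32:80"

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto == proto and self.dport == dport


@dataclass
class Chain:
    """Ordered rule list; the first matching rule decides the target."""
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A: add at the end of the chain, consulted last."""
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1) -> None:
        """iptables -I: add at a 1-based position, the front by default."""
        self.rules.insert(position - 1, rule)

    def flush(self) -> None:
        """iptables -F: drop every rule in the chain."""
        self.rules.clear()

    def lookup(self, proto: str, dport: int) -> Optional[str]:
        """Target of the first matching rule, or None (fall through to policy)."""
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.target
        return None

    def listing(self) -> List[str]:
        """Roughly what 'iptables -t nat -L PREROUTING -n --line-numbers' shows."""
        return [f"{i} {r.proto} dpt:{r.dport} {r.target}"
                for i, r in enumerate(self.rules, start=1)]


SMTP = Rule("tcp", 25, "DNAT --to 10.1.1.34:25")     # working rule from the post
TYPO = Rule("tcp", 80, "DNAT --to 10.1.1.32:25")     # rule installed by the first run
FIXED = Rule("tcp", 80, "DNAT --to 10.1.1.32:80")    # the corrected rule


def rerun_script_with_append() -> Optional[str]:
    """Re-running the edited script without a flush: -A lands the fix behind the typo."""
    prerouting = Chain()
    prerouting.append(SMTP)
    prerouting.append(TYPO)       # still present from the first run
    prerouting.append(FIXED)      # appended, so consulted after TYPO
    return prerouting.lookup("tcp", 80)   # the typo target still wins


def flush_then_rebuild() -> Optional[str]:
    """The fix JK recommends: -F the chain, then re-establish every rule."""
    prerouting = Chain()
    prerouting.append(SMTP)
    prerouting.append(TYPO)
    prerouting.flush()
    prerouting.append(SMTP)
    prerouting.append(FIXED)
    return prerouting.lookup("tcp", 80)


def insert_at_front() -> Chain:
    """-I puts the fix ahead of the typo, but the stale rule stays in the chain."""
    prerouting = Chain()
    prerouting.append(SMTP)
    prerouting.append(TYPO)
    prerouting.insert(FIXED)
    return prerouting


if __name__ == "__main__":
    print("append only  :", rerun_script_with_append())
    print("flush+rebuild:", flush_then_rebuild())
    chain = insert_at_front()
    print("insert -I    :", chain.lookup("tcp", 80))
    print("\n".join(chain.listing()))
```

The `insert_at_front` case is worth a look: `-I` makes port 80 behave correctly, yet the listing still shows the stale `10.1.1.32:25` rule at position 2, so a later script change that flushes only part of the chain, or a reader of `iptables -t nat -L PREROUTING -n --line-numbers`, can be misled. On a real host, flushing and rebuilding the chain (or deleting the stale rule explicitly with `-D`) leaves a chain that matches the script, which is what you want to be able to audit.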