For example, I get a lot of UDP calls:

[screenshot: tcpdump output of incoming UDP connections]

I need to block all connections that are NOT initiated by the client from port 27005.

I think this code should work:

iptables -A INPUT -p udp --sport :27004 -j REJECT
iptables -A INPUT -p udp --sport 27006: -j REJECT
iptables -A INPUT -p udp --sport 27005 -j ACCEPT

But it does not work.

What could be the problem?

  • 1. How did you establish that it “does not work”? Please state this directly in the question. 2. You add netfilter rules to the end of the filter table; what else is in it? sudo iptables-save -t filter. - aleksandr barakin
  • If the filter table already has rules that accept the packets you are trying to reject, it makes sense not to add the new rules to the end of the table (-A) but to insert them at the beginning (-I). - aleksandr barakin
  • The file looks like this:
    #!/bin/bash
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    export DISPLAY=:0.0
    iptables -I INPUT -s 31.204.100.0/22 -j REJECT
    iptables -A INPUT -p udp --sport :27004 -j REJECT
    iptables -A INPUT -p udp --sport 27006: -j REJECT
    iptables -A INPUT -p udp --sport 27005 -j ACCEPT
    iptables -I INPUT -s 95.213.195.1 -j ACCEPT
    - Pharma
  • It does not work. This screenshot was taken after the commands:
    iptables -A INPUT -p udp --sport :27004 -j REJECT
    iptables -A INPUT -p udp --sport 27006: -j REJECT
    iptables -A INPUT -p udp --sport 27005 -j ACCEPT
    As far as I understand, tcpdump should not have shown these lines, but it did. - Pharma
  • The file above (a bash script) is started by cron at system boot. - Pharma

1 answer

Two things:

  1. Use -I instead of -A; then you guarantee that the rule is added at the beginning of the chain, and nothing interferes with it.
  2. Check whether the chain works with a -j LOG rule at the end, rather than with tcpdump.

tcpdump cannot, in principle, show what iptables does, because it operates at the interface (between the link and network layers), and iptables/netfilter only processes the traffic later.

Otherwise, you have everything right.
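The ordering point above can be seen without touching a live firewall. What follows is an added example, not code from the question or the answer: a small Python simulator that applies `iptables -A`/`-I` commands to an INPUT chain and walks it with first-match semantics, the way netfilter does (the first ACCEPT/REJECT/DROP that matches decides; LOG records and falls through). The chain and the packets are constructed: a pre-existing `-p udp -j ACCEPT` rule stands in for whatever already accepts UDP on the host, the three rules from the question are reused verbatim, and only `-p`, `-s`, `--sport` and `-j` are modelled.

```python
"""Added example: simulate first-match evaluation of an iptables INPUT chain."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "REJECT", "DROP"}   # LOG is non-terminating and falls through

@dataclass
class Rule:
    target: str
    proto: str | None = None                   # -p
    src: ipaddress.IPv4Network | None = None   # -s, host or CIDR
    sport: tuple[int, int] = (0, 65535)        # --sport as an inclusive range

@dataclass
class Packet:
    proto: str
    src: str
    sport: int

def parse_port_range(spec: str) -> tuple[int, int]:
    """iptables range syntax: ':27004' -> (0, 27004); '27006:' -> (27006, 65535); '27005' -> (27005, 27005)."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo), int(lo)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)

def parse_rule(toks: list[str]) -> Rule:
    """Parse match/target options, e.g. ['-p', 'udp', '--sport', '27006:', '-j', 'REJECT']."""
    if len(toks) % 2:
        raise ValueError(f"option without argument in {toks}")
    rule = Rule(target="")
    for opt, arg in zip(toks[0::2], toks[1::2]):
        if opt == "-p":
            rule.proto = arg
        elif opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "--sport":
            rule.sport = parse_port_range(arg)
        elif opt == "-j":
            rule.target = arg
        else:
            raise ValueError(f"unsupported option {opt!r}")
    if not rule.target:
        raise ValueError(f"rule without -j target: {toks}")
    return rule

def build_chain(commands: list[str]) -> list[Rule]:
    """Apply 'iptables -A INPUT ...' (append) and 'iptables -I INPUT ...' (insert at top) in order."""
    chain: list[Rule] = []
    for cmd in commands:
        toks = shlex.split(cmd)
        if toks[0] == "iptables":
            toks = toks[1:]
        action, chain_name, rest = toks[0], toks[1], toks[2:]
        if chain_name != "INPUT":
            raise ValueError("this demo models only the INPUT chain")
        if action == "-A":
            chain.append(parse_rule(rest))
        elif action == "-I":
            chain.insert(0, parse_rule(rest))    # -I without a position means rule 1
        else:
            raise ValueError(f"unsupported action {action!r}")
    return chain

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    return rule.sport[0] <= pkt.sport <= rule.sport[1]

def evaluate(chain: list[Rule], pkt: Packet, policy: str = "ACCEPT") -> tuple[str, bool]:
    """Walk the chain top to bottom; the first terminating target decides.
    Returns (verdict, logged), where logged says whether a -j LOG rule was reached."""
    logged = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged = True                        # LOG records the packet and continues
        elif rule.target in TERMINATING:
            return rule.target, logged
        else:
            raise ValueError(f"unsupported target {rule.target!r}")
    return policy, logged                        # fell off the end: the chain policy applies

# Constructed pre-existing rule, standing in for whatever already accepts UDP on the host.
EXISTING = ["iptables -A INPUT -p udp -j ACCEPT"]
# The questioner's three rules, verbatim apart from the -A/-I choice.
RULES = [
    "INPUT -p udp --sport :27004 -j REJECT",
    "INPUT -p udp --sport 27006: -j REJECT",
    "INPUT -p udp --sport 27005 -j ACCEPT",
]
LOG_TAIL = ["iptables -A INPUT -j LOG"]         # the answer's LOG rule at the end

def chain_with(action: str) -> list[Rule]:
    """The INPUT chain as it ends up when the questioner's rules use -A or -I."""
    return build_chain(EXISTING + [f"iptables {action} {r}" for r in RULES] + LOG_TAIL)

if __name__ == "__main__":
    for action in ("-A", "-I"):
        chain = chain_with(action)
        for sport in (12345, 27005):
            print(action, sport, evaluate(chain, Packet("udp", "10.0.0.5", sport)))
```

With `-A`, a UDP packet from source port 12345 hits the pre-existing ACCEPT before it ever reaches the REJECT rules, so the verdict is ACCEPT and nothing changes; with `-I`, the same packet meets the REJECT first. The trailing LOG rule only ever sees packets that no earlier terminating rule claimed, which is why it is a better check of chain behaviour than tcpdump, which captures the packet before netfilter has made any decision.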