Order of rules - RELATED,ESTABLISHED

kristian
Joined: 25 Jun 2025, 10:36


Post by kristian »

Hi,

I have a few big subnets in my /etc/csf/csf.deny file, let's say for example something like this:

Code:

tcp|in|d=22,25,80,443|s=1.0.0.0/8
This will deny any traffic from that net to the ports listed on my host. However, I also experienced delivery issues to MX hosts in the blocked subnet (the connection times out), and I suspect it's because of the order of the iptables rules (replies from the MX are blocked by iptables). I may just be confused about how this works, so I was hoping that someone could help me clarify how this works, and if there's something I can do differently.

Here's an extract of the INPUT chain:

Code:

# iptables -n -L -v --line-numbers 
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[1..8 - accepts for port 53]
9    6199K 7233M LOCALINPUT 0    --  !lo    *       0.0.0.0/0            0.0.0.0/0 
10   1912K  435M ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
11   6131K 7229M INVALID    6    --  !lo    *       0.0.0.0/0            0.0.0.0/0
12     550 42598 ACCEPT     1    --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 10/sec burst 5
13       0     0 DROP       1    --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8
14      92 11092 ACCEPT     1    --  !lo    *       0.0.0.0/0            0.0.0.0/0
15   6078K 7225M ACCEPT     0    --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
[16..x]
Should rule 15 be above rule 9? I'm assuming there's a good reason for it *not* being there, so any insights would be appreciated.

-Kristian
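To make the first-match question above concrete, here is an added simulation (not csf's code and not the poster's) of how an iptables chain walks its rules top to bottom: the csf.deny entry from the post and the `ctstate RELATED,ESTABLISHED` accept are modelled as match dicts, and two constructed packets (a fresh inbound SMTP attempt from the denied net, and the reply an MX in that net sends to an outbound delivery) are evaluated with the deny placed before and after the ctstate rule. A hypothetical deny entry without a port list is included to show when the ordering actually changes the verdict; the rest of the INPUT chain is left out for brevity.

```python
import ipaddress

# Constructed model of iptables first-match evaluation (not csf's own code).
# Each rule is a dict of match fields; a field that is absent matches anything.
DENY_PORTED = {"proto": "tcp", "src": "1.0.0.0/8", "dports": {22, 25, 80, 443}, "target": "DROP"}
# Hypothetical deny entry with no destination-port list (e.g. "tcp|in|s=1.0.0.0/8")
DENY_ANYPORT = {"proto": "tcp", "src": "1.0.0.0/8", "target": "DROP"}
# The "ctstate RELATED,ESTABLISHED" accept (rule 15 in the chain listing above)
ACCEPT_ESTABLISHED = {"ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}

# Constructed packets: a new inbound SMTP connection from the denied net, and the
# reply an MX in that net sends back to our own outbound delivery attempt.
NEW_SMTP_IN = {"proto": "tcp", "src": "1.2.3.4", "sport": 51000, "dport": 25, "ctstate": "NEW"}
MX_REPLY = {"proto": "tcp", "src": "1.2.3.4", "sport": 25, "dport": 40000, "ctstate": "ESTABLISHED"}


def matches(rule, pkt):
    """Return True if every match field present in rule is satisfied by pkt."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dports" in rule and pkt["dport"] not in rule["dports"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def compare_orders(deny_rule):
    """Verdicts (new SMTP attempt, MX reply) with the deny before and after the ctstate accept."""
    deny_first = [deny_rule, ACCEPT_ESTABLISHED]
    established_first = [ACCEPT_ESTABLISHED, deny_rule]
    return {
        "deny_first": (evaluate(deny_first, NEW_SMTP_IN), evaluate(deny_first, MX_REPLY)),
        "established_first": (evaluate(established_first, NEW_SMTP_IN), evaluate(established_first, MX_REPLY)),
    }


if __name__ == "__main__":
    for name, deny in (("ported deny", DENY_PORTED), ("any-port deny", DENY_ANYPORT)):
        print(name, compare_orders(deny))
```

With the port-restricted deny the MX reply (destination port 40000) never matches the deny rule, so its position relative to the ctstate accept does not change the verdict; only a deny without a port list makes the ordering decisive for reply traffic.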