Order of rules - RELATED,ESTABLISHED
Posted: 25 Jun 2025, 12:06
Hi,
I have a few big subnets in my /etc/csf/csf.deny file, let's say for example something like this:

tcp|in|d=22,25,80,443|s=1.0.0.0/8

This will deny any traffic from that net to the ports listed on my host. However, I also experienced delivery issues to MX hosts in the blocked subnet (the connection times out), and I suspect it's because of the order of the iptables rules (replies from the MX are blocked by iptables). I may just be confused about how this works, so I was hoping that someone could help me clarify how this works, and if there's something I can do differently.
Here's an extract of the INPUT chain:

# iptables -n -L -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
[1..8 - accepts for port 53]
9 6199K 7233M LOCALINPUT 0 -- !lo * 0.0.0.0/0 0.0.0.0/0
10 1912K 435M ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
11 6131K 7229M INVALID 6 -- !lo * 0.0.0.0/0 0.0.0.0/0
12 550 42598 ACCEPT 1 -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 10/sec burst 5
13 0 0 DROP 1 -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8
14 92 11092 ACCEPT 1 -- !lo * 0.0.0.0/0 0.0.0.0/0
15 6078K 7225M ACCEPT 0 -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
[16..x]

Should rule 15 be above rule 9? I'm assuming there's a good reason for it *not* being there, so any insights would be appreciated.
-Kristian
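The ordering question above can be reasoned through with a small model of iptables first-match evaluation. The following Python is an added example, not code from the thread or from CSF: it models the INPUT chain as posted (rule 9 jumping to LOCALINPUT, where the csf.deny entry lives, and rule 15 accepting RELATED,ESTABLISHED), plus one assumed later rule opening port 25, and walks constructed packets through it in both the posted order and the swapped order.

```python
import ipaddress

# Constructed model. A rule is a dict; a missing key means "match anything".
# The csf.deny line from the post: tcp|in|d=22,25,80,443|s=1.0.0.0/8
DENY_NET = ipaddress.ip_network("1.0.0.0/8")

LOCALINPUT = [
    {"src": DENY_NET, "proto": "tcp", "dports": {22, 25, 80, 443}, "target": "DROP"},
]

INPUT = [
    {"target": "LOCALINPUT"},                                     # rule 9 in the post
    {"ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},  # rule 15 in the post
    {"proto": "tcp", "dports": {25}, "target": "ACCEPT"},         # assumed: a port-open rule in [16..x]
]
# Same rules with 15 moved above 9, to compare the two orderings.
INPUT_SWAPPED = [INPUT[1], INPUT[0], INPUT[2]]


def matches(rule, pkt):
    """Every match criterion present on the rule must hold for the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dports" in rule and pkt["dport"] not in rule["dports"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True


def walk(chain, pkt):
    """First matching terminating target wins; a user chain without a match RETURNs."""
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOCALINPUT":
            sub = walk(LOCALINPUT, pkt)
            if sub is not None:
                return sub
            continue  # implicit RETURN: keep evaluating the parent chain
        return rule["target"]
    return None


def verdict(chain, pkt, policy="DROP"):
    """Final verdict for a packet, falling back to the chain policy (DROP in the post)."""
    v = walk(chain, pkt)
    return v if v is not None else policy


# Constructed packets: MX 1.2.3.4 sits inside the denied /8.
NEW_SMTP_IN = {"src": "1.2.3.4", "proto": "tcp", "dport": 25, "ctstate": "NEW"}
MX_REPLY = {"src": "1.2.3.4", "proto": "tcp", "dport": 51234, "ctstate": "ESTABLISHED"}
OLD_SMTP_IN = {"src": "1.2.3.4", "proto": "tcp", "dport": 25, "ctstate": "ESTABLISHED"}
```

Walking MX_REPLY shows that a reply to an outbound SMTP connection arrives with a high destination port, so the d=22,25,80,443 deny does not match it and rule 15 accepts it; OLD_SMTP_IN shows the one thing the order changes: with LOCALINPUT first, a newly added deny also cuts off connections that were already established, whereas with the conntrack accept first those flows keep running until they close.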