Learn More
Resend Email
13
Aldar
5y

GOD DAMN THE STUPID IPTABLES, aaaaah!

Today I learned that
iptables -I INPUT -i !lo -j DROP
and
iptables -I INPUT ! -i lo -j DROP

are two completely different rules, the first of which doesn't work (in ~99.9% of cases)

yet both pass and get added to the firewall. And both rules show exactly the same in the state listing (iptables -L -n -v).

And I was wondering why the hell the firewall wasn't working...

rant

sysadmin

firewall

iptables

why me

stupid mistake
Favorite
Ranter
Comments
  • 3
    5y
    some unix apis can be obscure as fuck...
  • 1
    5y
    Take a look at ferm
  • 2
    5y
    Edit: Forgot to mentin the diference.

    The first rule matches only for packets on the literal interface named "!lo"

    The second matches all packets on all interfaces but "lo"

    ...*sigh*
  • 0
    5y
    Made me panic for a second there. Luckily I have the correct rule in my firewall rules, phew
  • 1
    5y
    @Aldar got to admit, now that you told the difference, it kind of make sense

    The syntax is however extremely error prone
  • 1
    5y
    That is the cause i use ufw.
  • 2
    5y
    This is why everyone uses firewalld
  • 2
    5y
    @Commodore yeah, it does. But, there really should be at least a difference in the output of -L -n -v

    I mean, I made the mistake by literally copying what one rule already had - interface specified as !lo

    I only later found out the only way to tell if its indeed "-i !lo" or "! -i lo" is by viewing the raw output of iptables-save.

    Extremely confusing if you ask me.
Related Rants
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment