I've been having some trouble with a firewall blocking traffic between two servers recently and want to check how iptables handles multiple rules applying to the same IP. If I run iptables -L -n | grep I see this output:

ACCEPT    all  --
DROP      all  --
ACCEPT    all  --  
DROP      all  --  

How will iptables process these rules? Will all traffic from be dropped?

Dave Child

3 Answers

Running iptables -L -n does not give you the interface names the rules might have defined as conditions. Rules that look alike with different targets are probably conditioned for different interfaces unless they have been written a) in a hurry, b) by an absent-minded admin, c) as a temporary workaround for something, or d) all of the above.

Use iptables -L -v -n instead.

To answer your question: the packet fate is decided by the first matching rule with a terminal target (ACCEPT and DROP are such targets, but there are others like RETURN which are not terminal so the processing goes on). If there is no such rule, the chain default policy applies which is ACCEPT by default and can be changed via iptables -P <ACCEPT, DROP>.

See this rather good workflow document for details.


Hard to say since you're not displaying for which chains these rules apply.

Easily said: for a firewall you've got to start with the FORWARD chain and follow all rules that match in sequence until you hit an ACCEPT, DROP or REJECT.

If you reach the end of all rules this way, the FORWARD's default policy applies.

  • Lines 1 and 2 above are in the same chain (on sequential lines) and lines 3 and 4 are on sequential lines in a different chain. If I've understood you correctly, if lines 1 and 2 above are in the same chain, and it reaches line 1, it will ignore line 2 - is that right? – Dave Child Oct 14 '11 at 09:25
  • yes: 1st one accepts all traffic coming from, the 2nd line will never be reached. 3rd line Accepts all traffic going to and the 4th line will never be reached. – ktf Oct 14 '11 at 09:55

My personal favorite way of understanding iptables rulesets is the command iptables-save, which dumps all rules to stdout. This helps to get the idea of the right order of rules.

A full picture of packet traversal in iptables is here: http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg

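The first-match rule described in the first answer (first matching rule with a terminal target decides, RETURN is not terminal, otherwise the chain policy applies) and the iptables-save format recommended in the last answer can be checked offline without touching a live firewall. The following is an added example, not code from any of the answers or from the iptables project: a small Python simulation that parses a constructed iptables-save dump and walks the FORWARD chain the way the kernel does. The ruleset, interface names, addresses and the LOGDROP chain are all made up for the example; the two look-alike ACCEPT/DROP pairs differ only by interface, which is exactly what `iptables -L -n` would hide and `iptables -L -v -n` would show.

```python
import shlex
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DROP", "REJECT"}        # targets that end the walk
OPTS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport"}

def parse_iptables_save(text):
    """Parse the subset of iptables-save syntax used below (no '!' negation).
    Returns ({chain: policy}, {chain: [rule, ...]}) in file order."""
    policy, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            name, pol = line[1:].split()[:2]
            rules.setdefault(name, [])
            if pol != "-":                       # user-defined chains have no policy
                policy[name] = pol
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "target": None, "cond": {}, "text": line}
        for opt, val in zip(toks[2::2], toks[3::2]):   # "-m tcp" pairs are ignored
            if opt == "-j":
                rule["target"] = val
            elif opt in ("-s", "-d"):
                rule["cond"][OPTS[opt]] = ip_network(val, strict=False)
            elif opt == "--dport":
                rule["cond"]["dport"] = int(val)
            elif opt in OPTS:
                rule["cond"][OPTS[opt]] = val
        rules.setdefault(rule["chain"], []).append(rule)
    return policy, rules

def matches(rule, pkt):
    """Every condition on the rule must hold; a rule with none matches all."""
    for key, want in rule["cond"].items():
        have = pkt.get(key)
        if key in ("src", "dst"):
            if ip_address(have) not in want:
                return False
        elif have != want:
            return False
    return True

def walk(chain, pkt, rules, trace):
    """Walk one chain top to bottom; None means exhausted or RETURN was hit."""
    for rule in rules.get(chain, []):
        if not matches(rule, pkt):
            continue
        trace.append(rule["text"])
        target = rule["target"]
        if target in TERMINAL:
            return target                 # later look-alike rules are never reached
        if target == "RETURN":
            return None                   # hand control back to the calling chain
        if target in rules:               # jump into a user-defined chain
            sub = walk(target, pkt, rules, trace)
            if sub is not None:
                return sub
        # non-terminal (LOG-style target, or sub-chain RETURN-ed): keep going
    return None

def verdict(chain, pkt, policy, rules):
    """Fate of a packet entering a built-in chain: first terminal match,
    otherwise the chain's default policy (what iptables -P sets)."""
    trace = []
    result = walk(chain, pkt, rules, trace)
    return (result if result is not None else policy[chain]), trace

# Constructed ruleset (not the question's). The look-alike ACCEPT/DROP pairs
# differ only by interface, which "iptables -L -n" hides and "-L -v -n" shows.
SAMPLE = """
*filter
:FORWARD DROP [0:0]
:LOGDROP - [0:0]
-A FORWARD -s 10.0.0.5/32 -i eth0 -j ACCEPT
-A FORWARD -s 10.0.0.5/32 -j DROP
-A FORWARD -d 10.0.0.9/32 -o eth1 -j ACCEPT
-A FORWARD -d 10.0.0.9/32 -j DROP
-A FORWARD -s 192.168.1.0/24 -j LOGDROP
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A LOGDROP -p tcp -m tcp --dport 22 -j RETURN
-A LOGDROP -j DROP
COMMIT
"""
POLICY, RULES = parse_iptables_save(SAMPLE)

def fate(src, dst, in_if, out_if, proto="tcp", dport=None):
    """Verdict and the trace of matched rules for one packet entering FORWARD."""
    pkt = {"src": src, "dst": dst, "in": in_if, "out": out_if, "proto": proto, "dport": dport}
    return verdict("FORWARD", pkt, POLICY, RULES)
```

Calling `fate("10.0.0.5", "10.0.0.20", "eth0", "eth1")` hits the first ACCEPT and the DROP on the next line is never consulted, while the same source arriving on `eth1` falls through to that DROP. A packet from 192.168.1.0/24 to TCP port 22 enters LOGDROP, is RETURN-ed, and processing resumes in FORWARD at the rule after the jump; a packet that matches nothing gets the FORWARD policy. The returned trace lists the rules actually consulted, which is the same information you would get from `iptables -L -v -n` packet counters on a live system.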