I need to create a new chain to treat a specific IP, say 192.168.0.101.
In this new chain, this IP will have access to all services, except FTP.
My solution is:
iptables -N IP1
iptables -A IP1 -p tcp --dport 20 -j DROP
iptables -A IP1 -p tcp --dport 21 -j DROP
iptables -A IP1 -j ACCEPT
iptables -A INPUT -s 192.168.0.101 -j IP1
Is the solution correct? Are two rules with --sport 20, 21 required for incoming packets?
Best Answer
Your suggested rules should work, but there may be cases where a DROP in a chain is not the correct action. For example, if you wanted some later rule in the INPUT chain to permit FTP access to some specific destination for all hosts on your network. In this case a RETURN might be a better choice. Assuming the policy of your INPUT chain is DROP, this would probably also have the same results.
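To make the DROP-versus-RETURN point concrete, here is an added example (not part of the answer above, and not iptables itself) that models just enough of iptables chain traversal (rule matching, jumps into a user chain, RETURN, and the built-in chain's policy) to run the question's IP1 chain in both variants against constructed packets. The rule matching, chain names and packets are simplified assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, RETURN, or a user chain to jump to
    src: Optional[str] = None       # match on source IP (None = any)
    dport: Optional[int] = None     # match on TCP destination port (None = any)

    def matches(self, pkt: dict) -> bool:
        return (self.src is None or pkt["src"] == self.src) and \
               (self.dport is None or pkt["dport"] == self.dport)

def verdict(chains: dict, policy: str, chain: str, pkt: dict) -> Optional[str]:
    """Walk `chain` for `pkt`. Returns 'ACCEPT'/'DROP', or None when a user
    chain returns to its caller (explicit RETURN or falling off the end)."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target                  # terminating target
        if rule.target == "RETURN":
            return None                         # back to the calling chain
        sub = verdict(chains, policy, rule.target, pkt)   # jump into user chain
        if sub is not None:
            return sub
        # user chain returned without a verdict: continue with the next rule here
    return policy if chain == "INPUT" else None  # built-in chain ends in its policy

def ruleset(ftp_target: str, later_ftp_allow: bool) -> dict:
    """The question's chains, with ports 20/21 in IP1 sent to `ftp_target`.
    `later_ftp_allow` adds the answer's hypothetical later INPUT rule that
    permits FTP (port 21) for all hosts."""
    ip1 = [Rule(ftp_target, dport=20), Rule(ftp_target, dport=21), Rule("ACCEPT")]
    inp = [Rule("IP1", src="192.168.0.101")]
    if later_ftp_allow:
        inp.append(Rule("ACCEPT", dport=21))
    return {"INPUT": inp, "IP1": ip1}

def check(ftp_target: str, later_ftp_allow: bool, dport: int,
          src: str = "192.168.0.101") -> str:
    """Final verdict for a constructed packet, INPUT policy assumed to be DROP."""
    pkt = {"src": src, "dport": dport}
    return verdict(ruleset(ftp_target, later_ftp_allow), "DROP", "INPUT", pkt)

if __name__ == "__main__":
    for target in ("DROP", "RETURN"):
        for later in (False, True):
            print(f"IP1 uses {target:6} later FTP allow={later!s:5} "
                  f"-> port 21: {check(target, later, 21)}, port 22: {check(target, later, 22)}")
```

With DROP in IP1 the later FTP rule is never reached; with RETURN it is, and without that later rule the DROP policy gives the same result as the original chain.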