Iptables bang position

Kriss asked:

I am trying to set up this rule:

 iptables -A INPUT -i eth1 -p tcp -s ! 10.111.11.0/24 --dport ssh --syn -m state --state NEW -j ACCEPT

but it doesn't work. When I change the place of the !

 iptables -A INPUT -i eth1 -p tcp ! -s 10.111.11.0/24 --dport ssh --syn -m state --state NEW -j ACCEPT

it's OK, but I am not sure whether it is working correctly. In every tut on the net, “!” is between -s and the IP, not in front of it.

My answer:


Your second example is correct.

The first example is an old and deprecated way of writing such rules; current versions of iptables will print a warning, or refuse the rule entirely, if you use it.

Old tutorials on the Internet, of course, have old information.


View the full question and answer on Server Fault.
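
For auditing old firewall scripts for the deprecated form discussed above, here is an added example that is not part of the original question or answer. The hypothetical `fix_bang` shell function moves a `!` sitting between an option and its value to the front of the option; the first sample rule is the one from the question, the others are constructed.

```shell
#!/bin/sh
# Added example: rewrite deprecated "option ! value" negation in iptables
# rule lines to the current "! option value" form.
# fix_bang is a hypothetical helper name; it reads rule lines on stdin and
# writes the rewritten lines to stdout (runs of whitespace become one space).
fix_bang() {
    awk '{
        out = ""; sep = ""
        for (i = 1; i <= NF; i++) {
            # Deprecated pattern: <option> ! <value>.
            # The value must not look like an option itself, otherwise
            # "--syn ! -s 10.0.0.0/8" (already correct) would be mangled.
            if (i + 2 <= NF && $i ~ /^-/ && $(i + 1) == "!" && $(i + 2) !~ /^-/) {
                out = out sep "! " $i " " $(i + 2)
                i += 2
            } else {
                out = out sep $i
            }
            sep = " "
        }
        print out
    }'
}

# Demo input: line 1 is the rule from the question, lines 2-3 are constructed.
fix_bang <<'EOF'
iptables -A INPUT -i eth1 -p tcp -s ! 10.111.11.0/24 --dport ssh --syn -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --syn ! -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i ! eth0 -d ! 192.0.2.0/24 -j DROP
EOF
```

Diff the output against the original script before loading it, since the rewrite is purely textual and does not validate the rules.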

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.