Grading Checklist

A good response must include:

• Identifies the root cause: an earlier, broader DROP rule in the INPUT chain matches the traffic before the ACCEPT rule is evaluated
• Explains iptables rule evaluation order: first match wins, rules are evaluated top to bottom
• Uses iptables -L -n -v --line-numbers to display the full chain with counters and rule positions
• Identifies the specific shadowing rule (e.g., a DROP for all traffic to ports 8000-9000 or from a broad CIDR)
• Notes that the ACCEPT rule's packet counter is 0 (never matched) while the DROP rule's counter is incrementing
• Proposes the fix: either insert the ACCEPT rule above the DROP rule, or modify the DROP rule to exclude port 8443
• Uses iptables -I INPUT <position> to insert the rule at the correct position
• Recommends reviewing and cleaning up the entire ruleset (47 rules suggests organic growth)
• Mentions using iptables -C or testing with LOG target to debug rule matching
• Warns against simply moving the DROP rule to the end (could open unintended access)
• Suggests using a firewall management tool (firewalld, ufw, or nftables) for complex rulesets