Move table and target to before the other rule arguments
Some commands in IPTables are order dependent. In particular, I have seen this with the --to-dest and the --to-source arguments for DNAT and SNAT respectively. Below is an example rule which demonstrates the issue. $ iptables -A PREROUTING -p tcp -i eth0 --dport 4000 \ --to-dest -t nat -j DNAT iptables v1.6.0: unknown option "--to-dest" $ iptables -A PREROUTING -p tcp -i eth0 --dport 4000 \ -j DNAT --to-dest -t nat Signed-off-by: Russell Sim <>
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 736a4458..bbc14473 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -44,8 +44,8 @@ rule c tb tg rs = property ("firewall rule: " <> show r) addIpTable
toIpTable :: Rule -> [CommandParam]
toIpTable r = map Param $
val (ruleChain r) :
- toIpTableArg (ruleRules r) ++
- ["-t", val (ruleTable r), "-j", val (ruleTarget r)]
+ ["-t", val (ruleTable r), "-j", val (ruleTarget r)] ++
+ toIpTableArg (ruleRules r)
toIpTableArg :: Rules -> [String]
toIpTableArg Everything = []
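Review bot: The argument order in `toIpTable` is now load-bearing, but nothing in the code records why, so a later refactor that regroups the parameters would silently reintroduce the "unknown option" failure from the commit message. Add a comment above the list, e.g. `-- -t/-j must precede the rule arguments: iptables only recognises target-extension options (--to-destination, --to-source) once the target has been named with -j`. The same ordering constraint presumably holds inside toIpTableArg, where a match option such as --dport is only valid after the -p/-m that loads it; worth confirming that Rules already emits those in that order, since a rejected rule means the firewall property does not enforce what its declaration says. toIpTableArg continues past the end of the hunk.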