
I'm running OpenWrt on my router, which allows me to run applications such as apache and emule. I installed emule but I keep getting lowid, indicating that my port is misconfigured. I was able to solve this by SSHing into my router and editing iptables. My INPUT table originally looked like this...

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere

If I add this rule I get highid, indicating that my port is properly configured...

iptables -I INPUT 2 -p tcp --dport 4662 -j ACCEPT

After running this my INPUT table looks like...

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere

Notice the position. If I try to make it the 1st or 2nd rule in the chain, it gives me highid. If I go anywhere below that (rules 3-6) I still get lowid. I know very little about iptables, but I do understand that the rules in the INPUT chain are checked in order. From what I can see, my rule works when checked before or after all invalid packets are dropped.

I don't understand why it does not work after accepting all related or established packets. Can anyone explain to me why this rule works at position 1 or 2, but not any others?

HackToHell
b10hazard

1 Answer


It's not working below the "state RELATED,ESTABLISHED" rule because that permits only incoming packets which are related to existing connections; since you don't have any ports open other than 4662, such packets can only originate from hosts to which you've opened an outgoing connection.

The port 4662 rule is fine where it is and in the right place, but if you really want it to work anywhere in the chain, add '-m state --state NEW' to the iptables command you're using to create it; this will explicitly indicate that incoming connection request packets should be accepted on that port.

Aaron Miller
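As an added illustration (not from the original post or the OpenWrt project), here is a small Python first-match simulation of the rules the answer discusses, with a toy connection-tracking table, showing why the "state RELATED,ESTABLISHED" rule never catches the first inbound SYN and why a "-m state --state NEW" rule for port 4662 does. The final REJECT rule is an assumption standing in for the OpenWrt subchains (syn_flood, input_rule, input) whose contents are not shown on the page.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})

@dataclass
class Conntrack:
    """Toy state table: a flow is keyed by (proto, dport) only."""
    flows: set = field(default_factory=set)

    def state(self, pkt):
        if (pkt.proto, pkt.dport) in self.flows:
            return "ESTABLISHED"
        if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
            return "NEW"            # a bare SYN opens a flow
        return "INVALID"            # mid-stream packet for an unknown flow

    def commit(self, pkt):
        self.flows.add((pkt.proto, pkt.dport))

def rule_matches(rule, pkt, state):
    return (rule.get("proto") in (None, pkt.proto)
            and rule.get("dport") in (None, pkt.dport)
            and (rule.get("state") is None or state in rule["state"]))

def evaluate(chain, pkt, ct):
    """Walk the chain in order; the first matching rule decides the verdict."""
    state = ct.state(pkt)
    for index, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt, state):
            if rule["target"] == "ACCEPT":
                ct.commit(pkt)      # an accepted packet creates the flow entry
            return index, rule["target"], state
    raise AssertionError("chain must end in a terminating rule")

BASE = [
    {"target": "DROP", "state": {"INVALID"}},
    {"target": "ACCEPT", "state": {"RELATED", "ESTABLISHED"}},
    {"target": "REJECT"},   # assumption: stands in for the unseen subchains
]
PORT_RULE = {"target": "ACCEPT", "proto": "tcp", "dport": 4662, "state": {"NEW"}}

def emule_handshake(chain):
    """Verdicts for an inbound SYN to 4662, its follow-up ACK, and a stray ACK to 80."""
    ct = Conntrack()
    syn = Packet("tcp", 4662, frozenset({"SYN"}))
    ack = Packet("tcp", 4662, frozenset({"ACK"}))
    stray = Packet("tcp", 80, frozenset({"ACK"}))
    return [evaluate(chain, p, ct) for p in (syn, ack, stray)]
```

Running emule_handshake(BASE[:2] + [PORT_RULE] + BASE[2:]) shows the SYN accepted by the port rule as NEW, the ACK accepted by rule 2 as ESTABLISHED, and the stray ACK dropped as INVALID; without PORT_RULE the same SYN falls through to the final REJECT.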