Re: iptables blocking eth0 .. why ?
Hey,
> ### Create Chains
> iptables -N IN_LO
> iptables -N OUT_LO
> iptables -N IN_ETH0
> iptables -N OUT_ETH0
> iptables -N IN_ETH1
> iptables -N OUT_ETH1
> iptables -N BLOCKED_PACKETS
> iptables -N ICMP_PACKETS
>
> ### POLICIES
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> ### INPUT
> iptables -A INPUT -j BLOCKED_PACKETS
So all incoming packets first have to pass BLOCKED_PACKETS.
> ### BLOCKING_PACKETS
> iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
Looks strange: -p tcp -m tcp, tcp matches are written with -p tcp.
On the one hand you want to block all packets that have the SYN and ACK flags,
but on the other hand you want to block state NEW. Aren't those two rules in
one, does that work?
> iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> -j DROP
Block non-SYN but state NEW, isn't that a contradiction?
If those two rules work, in my opinion no tcp connection will work on any
interface.
Did you take a look at 'iptables -vL'? What does it display?
Introducing logging for debugging purposes can help.
Regards
Frank
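Added example, not part of the thread: a small awk helper that reads the output of 'iptables -vL' and lists only the rules (and built-in chain policies) whose packet counters are non-zero, so the rule in BLOCKED_PACKETS that is actually eating the eth0 traffic stands out at once. The sample output embedded below is constructed to mirror the quoted ruleset; its counters are invented.

```shell
#!/bin/sh
# Constructed sample of 'iptables -vL' output (not taken from the thread);
# the packet/byte counters are invented for demonstration.
SAMPLE_VL='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  4104 BLOCKED_PACKETS  all  --  any    any     anywhere             anywhere

Chain BLOCKED_PACKETS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             state INVALID
    3   180 REJECT     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
   42  2520 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW'

# hot_rules: read 'iptables -vL' output on stdin and print one line per rule
# whose packet counter is non-zero, as "CHAIN rule=N pkts=P target=T <match>",
# plus "CHAIN policy=P pkts=N" for a built-in chain whose default policy has
# swallowed packets. Rules with a zero counter are skipped.
hot_rules() {
    awk '
        /^Chain / {
            chain = $2; rule = 0
            # "Chain INPUT (policy DROP 12 packets, 960 bytes)"
            if ($3 == "(policy" && $5 + 0 > 0)
                printf "%s policy=%s pkts=%d\n", chain, $4, $5
            next
        }
        /^ *pkts/ || NF == 0 { next }          # column header and blank lines
        {
            rule++
            if ($1 + 0 == 0) next                # this rule never matched
            # columns 1-9 are pkts bytes target prot opt in out src dst;
            # everything after that is the match text (state, tcp flags, ...)
            match_text = ""
            for (i = 10; i <= NF; i++) match_text = match_text " " $i
            printf "%s rule=%d pkts=%d target=%s%s\n", chain, rule, $1, $3, match_text
        }'
}

# Live usage: iptables -vL | hot_rules
# With the constructed sample: printf "%s\n" "$SAMPLE_VL" | hot_rules
```

With the sample above the helper reports the INPUT policy drops, the jump into BLOCKED_PACKETS, and the two tcp rules with hits, while the untouched INVALID rule is left out.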