[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall-troubleshooting

On Monday, 04.07.2005 at 14:17 +1000, Daniel Pittman wrote:

> > *nat
> > :OUTPUT DROP [0:0]
> I thought that using a policy of DROP in the nat tables would result in
> anything that wasn't NAT-ed being prevented from passing through by
> iptables.
> I can't find any documentation one way or the other, though, and don't
> want to test on my live systems.  Maybe you can try varying that?

You might have spotted the problem there.

Generally, you should set INPUT, OUTPUT and FORWARD (on the default
filter chain) to DROP; but NAT and MANGLE should always be ACCEPT.


iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

Please don't CC me on list messages!
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92

Attachment: signature.asc
Description: Digital signature

Reply to: