On Monday, 04.07.2005 at 14:17 +1000, Daniel Pittman wrote:

> > *nat
> > :PREROUTING DROP [0:0]
> > :POSTROUTING DROP [0:0]
> > :OUTPUT DROP [0:0]
> > COMMIT
>
> I thought that using a policy of DROP in the nat tables would result in
> anything that wasn't NAT-ed being prevented from passing through by
> iptables.
>
> I can't find any documentation one way or the other, though, and don't
> want to test on my live systems. Maybe you can try varying that?

You might have spotted the problem there. Generally, you should set
INPUT, OUTPUT and FORWARD (on the default filter chain) to DROP; but NAT
and MANGLE should always be ACCEPT. i.e.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

Dave.

-- 
Please don't CC me on list messages!

...

Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
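Added example, not from either poster: a POSIX shell audit that reads an iptables-save dump in the format quoted above and reports every built-in chain whose policy contradicts Dave's rule (filter built-ins DROP, nat and mangle built-ins ACCEPT). The dump is constructed here for an offline run; its nat block repeats the one from the thread.

```shell
#!/bin/sh
# Audit an iptables-save dump for chain policies that break the rule:
# filter built-ins should be DROP, nat/mangle built-ins should be ACCEPT.

# Constructed sample dump (the nat block is the one quoted in the thread).
SAMPLE_DUMP='*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Reads a dump on stdin; prints "table chain policy (expected X)" for every
# built-in chain whose policy is wrong and exits 1 if any were found.
audit_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/ {
            chain = substr($1, 2); policy = $2
            # user-defined chains carry "-" as policy and are not audited
            if (policy == "-") next
            want = (table == "filter") ? "DROP" : "ACCEPT"
            if (policy != want) {
                printf "%s %s %s (expected %s)\n", table, chain, policy, want
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Number of offending chains in a dump passed as a string.
count_deviations() {
    printf '%s\n' "$1" | audit_policies | wc -l | tr -d ' '
}

# Stand-alone run over the sample. On a live host use:
#   iptables-save | audit_policies
if printf '%s\n' "$SAMPLE_DUMP" | audit_policies; then
    echo "all built-in chain policies as expected"
else
    echo "fix the chains listed above with: iptables -t TABLE -P CHAIN POLICY"
fi
```

For the sample dump the audit lists the three nat chains and filter FORWARD, i.e. exactly the configuration Daniel was asking about.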