--policy DROP kills everything?
busby at edoceo.com
Thu Jun 9 20:21:56 CEST 2005
R. DuFresne wrote:
> We found that in a 1:1 nat setup the policy for the forward chain has to
> be accept or traffic will not flow.
> Ron DuFresne
My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at all.
I have these rules below:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.0/8 0.0.0.0/0
ACCEPT udp -- 192.168.42.1 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 192.168.42.1 0.0.0.0/0 udp dpt:123
ACCEPT udp -- 192.168.42.1 0.0.0.0/0 udp dpt:514
ACCEPT tcp -- 0.0.0.0/0 192.168.42.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 192.168.42.2 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
And I cannot make new connections to port 22 or port 80; I see them in the logs.
An existing ssh connection will stay up if I connect with no rules loaded and then run iptables-restore.
This seems totally odd to me. The UDP traffic is also blocked. Everyone is telling me that these rules should work,
that new connections should be allowed and so on, but that is not the case. Here's what my modules look like:
imperium root # lsmod
Module Size Used by
ipt_LOG 6272 1
ipt_state 1472 1
ip_conntrack 39860 1 ipt_state
iptable_filter 2944 1
ip_tables 16320 3 ipt_LOG,ipt_state,iptable_filter
So everything looks loaded OK too, but it's not working. I even added these rules:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
But still cannot make a new connection to port 22 or 80, what gives? What do I try now?
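The thread turns on what the listed INPUT chain should do with a given packet. The following is an added example, not code from the original post or from the netfilter project: a small simulator that parses the `iptables -L -n` listing above (retyped here as constructed sample input) and walks it the way the kernel does, first match wins, a LOG target does not terminate the walk, and whatever is left falls to the chain policy. It ignores interfaces, fragments and conntrack's own state decisions, and takes the packet's state as given; the `Packet`, `Rule`, `decide` and `EXTRA_RULES` names are this example's own.

```python
"""Simulate first-match evaluation of an iptables INPUT chain (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample input: the chain from the post, retyped (not captured live).
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.0/8 0.0.0.0/0
ACCEPT udp -- 192.168.42.1 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 192.168.42.1 0.0.0.0/0 udp dpt:123
ACCEPT udp -- 192.168.42.1 0.0.0.0/0 udp dpt:514
ACCEPT tcp -- 0.0.0.0/0 192.168.42.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 192.168.42.2 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
"""

# The two rules the poster appended later (-A puts them after the LOG line).
EXTRA_RULES = """\
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
"""


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    state: str      # NEW, ESTABLISHED, RELATED or INVALID, as conntrack would classify it


@dataclass
class Rule:
    target: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    states: Optional[Set[str]]


def parse_listing(text: str):
    """Return (policy, rules) from `iptables -L <chain> -n` output."""
    lines = text.strip().splitlines()
    policy = lines[0].split("(policy ")[1].rstrip(")")
    rules = []
    for line in lines[2:]:                    # skip the "Chain" and column-header lines
        fields = line.split()
        target, proto, _opt, src, dst = fields[:5]
        extra = fields[5:]
        dport, states = None, None
        for i, tok in enumerate(extra):
            if tok.startswith("dpt:"):
                dport = int(tok[4:])
            elif tok == "state":
                states = set(extra[i + 1].split(","))
        rules.append(Rule(target, proto,
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False),
                          dport, states))
    return policy, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def decide(pkt: Packet, listing: str = LISTING):
    """Return (verdict, 1-based rule number or None for policy, whether LOG fired)."""
    policy, rules = parse_listing(listing)
    logged = False
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":              # LOG is non-terminating: note it, keep walking
            logged = True
            continue
        return rule.target, n, logged
    return policy, None, logged


if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.0.0.5", "192.168.42.2", 22, "NEW"),
        Packet("tcp", "10.0.0.5", "192.168.42.3", 22, "NEW"),
        Packet("udp", "192.168.42.1", "192.168.42.2", 53, "NEW"),
        Packet("udp", "10.0.0.9", "192.168.42.2", 53, "NEW"),
    ]
    for p in samples:
        print(p, "->", decide(p), "| with extra rules ->", decide(p, LISTING + EXTRA_RULES))
```

On paper the simulator accepts a new TCP connection to 192.168.42.2:22 at rule 5 and a new DNS query from 192.168.42.1 at rule 2, which is what the thread's other participants are saying. Two things worth noting when the real box disagrees with the paper walk: a LOG line in syslog only shows that the packet reached the LOG rule, not that it was dropped (with the poster's two appended rules the packet is logged and then accepted at rule 9), and `iptables -L INPUT -v -n` shows per-rule packet and byte counters, so clearing them with `iptables -Z` and retrying the connection tells you which rule, if any, the packet actually hit.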