From: Jan Humme <jan.humme@xs4all.nl>
To: Antony Stone <Antony@Soft-Solutions.co.uk>, netfilter@lists.samba.org
Subject: Re: Clear Iptables chains?
Date: Mon, 8 Jul 2002 19:14:34 +0200
Message-ID: <0207081914340A.14428@Lms>
In-Reply-To: <20020708170139.UTNE19225.mta07-svc.ntlworld.com@there>

On Monday 08 July 2002 19:01, Antony Stone wrote:
> On Monday 08 July 2002 5:34 pm, Jan Humme wrote:
> > On Monday 08 July 2002 17:22, Antony Stone wrote:
> > > I'd prefer to see:
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > >
> > > Then you add in the rules for the stuff you definitely know you want
> > > to allow.
> >
> > Certainly.
> >
> > What about default policies for the nat and mangle tables?
>
> Those should be ACCEPT, unless you're being sneaky/clever, and you
> definitely know what you are doing..
>
> The reasons are simple:
>
> 1. The choice of whether to block or accept packets should be done in the
> filtering table - that's what it's for.   The nat table is for address
> translation, and the mangle table is for packet mangling.   Don't drop
> packets in the nat table; drop them in the filter table.

Makes perfect sense.


> 2. If you start setting default policies of anything except ACCEPT in the
> nat or mangle tables, it's very easy to stop all traffic through your
> firewall, and spend some time scratching your head trying to figure out
> why, because there are no rules in the filter table causing the behaviour
> you observe.

..........as I already found out...............(!).

Jan Humme.
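
The policy split argued for in this exchange (DROP by default in the filter table, ACCEPT in nat and mangle), written out as a complete iptables-restore ruleset, plus a small lint that catches the nat/mangle pitfall Antony describes. This is an added example and is not code from the thread or from the netfilter project; the interface names eth0/eth1, the 192.0.2.0/24 LAN and the allowed ports are illustrative assumptions, and the failing dump at the end is constructed to show what the lint flags.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Interface names, the 192.0.2.0/24 LAN and the open ports are assumptions.

# Emit a complete iptables-restore ruleset. The filter table defaults to
# DROP and only explicitly wanted traffic is opened; the nat and mangle
# tables keep ACCEPT so that blocking decisions live in filter only.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.0.2.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.0.2.0/24 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Lint an iptables-save style dump read on stdin: report every built-in
# chain in the nat or mangle table whose policy is not ACCEPT (user-defined
# chains carry "-" and are skipped). Returns 1 if anything was flagged.
lint_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/ && (table == "nat" || table == "mangle") {
            chain = substr($1, 2)
            if ($2 != "ACCEPT" && $2 != "-") {
                printf "WARNING: %s table, chain %s has policy %s (should be ACCEPT)\n",
                       table, chain, $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed dump reproducing the head-scratcher from the thread: the
# filter table looks permissive, yet traffic dies because of a DROP policy
# hidden in the nat table.
bad_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING DROP [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Load the generated ruleset. iptables-restore replaces each table it names
# in one step, so no separate flush/delete of the old chains is needed.
# Needs root; not invoked below.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

# Demo: the generated ruleset passes the lint, the constructed dump does not.
gen_ruleset | lint_policies && echo "generated ruleset: nat/mangle policies OK"
bad_dump | lint_policies || echo "constructed dump: flagged as expected"
```

To check a live box rather than a file, feed the lint with `iptables-save | lint_policies`; a non-zero exit tells you where to look before you start reading filter rules that are not the cause.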



Thread overview: 8+ messages
2002-07-08 14:43 Clear Iptables chains? Denis JULIEN
2002-07-08 14:46 ` Lukas Ruf
2002-07-08 14:56   ` Antony Stone
2002-07-08 15:22     ` Antony Stone
2002-07-08 16:34       ` Jan Humme
2002-07-08 17:01         ` Antony Stone
2002-07-08 17:14           ` Jan Humme [this message]
2002-07-08 16:43       ` Ross Vandegrift
