From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: question about table filter, nat and mangle with chain default policy
Date: Sun, 12 Apr 2009 09:11:13 +0200
Message-ID: <49E19411.5020605@chello.at>
In-Reply-To: <549735.16160.qm@web46114.mail.sp1.yahoo.com>
my mail wrote:
> I have rule like this
>
> ----- rule iptables -----
> # Remove any existing rules from all chains
> $IPT --flush
> $IPT -t nat --flush
> $IPT -t mangle --flush
> # Delete any user defined chains
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> # Reset default policy to ACCEPT
> $IPT --policy INPUT ACCEPT
> $IPT --policy OUTPUT ACCEPT
> $IPT --policy FORWARD ACCEPT
> $IPT -t nat --policy PREROUTING ACCEPT
> $IPT -t nat --policy OUTPUT ACCEPT
> $IPT -t nat --policy POSTROUTING ACCEPT
> $IPT -t mangle --policy PREROUTING ACCEPT
> $IPT -t mangle --policy INPUT ACCEPT
> $IPT -t mangle --policy FORWARD ACCEPT
> $IPT -t mangle --policy OUTPUT ACCEPT
> $IPT -t mangle --policy POSTROUTING ACCEPT
>
> # Unlimited traffic on the loopback interface
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> # Default policy to DROP
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
> #$IPT -t nat --policy PREROUTING DROP
> $IPT -t nat --policy OUTPUT DROP
> #$IPT -t nat --policy POSTROUTING DROP
> #$IPT -t mangle --policy PREROUTING DROP
> #$IPT -t mangle --policy INPUT DROP
> #$IPT -t mangle --policy FORWARD DROP
> #$IPT -t mangle --policy OUTPUT DROP
> #$IPT -t mangle --policy POSTROUTING DROP
>
> # For SSH Connection into Firewall
> $IPT -A INPUT -i $LAN_IF -p tcp --sport $SSH_PORTS -d $IPADDR --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -o $LAN_IF -p tcp ! --syn -s $IPADDR --sport 22 --dport $SSH_PORTS -m state --state ESTABLISHED -j ACCEPT
>
> ---------- end rule --------------
>
> These rules are OK, because I can SSH into this machine. But if I remove the # from the default policy lines, like this:
>
> # Default policy to DROP
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
> $IPT -t nat --policy PREROUTING DROP
> $IPT -t nat --policy OUTPUT DROP
> $IPT -t nat --policy POSTROUTING DROP
> $IPT -t mangle --policy PREROUTING DROP
> $IPT -t mangle --policy INPUT DROP
> $IPT -t mangle --policy FORWARD DROP
> $IPT -t mangle --policy OUTPUT DROP
> $IPT -t mangle --policy POSTROUTING DROP
>
> I can't SSH into this machine. So is SSH using the nat and mangle tables to connect into this machine?
> I'm a little bit confused about this: why I can SSH into this machine when I DROP in the nat and mangle tables.
>
> Thanks in advance for your help.
>
Don't set the policy to DROP in the mangle and nat tables.
Put the DROP policy only in the filter table.
greets
Mart
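As an added illustration of Mart's advice (example code, not from the thread): the nat table is consulted only for the first packet of each connection and the mangle table for every packet, so a DROP policy in either of them discards traffic before the filter rules are ever reached, which is why the second script locks the poster out of SSH. The POSIX shell script below audits an iptables-save dump for exactly that mistake and prints the commands that would undo it. The dump is a constructed sample that reproduces the poster's second variant, not output from a real host; the function names and the audit_live helper are this example's own.

```shell
#!/bin/sh
# Audit an iptables-save dump for DROP policies outside the filter table.
# Only filter chains should carry a DROP policy; nat and mangle chains
# must stay ACCEPT, otherwise packets die before filtering happens.

# Constructed sample dump (not from a real host) mirroring the second
# variant of the poster's script: DROP policies in nat and mangle.
SAMPLE_DUMP='*nat
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
*mangle
:PREROUTING DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# Print "table chain" for every built-in chain outside the filter table
# whose policy is DROP. Argument: an iptables-save dump as a string.
# "*name" lines switch the current table; ":CHAIN POLICY [pkts:bytes]"
# lines declare a chain (user-defined chains show "-" as policy).
find_bad_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { chain = substr($1, 2); policy = $2
                if (table != "filter" && policy == "DROP") print table, chain }
    '
}

# Emit the iptables commands that reset the offending chains to ACCEPT,
# so the fix can be reviewed first (pipe into sh as root to apply).
fix_commands() {
    find_bad_policies "$1" | while read -r table chain; do
        printf 'iptables -t %s -P %s ACCEPT\n' "$table" "$chain"
    done
}

# Audit the running ruleset of the current host (needs root for iptables-save).
audit_live() {
    find_bad_policies "$(iptables-save)"
}

# Running this file directly audits the constructed sample.
find_bad_policies "$SAMPLE_DUMP"
```

On the poster's host, `audit_live` would list the eight nat and mangle chains set to DROP while reporting nothing for the filter table, and `fix_commands "$(iptables-save)" | sh` would restore ACCEPT on them, leaving the filter DROP policies and the SSH rules untouched.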