From: David Busby <busby@edoceo.com>
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?
Date: Thu, 09 Jun 2005 13:59:20 -0700
Message-ID: <42A8ADA8.5000008@edoceo.com>
In-Reply-To: <Pine.LNX.4.62.0506091515190.14790@dgray-test.acs.internap.com>
Damon Gray wrote:
> David,
> Sorry, but all I can suggest is getting rid of the -i eth0 on the
> port 22 and port 80 rules because you won't be able to connect from lo0
> with that. You also don't need the the --state NEW rule for ssh either,
> your allow anything to port 22 will be enough for that and anything
> destined for port 22. And also (like someone else suggested) put the
> --state ESTABLISHED,RELATED at the top. Other than that your rules look
> correct to me. Is there anything in any of the other tables? Like if you
> do a iptables -t nat -nvL or -t mangle? What kernel are you running?
>
> Sorry I couldn't be of more help.
>
> -Damon-
>
I appreciate all the help this list is providing. It seems very odd to me, and it's nice to know it's also confusing to others ;) I've got no other tables, no nat, no mangle (I didn't even build those modules). I moved EST,REL to the top; it was last while I was testing. I'm still in the same state: my established traffic is OK but NEW (tcp/udp) is not. I'm using kernel 2.6.10-gentoo-r6, so it's vanilla with gentoo patches. I've fetched 2.6.11-gentoo-r9 and am currently building it; I'll try my rules with it.

I also tried getting rid of the interface parameter rules, no help. I tried getting rid of the destination IP rules, no go. I ended up with this very loose setup:
imperium syslog-ng # iptables -nv -L
Chain INPUT (policy DROP 43 packets, 3392 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   312 ACCEPT     all  --  *      *       127.0.0.0/8          0.0.0.0/0
 4067 3419K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   43  3392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3270 packets, 277K bytes)
 pkts bytes target     prot opt in     out     source               destination
But I still cannot connect :( My TCP and UDP traffic is still dead. Do I need to enable something in /proc? This machine isn't forwarding or being a router; the rules are only to protect this single host. I've unloaded and reloaded the kernel modules, no go.
(time passes)
Rebooted with the 2.6.11-gentoo-r9 kernel, set my firewall rules and presto! Everything is working perfectly with the above rules.

I then went through and tightened the rules to be more specific, and it's all still working perfectly.

Glad that's over, thanks to everyone who helped out!
/djb
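The ruleset from the message above, written out as an added example in iptables-restore(8) format (this is not code from the thread or from netfilter; the port list is the one shown in the listing, everything else is this example's own choice). It applies the ordering the list recommended: loopback and RELATED,ESTABLISHED first, explicit NEW services after, and a LOG rule last so that the DROP policy is the only thing that follows it. Three details differ from the listing and are assumptions for illustration: loopback is matched by interface (`-i lo`) rather than by a 127.0.0.0/8 source address, since a source address can be forged on eth0 but the ingress interface cannot; the FORWARD policy is DROP because the host is not a router; and the LOG rule is rate-limited so a port scan cannot fill syslog. The `check_ruleset` and `count_accept` helpers and the log prefix are hypothetical, added only so the generated text can be verified offline without iptables.

```shell
#!/bin/sh
# Added example, not from the original thread: emit a single-host INPUT
# ruleset in iptables-restore format and sanity-check its ordering offline.
# Port numbers follow the listing in the message; the log prefix, the
# FORWARD DROP policy and the helper functions are assumptions of this example.

SSH_PORT=22
HTTP_PORT=80
LOG_PREFIX="INPUT-DROP: "

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback by interface: 127.0.0.0/8 as a source can be spoofed on eth0, -i lo cannot
-A INPUT -i lo -j ACCEPT
# replies to this host's own connections, plus related traffic (ICMP errors, FTP data)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# conntrack could not classify it: drop before the per-service rules see it
-A INPUT -m state --state INVALID -j DROP
# new inbound services, one explicit rule per port (UDP has no handshake, so no NEW match)
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport ${HTTP_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 514 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# log what the DROP policy is about to eat, rate-limited so a scan cannot flood syslog
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "${LOG_PREFIX}" --log-level 4
COMMIT
EOF
}

# Offline check of the ordering invariants the list recommended; returns 0 when:
#  - INPUT policy is DROP,
#  - the RELATED,ESTABLISHED rule precedes the first NEW rule,
#  - the LOG rule is the last INPUT rule (nothing after it can shadow the policy).
check_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q -e '^:INPUT DROP' || return 1
    est=$(printf '%s\n' "$rules" | grep -n -e '--state RELATED,ESTABLISHED' | cut -d: -f1 | head -n1)
    first_new=$(printf '%s\n' "$rules" | grep -n -e '--state NEW' | cut -d: -f1 | head -n1)
    last_input=$(printf '%s\n' "$rules" | grep -n -e '^-A INPUT' | cut -d: -f1 | tail -n1)
    log=$(printf '%s\n' "$rules" | grep -n -e '-j LOG' | cut -d: -f1 | head -n1)
    [ -n "$est" ] && [ -n "$first_new" ] && [ "$est" -lt "$first_new" ] || return 1
    [ -n "$log" ] && [ "$log" = "$last_input" ] || return 1
    return 0
}

# Number of ACCEPT rules emitted (lo, established, five services, icmp).
count_accept() {
    gen_ruleset | grep -c -e '-j ACCEPT'
}

# Usage: sh thisfile.sh print | iptables-restore
if [ "${1:-}" = "print" ]; then
    gen_ruleset
fi
```

Load it with `gen_ruleset | iptables-restore` from the console, not over the ssh session it is meant to protect: with a DROP policy, a mistake in the NEW rule for port 22 locks you out, which is exactly the symptom the thread started with. `-m state` is the match available on the 2.6.10/2.6.11 kernels discussed here; on current kernels `-m conntrack --ctstate` is the equivalent.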