Cedric Blancher wrote:

> > This file is not a log.

[snip]

Ah ... thanks for the explanation.

> Could you post an iptables-save output for your INPUT chain so we can
> have a complete ruleset description ?

Sure, here it is:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29809:39495741]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 219.118.175.0/255.255.255.0 -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j LOG --log-prefix "DROP:" --log-level debug
-A OUTPUT -o lo -j ACCEPT
COMMIT

> It is a bit redundant with the previous rule that allows ESTABLISHED and
> RELATED packets, whatever source, destination and protocol they may
> have. So, ESTABLISHED HTTP packets to 203.179.86.66 would not reach your
> rule, being accepted by the previous one. Moreover, RELATED is useless, as
> HTTP does not have related connections such as FTP or IRC.

Ok. So I guess NEW is all I need and RELATED and ESTABLISHED are unnecessary.

Jean-Christian Imbeault
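The point Cedric makes about first-match order can be checked mechanically. The script below is an added example, not code from either poster or from the netfilter project: it parses the iptables-save output from the message (embedded verbatim), walks the INPUT chain in order the way the kernel does (first terminating match wins, LOG is non-terminating, then the chain policy), and shows that an ESTABLISHED packet to port 80 is accepted by rule 2 and never reaches the HTTP rule, and that stripping RELATED,ESTABLISHED from the later --state lists changes no verdict. The sample packets and the 198.51.100.7 client address are constructed for the demo; the tiny parser only understands the option syntax that appears in this particular ruleset (no negation, no multiport, no conntrack helper modelling).

```python
"""First-match simulation of the INPUT chain from the thread (added example)."""
import ipaddress
import shlex

# The poster's ruleset, copied verbatim from the message.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29809:39495741]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 219.118.175.0/255.255.255.0 -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j LOG --log-prefix "DROP:" --log-level debug
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [rule dicts]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain], chains[chain] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)                  # copes with the quoted "DROP:" prefix
            rule, i = {}, 2
            while i < len(toks):                      # every option in this ruleset takes one value
                opt, val = toks[i], toks[i + 1]
                if opt in ("-i", "-o", "-p", "-j"):
                    rule[{"-i": "in_if", "-o": "out_if", "-p": "proto", "-j": "target"}[opt]] = val
                elif opt in ("-s", "-d"):             # ip_network accepts the dotted netmask form
                    rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(val)
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "--state":
                    rule["states"] = set(val.split(","))
                # -m, --reject-with, --log-prefix and --log-level do not affect matching
                i += 2
            chains[toks[1]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    checks = {
        "in_if": lambda v: pkt.get("iface") == v,
        "out_if": lambda v: pkt.get("oiface") == v,
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "proto": lambda v: pkt["proto"] == v,
        "dport": lambda v: pkt.get("dport") == v,
        "states": lambda v: pkt["state"] in v,
    }
    return all(fn(rule[key]) for key, fn in checks.items() if key in rule)


def evaluate(policies, chains, chain, pkt):
    """First-match walk; returns (verdict, 1-based rule number or None for the policy)."""
    for n, rule in enumerate(chains[chain], 1):
        if matches(rule, pkt) and rule["target"] != "LOG":   # LOG is non-terminating
            return rule["target"], n
    return policies[chain], None


def drop_redundant_states(rules):
    """Copy of a chain with states already ACCEPTed by an earlier state-only rule
    removed from later --state lists (Cedric's observation, applied generally)."""
    covered, out = set(), []
    for rule in rules:
        rule = dict(rule)
        if "states" in rule:
            rule["states"] = rule["states"] - covered
        out.append(rule)
        if rule.get("target") == "ACCEPT" and set(rule) <= {"states", "target"}:
            covered |= rule.get("states", set())
    return out


POLICIES, CHAINS = parse_ruleset(RULESET)
SERVER = "203.179.86.66"


def pkt(src, proto, dport, state):
    """Constructed inbound packet on eth0 to the server (demo data, not from the thread)."""
    return dict(iface="eth0", src=src, dst=SERVER, proto=proto, dport=dport, state=state)


PACKETS = {
    "established http": pkt("198.51.100.7", "tcp", 80, "ESTABLISHED"),
    "new http":         pkt("198.51.100.7", "tcp", 80, "NEW"),
    "new ssh, allowed": pkt("219.118.175.5", "tcp", 22, "NEW"),
    "new ssh, other":   pkt("198.51.100.7", "tcp", 22, "NEW"),
    "netbios-ns":       pkt("198.51.100.7", "udp", 137, "NEW"),
}


def verdict(packet, rules=None):
    """INPUT-chain verdict for a packet, optionally against a substituted rule list."""
    chains = CHAINS if rules is None else {"INPUT": rules}
    return evaluate(POLICIES, chains, "INPUT", packet)


if __name__ == "__main__":
    simplified = drop_redundant_states(CHAINS["INPUT"])
    for name, p in PACKETS.items():
        print(f"{name:18s} original={verdict(p)}  simplified={verdict(p, simplified)}")
    for n, rule in enumerate(simplified, 1):
        if "states" in rule:
            print(f"rule {n}: --state {','.join(sorted(rule['states']))}")
```

Run it and the "established http" packet reports rule 2 for both rulesets, while the HTTP and SSH rules come out as `--state NEW` only. The equivalence holds because the unconditional RELATED,ESTABLISHED accept sits above them; move that rule below the service rules, or restrict it with `-s`/`-i`, and the simplification is no longer safe, which is exactly what a first-match walk like this would reveal. The script does not model conntrack helpers, so it removes RELATED from the HTTP rule only because rule 2 already accepts RELATED packets, not on the basis of any claim about what HTTP produces.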