On Thu, 2003-08-07 at 19:51, Rob Verduijn wrote:
> the default policy that I set is drop
> $IPTABLES -t filter -P INPUT DROP
> $IPTABLES -t filter -P OUTPUT DROP
> $IPTABLES -t filter -P FORWARD DROP
> $IPTABLES -t nat -P PREROUTING DROP
> $IPTABLES -t nat -P POSTROUTING DROP
> $IPTABLES -t nat -P OUTPUT DROP
> $IPTABLES -t mangle -P PREROUTING DROP
> $IPTABLES -t mangle -P POSTROUTING DROP
> $IPTABLES -t mangle -P INPUT DROP
> $IPTABLES -t mangle -P OUTPUT DROP
> $IPTABLES -t mangle -P FORWARD DROP

Don't do this. The mangle and the nat table are only for mangling and NATing. Please only filter in the filter table. Once you have understood why some packets traverse the nat table and others do not, you may think about filtering in the nat table, but I would advise against it.

The above rules are only useful if you do not want any traffic on your machine, as in a panic situation.

> I also read that the following allows all the local traffic
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> but why can't I ping localhost?

Because those packets still pass the nat and the mangle table, and you drop everything there. Remove the DROP rules in the nat and mangle table.

Cheers,

Ralf

-- 
Ralf Spenneberg RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
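The ruleset the reply recommends, written out as an added example (this script is not part of the thread and is not Rob's or Ralf's code). It keeps the `$IPTABLES` variable from Rob's script, resets the nat and mangle built-in chains to ACCEPT so that the earlier DROP policies are undone, puts the default-deny policy in the filter table only, and admits loopback traffic there. The `apply`, `dry-run` and `check` arguments, the flush step and the `list_drop_policies` helper are additions for illustration; `apply` and `check` assume a Linux host with iptables and root privileges, while `dry-run` only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original thread: filter only in the filter
# table, leave nat and mangle at their ACCEPT policy, allow loopback.
# Usage: sh ruleset.sh apply | dry-run | check   (apply/check need root)
set -eu

IPTABLES=${IPTABLES:-iptables}

# Undo the DROP policies set on nat and mangle. Those tables exist for
# address translation and packet marking; a DROP policy there discards
# packets before the filter table ever sees them (the localhost ping).
reset_nat_mangle_policies() {
    for chain in PREROUTING POSTROUTING OUTPUT; do
        $IPTABLES -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPTABLES -t mangle -P "$chain" ACCEPT
    done
}

# Default-deny belongs in the filter table only.
set_filter_policies() {
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
}

# Loopback traffic (ping localhost, local daemons) is accepted in filter;
# with nat and mangle back at ACCEPT nothing else stands in its way.
allow_loopback() {
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
}

# Flush the rules in all three tables first so the script is re-runnable,
# then apply policies and rules in order.
apply_ruleset() {
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F
    done
    reset_nat_mangle_policies
    set_filter_policies
    allow_loopback
}

# Check helper: prints "table chain" for every built-in chain whose policy
# is DROP. After apply_ruleset only the three filter chains should appear.
list_drop_policies() {
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -L -n | awk -v t="$table" \
            '/^Chain .*policy DROP/ { print t, $2 }'
    done
}

case "${1:-}" in
    apply)   apply_ruleset ;;
    dry-run) (IPTABLES=echo; apply_ruleset) ;;
    check)   list_drop_policies ;;
esac
```

Run `sh ruleset.sh dry-run` first to see the exact iptables invocations, then `apply` as root and `check` to confirm that DROP policies remain only on the filter table's INPUT, OUTPUT and FORWARD chains.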