On Fri 12/09/2003 at 12:09, Payal Rathod wrote:
> Just confirming this from all. Please check whether this is ok.
[...]
> $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

With this rule, you will just accept anything except INVALID packets, which are quite uncommon (the vast majority of them are ICMP).

> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT

Those rules won't be reached, as the first one accepts all packets. You should consider this instead:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
    -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
    -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
    -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
    -m tcp --dport 110 -j ACCEPT

Keeping the ESTABLISHED,RELATED rule at the top of the ruleset is an optimization, as most packets you receive will be in the ESTABLISHED state. It's better to treat them early so they don't go through the whole chain.

> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> $IPTABLES -P FORWARD ACCEPT
>                      ^^^^^^
> $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Same as below. It's about the same as a policy set to ACCEPT...

> Can I now change the ACCEPT statement to DROP without any fear?

Sure.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
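As an added example, not code from the thread or from either participant, here is a small Python first-match evaluator for the chains discussed above. It models only the matches the posted rules use (-s, -p, --dport, -m state), first-match semantics and a chain policy, and runs a constructed traffic sample through three rulesets: the one first posted (FORWARD policy ACCEPT), the reply's version with the FORWARD policy switched to DROP as the thread ends up asking, and a hardened variant. Two things in it are assumptions of this example rather than the thread's content: the INPUT policy is taken to be DROP (the post only shows the FORWARD policy), and the hardened variant adds a FORWARD ESTABLISHED,RELATED rule that the thread does not show, because replies to forwarded connections also traverse FORWARD and would otherwise hit the DROP policy. The `redundant_rules` check flags rules whose removal changes no verdict over the sample, which is how the four FORWARD rules show up as dead weight while the policy is ACCEPT.

```python
"""Toy first-match evaluator for the iptables chains discussed in the thread.
Added illustration, not code from the mailing-list post. Only -s, -p, --dport
and -m state are modelled; real iptables/conntrack is far richer."""
import ipaddress


def rule(chain, target, states=None, src=None, proto=None, dport=None):
    """One rule; None means 'any' for that field (like omitting the match)."""
    return {"chain": chain, "target": target, "states": states,
            "src": ipaddress.ip_network(src) if src else None,
            "proto": proto, "dport": dport}


def pkt(chain, state, src, proto, dport):
    """One packet as a chain sees it, conntrack state already decided."""
    return {"chain": chain, "state": state, "src": src,
            "proto": proto, "dport": dport}


def matches(r, p):
    """True when every non-None field of the rule matches the packet."""
    return ((r["states"] is None or p["state"] in r["states"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["proto"] is None or p["proto"] == r["proto"])
            and (r["dport"] is None or p["dport"] == r["dport"]))


def verdict(rules, policies, chain, p):
    """Walk `chain` top to bottom: the first matching rule decides, otherwise
    the chain policy. Returns (target, index of deciding rule or None)."""
    for i, r in enumerate(rules):
        if r["chain"] == chain and matches(r, p):
            return r["target"], i
    return policies[chain], None


def redundant_rules(rules, policies, chain, packets):
    """Indices of rules in `chain` whose removal changes no verdict over the
    traffic sample: a cheap way to spot rules shadowed by an earlier rule
    or made pointless by an ACCEPT policy."""
    sample = [p for p in packets if p["chain"] == chain]
    redundant = []
    for i, r in enumerate(rules):
        if r["chain"] != chain:
            continue
        without = rules[:i] + rules[i + 1:]
        if all(verdict(rules, policies, chain, p)[0]
               == verdict(without, policies, chain, p)[0] for p in sample):
            redundant.append(i)
    return redundant


LAN = "125.125.125.0/32"   # source network exactly as used in the thread

# Ruleset as first posted: FORWARD policy ACCEPT and a broad INPUT rule.
ORIGINAL_POLICIES = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}
ORIGINAL = [
    rule("INPUT", "ACCEPT", states={"NEW", "ESTABLISHED", "RELATED"}),
    rule("FORWARD", "ACCEPT", src=LAN, proto="tcp", dport=53),
    rule("FORWARD", "ACCEPT", src=LAN, proto="udp", dport=53),
    rule("FORWARD", "ACCEPT", src=LAN, proto="tcp", dport=80),
    rule("FORWARD", "ACCEPT", src=LAN, proto="tcp", dport=110),
]

# The reply's version with the FORWARD policy switched to DROP. The INPUT
# policy is an assumption of this example; the thread never shows it.
CORRECTED_POLICIES = {"INPUT": "DROP", "FORWARD": "DROP"}
THREAD_CORRECTED = [
    rule("INPUT", "ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("FORWARD", "ACCEPT", states={"NEW"}, src=LAN, proto="tcp", dport=53),
    rule("FORWARD", "ACCEPT", states={"NEW"}, src=LAN, proto="udp", dport=53),
    rule("FORWARD", "ACCEPT", states={"NEW"}, src=LAN, proto="tcp", dport=80),
    rule("FORWARD", "ACCEPT", states={"NEW"}, src=LAN, proto="tcp", dport=110),
]
# Replies to forwarded connections traverse FORWARD too, so once its policy is
# DROP they need their own ESTABLISHED,RELATED rule. Added here; not in the thread.
HARDENED = [rule("FORWARD", "ACCEPT", states={"ESTABLISHED", "RELATED"})] + THREAD_CORRECTED

# Constructed traffic sample (not captured data).
PACKETS = [
    pkt("INPUT", "NEW", "10.0.0.7", "tcp", 22),
    pkt("INPUT", "INVALID", "10.0.0.7", "tcp", 22),
    pkt("INPUT", "ESTABLISHED", "198.51.100.9", "tcp", 33000),
    pkt("FORWARD", "NEW", "125.125.125.0", "tcp", 53),
    pkt("FORWARD", "NEW", "125.125.125.0", "udp", 53),
    pkt("FORWARD", "NEW", "125.125.125.0", "tcp", 80),
    pkt("FORWARD", "NEW", "125.125.125.0", "tcp", 110),
    pkt("FORWARD", "NEW", "125.125.125.0", "tcp", 25),            # not allowed
    pkt("FORWARD", "NEW", "10.0.0.7", "tcp", 80),                  # wrong source
    pkt("FORWARD", "ESTABLISHED", "203.0.113.5", "tcp", 40000),   # forwarded reply
]

if __name__ == "__main__":
    for name, rules, pol in (("original", ORIGINAL, ORIGINAL_POLICIES),
                             ("thread fix", THREAD_CORRECTED, CORRECTED_POLICIES),
                             ("hardened", HARDENED, CORRECTED_POLICIES)):
        print(name, "redundant FORWARD rules:", redundant_rules(rules, pol, "FORWARD", PACKETS))
        for p in PACKETS:
            print("  ", p["chain"], p["state"], p["src"], p["proto"], p["dport"],
                  "->", verdict(rules, pol, p["chain"], p))
```

Running it prints, per ruleset, which FORWARD rules are redundant over the sample and the verdict for each packet. With the posted ruleset all four FORWARD rules are redundant because the ACCEPT policy would accept the traffic anyway; with the reply's rules and a DROP policy the forwarded reply packet is dropped until the extra FORWARD ESTABLISHED,RELATED rule is in place, while the NEW connection to port 25 stays dropped in both corrected variants.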