> So my question is do I need default policies for the NAT chains?

Michael, it is not necessary for you to specify default policies for the NAT table chains, as dealing with the packets when they get to the FILTER table chains will be sufficient.

To illustrate my point, look at figure 3b in the following document ...

http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section3

The arrow to the extreme left pointing up is where a packet would "enter" your server from the outside. No matter which path it takes till it gets to the "down" arrow at the extreme right, it will pass through either the INPUT, OUTPUT, or FORWARD chains of the FILTER table. Also, any packets destined for your server will hit the INPUT chain first, giving you the opportunity to deal with them.

So if you don't specifically have an accept rule defined in the chains of your FILTER table, then packets you haven't intended to ACCEPT/DROP/"whatever" will be dropped before they either exit or pass through your server.

I hope this answers your question,
Brandon Broyles
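An added example, not part of the original message: a shell function that reads `iptables-save` output and reports the default policy of every built-in chain, so the filter chains that each packet must traverse can be confirmed as the place where default-deny lives. The function names, verdict labels and sample ruleset are constructed for illustration, and the check assumes the filter chains are meant to default to DROP.

```shell
#!/bin/sh
# Added example: audit default chain policies in `iptables-save` output.

# Constructed sample ruleset in iptables-save format (not from a real host).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# check_policies: read a ruleset on stdin and print one line per built-in
# chain as "<table> <chain> <policy> <verdict>".
#   filter chains: "ok" only when the policy is DROP (default-deny)
#   other tables : "ok" when left at ACCEPT, since filtering is done in filter
check_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # table header: *filter, *nat
        /^:/  {
            chain = substr($1, 2); policy = $2
            if (policy == "-") next             # user-defined chain, no policy
            if (table == "filter") {
                verdict = (policy == "DROP") ? "ok" : "open-by-default"
            } else {
                verdict = (policy == "ACCEPT") ? "ok" : "non-default"
            }
            print table, chain, policy, verdict
        }
    '
}

# Stand-alone run on the constructed sample; on a live host, as root:
#   iptables-save | check_policies
sample_ruleset | check_policies
```

In the sample, the `filter OUTPUT ACCEPT open-by-default` line marks a chain where unmatched packets are allowed rather than dropped.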