> > Once you hit that rule, the only thing going past
> > are INVALID packets so the rest of the INPUT and OUTPUT chains aren't
> > doing anything useful.
>
> No, the other rules are dealing with packets to interfaces other than lo.

Oops, I missed the lo! That means there is no ESTABLISHED,RELATED rule for
the Ethernet traffic. My suggestions remove the lo interface which fixes that.
So for local traffic add the rule:

    iptables -A INPUT -i lo -j ACCEPT

just after the drop of INVALID state packets. Since I leave the OUTPUT default
policy as ACCEPT, I don't have an OUTPUT rule for lo but it would probably be:

    iptables -A OUTPUT -o lo -j ACCEPT

again placed just after the drop of INVALID state packets.
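The ordering the reply describes, written out as a complete filter table in iptables-restore format with a pre-load check that the lo ACCEPT really sits after the INVALID drop. This is an added example, not the poster's own ruleset; the default policies and the use of the state match are assumptions.

```shell
#!/bin/sh
# Added example: INPUT chain ordered as the reply suggests
# (drop INVALID, then accept lo, then accept ESTABLISHED,RELATED).
# OUTPUT keeps a default ACCEPT policy, so its lo rule is for symmetry only.
# Policies and the "-m state" match are assumptions, not from the original post.
emit_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: in the given chain the lo ACCEPT rule must come
# after the INVALID DROP, otherwise INVALID packets arriving on lo are accepted.
# Prints "ok" when the order is right, "bad" otherwise.
check_order() {
    chain="$1"
    rules=$(emit_rules)
    invalid_line=$(printf '%s\n' "$rules" | grep -n -- "-A $chain -m state --state INVALID" | cut -d: -f1)
    lo_line=$(printf '%s\n' "$rules" | grep -n -- "-A $chain -[io] lo -j ACCEPT" | cut -d: -f1)
    if [ -n "$invalid_line" ] && [ -n "$lo_line" ] && [ "$invalid_line" -lt "$lo_line" ]; then
        echo ok
    else
        echo bad
    fi
}

# To apply (needs root, review the output first):  emit_rules | iptables-restore
```

Run `check_order INPUT` and `check_order OUTPUT` before piping the ruleset into iptables-restore.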