-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of swissguy@xxxxxxxxxx
Sent: Wednesday, April 28, 2004 3:04 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: default policy for nat/mangle table

Hello,

I have a pretty basic problem, but I don't really understand it.

OS: Debian, kernel 2.4.18-bf2.4, iptables version 1.2.6a-5

I wrote the following test script:

    #!/bin/bash
    IPT="/sbin/iptables"

    # Flush all rules in the filter, nat and mangle tables
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F

    # Default policies for the filter table: accept everything
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT

    # Default policies for the nat table: drop
    $IPT -t nat -P PREROUTING DROP
    $IPT -t nat -P OUTPUT DROP
    $IPT -t nat -P POSTROUTING DROP

    # Default policies for the mangle table: drop
    $IPT -t mangle -P PREROUTING DROP
    $IPT -t mangle -P INPUT DROP
    $IPT -t mangle -P FORWARD DROP
    $IPT -t mangle -P POSTROUTING DROP
    $IPT -t mangle -P OUTPUT DROP

    # Remove any user-defined chains in all three tables
    $IPT --delete-chain
    $IPT -t nat --delete-chain
    $IPT -t mangle --delete-chain

When I boot and all the policies in all 3 tables are ACCEPT, I can do what I want. Now I set the default policy of nat and mangle to DROP (there are no rules), but somehow it has an influence on my filter table: I can't ping or access with SSH.

Now I was thinking that maybe every packet goes through mangle PREROUTING before it comes to the filter table, and that's the reason. But I am not sure, and it would be nice to understand what's going on or what I am doing wrong. Also, in the book I use (Linux Firewalls by R. Ziegler) the example also sets the default policy to DROP on ALL 3 tables.

Thanks for your help,
Francis


I'm a little late getting to this, so you may have a better answer than what I'm about to give you. But . . .

Setting your NAT table chains to default DROP would be enough to give anyone nightmares. I set all my default FILTER chains to DROP, MANGLE to ACCEPT, and NAT to ACCEPT. It has never done me wrong yet.

Let us know if you need more help.
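The following is an added example, not part of the original thread and not the poster's script. It puts the poster's configuration and the reply's recommendation side by side as two constructed rule sets in iptables-restore format, and adds a small check (a hypothetical helper, not an iptables feature) that flags a DROP policy on any built-in chain of the nat or mangle tables. The check exists because a policy is the fate of every packet that reaches the end of a built-in chain without matching a rule: mangle PREROUTING is traversed by every incoming packet before filter INPUT ever sees it, and nat PREROUTING by the first packet of every new connection, so a DROP policy there discards traffic that the filter table was meant to allow. Nothing here touches the kernel; it only generates and inspects text, so it can be run as an ordinary user.

```shell
#!/bin/sh
# Added example: two constructed iptables-restore rule sets and a
# check for DROP policies outside the filter table. Hypothetical helper
# code, not part of the original thread or of iptables itself.

# Constructed rule set reproducing the poster's test script: filter
# chains ACCEPT, every nat and mangle built-in chain DROP.
bad_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
*mangle
:PREROUTING DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
EOF
}

# Constructed rule set following the reply: all filtering lives in the
# filter table (DROP policies plus explicit ACCEPT rules for loopback,
# established traffic, SSH and ping); nat and mangle stay at ACCEPT so
# they never discard anything on their own.
good_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# check_policies: read an iptables-restore rule set on stdin. For every
# built-in chain outside the filter table whose policy is not ACCEPT
# (user-defined chains carry "-" and are ignored) print "table/CHAIN
# policy X". Exit 1 if any such chain was found, 0 otherwise.
check_policies() {
  awk '
    /^\*/ { table = substr($1, 2); next }
    /^:/ && table != "filter" && $2 != "ACCEPT" && $2 != "-" {
      printf "%s/%s policy %s\n", table, substr($1, 2), $2
      bad = 1
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Named wrappers so each result is a single call.
check_bad()  { bad_ruleset  | check_policies; }
check_good() { good_ruleset | check_policies; }

# Stand-alone usage: report on both rule sets.
for name in check_bad check_good; do
  if "$name"; then
    echo "$name: no DROP policy outside the filter table"
  else
    echo "$name: DROP policy found outside the filter table (listed above)"
  fi
done
```

Run the same check over the output of `iptables-save` on a live box to find out whether a DROP policy has crept into nat or mangle before it costs you your SSH session; the flagged lines are exactly the ones the poster's script sets.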