On Wed, 2004-09-01 at 11:46, Mike wrote:
> Hi Deepak,
>
> Thank you for your response.
>
> On Wed, 1 Sep 2004 09:27:22 -0400, Deepak Seshadri
> <dseshadri@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > If the default policy on your mangle & NAT chain is set to DROP & if you
> > have no rules to classify traffic in these tables, all your packets will get
> > dropped here. They will not make it to the FILTER table.
>
> This is a good point and shows where maybe I am starting to misunderstand.
>
> 1. Can appended rules override default policies?

Yes -- for example:

  iptables -P INPUT DROP
  iptables -A INPUT -j ACCEPT

will accept all traffic in the INPUT chain. The POLICY of a chain is only
enforced when a packet reaches the last rule in that chain and hasn't
matched any rules.

> 2. Do you need to include appended rules to parts of the iptables
> chain that you are not using, or else all the packets will get
> dropped? For example, do you have to set Mangle rules even if you are
> not using any Mangling but have set a DROP policy for mangling.

If you set the policies of the mangle chains to DROP and then do not append
any rules, you can be pretty sure that no traffic will get through. I'd
recommend against starting your netfilter adventure by setting the policies
of nat & mangle chains to DROP. It will make it a very short trip...

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
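The two points Jason makes (a chain's policy is reached only when no rule matched, and a DROP policy on an empty mangle or nat chain stops a packet before the filter table ever sees it) are easy to confirm on a box as root, but the behaviour can also be modelled offline. The following is an added example, not code from the thread and not netfilter itself: a small Python model of the locally-delivered-packet path (mangle PREROUTING, nat PREROUTING, mangle INPUT, filter INPUT) in which an ACCEPT verdict in a chain simply continues to the next table and DROP ends traversal. It deliberately simplifies: the nat table is consulted only for packets in state NEW (the rest of a connection skips it, as netfilter does via conntrack), the FORWARD/OUTPUT paths are omitted, and the "ESTABLISHED" state is a field set by hand on the constructed packets rather than tracked.

```python
"""Toy model of netfilter chain-policy semantics (added example, not real netfilter).

Simplifications (assumptions of this model, not facts from the thread):
  - only the local-delivery path is modelled: mangle/PREROUTING, nat/PREROUTING,
    mangle/INPUT, filter/INPUT
  - nat is consulted only for state NEW packets; others skip it
  - an ACCEPT verdict in mangle/nat just means "continue to the next table"
  - packet state is a hand-set field on constructed sample packets
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    proto: str
    dport: int
    state: str = "NEW"        # constructed sample value; no real conntrack here


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str               # "ACCEPT" or "DROP"


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def traverse(self, pkt: Packet) -> str:
        """First matching rule wins; the policy applies only if nothing matched."""
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy


# Order in which a packet destined for the local host meets the tables.
LOCAL_IN_PATH: List[Tuple[str, str]] = [
    ("mangle", "PREROUTING"),
    ("nat", "PREROUTING"),
    ("mangle", "INPUT"),
    ("filter", "INPUT"),
]


def build_ruleset(mangle_policy: str, nat_policy: str,
                  filter_input_policy: str, filter_rules: List[Rule]) -> Dict[str, Dict[str, Chain]]:
    """Build the chains on LOCAL_IN_PATH with the given policies; rules only in filter/INPUT."""
    return {
        "mangle": {"PREROUTING": Chain("PREROUTING", mangle_policy),
                   "INPUT": Chain("INPUT", mangle_policy)},
        "nat": {"PREROUTING": Chain("PREROUTING", nat_policy)},
        "filter": {"INPUT": Chain("INPUT", filter_input_policy, list(filter_rules))},
    }


def deliver(ruleset: Dict[str, Dict[str, Chain]], pkt: Packet) -> Tuple[str, str]:
    """Walk the tables in order; return (verdict, 'table/chain' where it was decided)."""
    for table, chain_name in LOCAL_IN_PATH:
        if table == "nat" and pkt.state != "NEW":
            continue  # model: nat sees only the first packet of a connection
        verdict = ruleset[table][chain_name].traverse(pkt)
        if verdict == "DROP":
            return ("DROP", f"{table}/{chain_name}")
    return ("ACCEPT", "filter/INPUT")


def scenario_rule_overrides_policy() -> Tuple[str, str]:
    """iptables -P INPUT DROP ; iptables -A INPUT -j ACCEPT  ->  everything accepted."""
    rs = build_ruleset("ACCEPT", "ACCEPT", "DROP", [Rule(lambda p: True, "ACCEPT")])
    return deliver(rs, Packet("tcp", 80))


def scenario_mangle_drop_policy() -> Tuple[str, str]:
    """Same filter rules, but mangle policies DROP with no mangle rules: dropped early."""
    rs = build_ruleset("DROP", "ACCEPT", "DROP", [Rule(lambda p: True, "ACCEPT")])
    return deliver(rs, Packet("tcp", 80))


def scenario_sane_defaults() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """mangle/nat left at ACCEPT, filter/INPUT DROP with explicit allows (ssh + established)."""
    rules = [
        Rule(lambda p: p.state == "ESTABLISHED", "ACCEPT"),
        Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
    ]
    rs = build_ruleset("ACCEPT", "ACCEPT", "DROP", rules)
    return (deliver(rs, Packet("tcp", 22)),                 # new ssh: accepted by rule
            deliver(rs, Packet("tcp", 80)),                 # new http: falls to policy, dropped
            deliver(rs, Packet("tcp", 80, "ESTABLISHED")))  # reply traffic: accepted by rule


if __name__ == "__main__":
    print("rule before policy:  ", scenario_rule_overrides_policy())
    print("mangle policy DROP:  ", scenario_mangle_drop_policy())
    print("sane defaults:       ", scenario_sane_defaults())
```

The second scenario is the trap Deepak and Jason describe: the filter/INPUT chain never gets a vote, because the packet is already gone at mangle/PREROUTING. The third is the usual shape of a first ruleset: leave mangle and nat at ACCEPT, put the restrictive policy on filter/INPUT, and append explicit ACCEPT rules ahead of it.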