Re: No Internet Connection


 



OK Jason. I agree with you. When any packet matches a
specific rule, it returns to the top-level rule that
called the lower-level rule (in this situation, that's
the INPUT chain). And if we have no matches in the
INPUT chain, iptables uses the default policy (DROP).

I tested those DHCP rules and it seems to be
working. I've been running my script for about 2 hours and
it hasn't crashed yet.

So, I think that strange behavior was resolved.

I'm going to test those nice ideas when rebooting the
server, and the other ones suggested on this mailing list.

Thank you.
Giancarlo

 --- Jason Opperisano <opie@xxxxxxxxxxx> wrote: 
> On Fri, 2004-09-10 at 12:41, Aleksandar Milivojevic wrote:
> > > $IPTABLES -N tcp_invalidos
> > > 
> > > $IPTABLES -A tcp_invalidos -p tcp --tcp-flags SYN,ACK SYN,ACK \
> > >     -m state --state NEW -j REJECT --reject-with tcp-reset
> > > $IPTABLES -A tcp_invalidos -p tcp ! --syn -m state --state NEW -j LOG \
> > >     --log-prefix "Novo nao SYN:"
> > > $IPTABLES -A tcp_invalidos -p tcp ! --syn -m state --state NEW -j DROP
> > 
> > Here's the place where you made an error.  When you reach the end of the
> > "tcp_invalidos" chain, the default policy for the INPUT/OUTPUT/FORWARD
> > chains will be applied (which is DROP).  Which means all packets will be
> > dropped by the firewall.
> 
> I don't know that I agree with this statement.  When a packet reaches
> the end of custom chain "tcp_invalidos" and has not matched any rules in
> that chain, it should return to the calling chain where it left off;
> i.e.
> 
>         iptables -P INPUT DROP
>         iptables -A INPUT -j badstuff
>         iptables -A INPUT -j goodstuff
>         iptables -A INPUT -j LOG
>         
> A packet not matching any rule in "badstuff" will return to INPUT, and
> then jump to "goodstuff"...  If the packet doesn't match any rule in
> "goodstuff" it will return to INPUT, get logged, and *then* get dropped,
> as it has hit the end of the INPUT chain and not matched any rules.
> Only then does the POLICY of the chain get enforced.
> 
> -j
> 

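The chain-traversal behaviour Jason describes above, modelled in Python as an added example (this is not code from the thread and not netfilter's own code). It replays the "tcp_invalidos" chain from the quoted script and shows that a packet which matches nothing in that user-defined chain returns to INPUT and is judged by the rules after the jump, while the DROP policy only applies once the whole INPUT chain has been exhausted. The INPUT rules other than the jump (ESTABLISHED/RELATED accept, SSH accept) and the sample packets are assumptions constructed for the demo.

```python
# Added example: a small model of iptables chain traversal, written for this
# page. Not netfilter code. It models three facts the thread turns on:
#   - ACCEPT/DROP/REJECT terminate traversal; LOG does not
#   - a user-defined chain has no policy: falling off its end (or RETURN)
#     resumes the calling chain at the rule after the jump
#   - a built-in chain's policy applies only after its last rule
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str
    state: str                    # conntrack state: NEW, ESTABLISHED, RELATED
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                   # verdict, "LOG", "RETURN", or a user chain
    prefix: str = ""              # --log-prefix for LOG rules


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None  # only built-in chains carry a policy


class Filter:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}
        self.logged: List[str] = []

    def chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = Chain(policy=policy)          # -N name / -P name policy

    def append(self, chain: str, match, target: str, prefix: str = "") -> None:
        self.chains[chain].rules.append(Rule(match, target, prefix))  # -A chain ... -j target

    def _walk(self, name: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[name].rules:
            if not rule.match(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "RETURN":
                return None                               # explicit return to caller
            if rule.target == "LOG":
                self.logged.append(rule.prefix + repr(pkt))  # non-terminating: keep going
                continue
            verdict = self._walk(rule.target, pkt)        # jump into a user-defined chain
            if verdict is not None:
                return verdict
            # user chain gave no verdict: continue with the next rule of this chain
        return self.chains[name].policy                   # None for user chains

    def verdict(self, pkt: Packet) -> Optional[str]:
        return self._walk("INPUT", pkt)


def tcp_flags(mask: set, comp: set):
    """--tcp-flags MASK COMP: of the flags in MASK, exactly COMP must be set."""
    return lambda p: p.proto == "tcp" and (p.flags & mask) == comp


SYN = tcp_flags({"SYN", "RST", "ACK", "FIN"}, {"SYN"})     # what --syn expands to
SYNACK_NEW = lambda p: tcp_flags({"SYN", "ACK"}, {"SYN", "ACK"})(p) and p.state == "NEW"
NOSYN_NEW = lambda p: p.proto == "tcp" and not SYN(p) and p.state == "NEW"


def build_ruleset() -> Filter:
    fw = Filter()
    fw.chain("INPUT", policy="DROP")
    fw.chain("tcp_invalidos")
    # The user chain exactly as posted in the thread.
    fw.append("tcp_invalidos", SYNACK_NEW, "REJECT")
    fw.append("tcp_invalidos", NOSYN_NEW, "LOG", prefix="Novo nao SYN:")
    fw.append("tcp_invalidos", NOSYN_NEW, "DROP")
    # Assumed INPUT rules around the jump (not from the thread).
    fw.append("INPUT", lambda p: True, "tcp_invalidos")
    fw.append("INPUT", lambda p: p.state in {"ESTABLISHED", "RELATED"}, "ACCEPT")
    fw.append("INPUT", lambda p: p.proto == "tcp" and p.dport == 22
              and SYN(p) and p.state == "NEW", "ACCEPT")
    return fw


if __name__ == "__main__":
    fw = build_ruleset()
    cases = {   # constructed sample packets
        "ssh SYN, NEW":        Packet("tcp", "NEW", 22, frozenset({"SYN"})),
        "ssh ACK-only, NEW":   Packet("tcp", "NEW", 22, frozenset({"ACK"})),
        "SYN+ACK, NEW":        Packet("tcp", "NEW", 22, frozenset({"SYN", "ACK"})),
        "dns UDP, NEW":        Packet("udp", "NEW", 53),
        "ssh ACK, ESTABLISHED": Packet("tcp", "ESTABLISHED", 22, frozenset({"ACK"})),
    }
    for name, pkt in cases.items():
        print(f"{name:22} -> {fw.verdict(pkt)}")
    print("logged:", fw.logged)
```

The first packet is the decisive case: a fresh SSH SYN matches none of the three rules in tcp_invalidos, so the walk returns to INPUT and the SSH rule accepts it; had Aleksandar's reading been right, it would have been dropped at the end of the user chain. The UDP packet shows where the policy really bites: nothing in tcp_invalidos or INPUT matches it, so DROP is applied only after the last INPUT rule.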

