Thanks for your reply,

> > iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
> > iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
>
> If your firewall has a policy of DROP for any traffic that is not
> explicitly allowed then this rule would not work for anything other than
> the first packet. Try using this instead:

You're right, but in fact I didn't give the whole configuration. The iptables script is generated by Fwbuilder and the following lines are relevant:

# Default policy is to DROP everything
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# First accept any related, established packets
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Then Rule 0 for the loopback interface
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT

#
# Then other traffic rules for eth0, and non-interface specific rules
#

> ...Try using this instead:
> iptables -A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

I think the "# First accept any related, established packets" rules should do the same as the proposed modification. Am I right?

Thibault
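
Added example, not part of the original message or of Fwbuilder's output: a first-match model of the INPUT chain that compares the three rule sets discussed in this thread for each conntrack state. The `Rule` type, the helper names and the chain constants are assumptions made for illustration, and conntrack states are supplied as input rather than derived from real packets.

```python
"""First-match model of the INPUT chain from the thread (added example).

Conntrack states are supplied as input rather than derived from packets.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Optional

STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")


class Rule(NamedTuple):
    iface: Optional[str]    # None means no "-i" match, i.e. any interface
    states: FrozenSet[str]  # argument of "-m state --state"
    target: str


def rule(iface: Optional[str], states: str, target: str = "ACCEPT") -> Rule:
    return Rule(iface, frozenset(states.split(",")), target)


def verdict(chain: List[Rule], iface: str, state: str, policy: str = "DROP") -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for r in chain:
        if r.iface in (None, iface) and state in r.states:
            return r.target
    return policy


def verdicts(chain: List[Rule], iface: str) -> Dict[str, str]:
    """Verdict for every conntrack state on one interface."""
    return {s: verdict(chain, iface, s) for s in STATES}


# The two loopback rules as first quoted, with nothing in front of them.
NEW_ONLY = [rule("lo", "NEW")]
# The Fwbuilder script: global ESTABLISHED,RELATED accept, then Rule 0 on lo.
FWBUILDER = [rule(None, "ESTABLISHED,RELATED"), rule("lo", "NEW")]
# The suggested replacement for the loopback rules, taken on its own.
PROPOSED = [rule("lo", "NEW,RELATED,ESTABLISHED")]

if __name__ == "__main__":
    for name, chain in (("NEW_ONLY", NEW_ONLY),
                        ("FWBUILDER", FWBUILDER),
                        ("PROPOSED", PROPOSED)):
        print(f"{name:10} lo={verdicts(chain, 'lo')}")
```

In this model the Fwbuilder chain and the proposed loopback rule give the same verdict on lo for every state, and INVALID still falls through to the DROP policy in both. They differ only on other interfaces, where the unscoped ESTABLISHED,RELATED rule also accepts return traffic.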