Hi Tolga,

iptables works in such a way that it first checks the first rules that are written in your firewall script. So you first have to allow everything you want and after that stop the traffic you do not want. If you have rules A, B, C, D written in the script in this order (A B C D), iptables will check rule A first and so on. If rule A drops some traffic it will be dropped even if you allow it again in rule B, or in some other rule after A. For example:

iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j DROP
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Only the first rule will be checked and you will not be able to accept new connections in the INPUT chain (first rule) even though you allow it in the second one.

To drop everything you can use for example:

iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
iptables -A INPUT -s 0/0 -p udp -j DROP

but apply these rules after all your rules that allow necessary traffic.

I recommend you to read (in my opinion the best manual I ever read):
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

So the conclusion will be: iptables looks at the first rules first. See of course man iptables.

Regards
Elvir Kuric

--- Tolga Onbay <tolgaonbay@xxxxxxxxx> wrote:
> Hi,
>
> I want to drop all connections from/to a subnet if I
> don't allow them. For example, accept the msnmessenger
> protocol with l7-filter and forward all 80
> connections to content filtering software. Then I
> want to drop all connections. I write the rules and
> add the default action type to Drop. But now the
> clients cannot connect to msnmessenger. (I write the
> msnmessenger rule to the FORWARD chain)
>
> Also, no one answered my previous mail. If I asked the
> wrong group or something is wrong with the subject
> please remind me.
>
> Thanks
>
> Tolga
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com
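As an added illustration (not part of either mail), here is a small Python model of how iptables walks a chain, first match wins, run over the two rule orderings from the reply above. The sample packets (SSH, SMTP, DNS), the port numbers and the helper names are constructed for this example, not taken from the thread.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    target: str          # ACCEPT or DROP
    proto: str = None    # "tcp", "udp" or None for any protocol
    states: set = None   # conntrack states (-m state --state), None for any
    dport: int = None    # --dport, None for any
    syn: bool = False    # --syn: only TCP packets opening a connection

@dataclass
class Packet:
    proto: str
    state: str
    dport: int
    syn: bool = False

def matches(rule, pkt):
    # All match options of a rule must hold, as iptables ANDs them together.
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.states is None or pkt.state in rule.states)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.syn or (pkt.proto == "tcp" and pkt.syn)))

def walk_chain(rules, pkt, policy="ACCEPT"):
    # The first matching terminating rule wins; otherwise the chain policy applies.
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy

ALL = {"NEW", "RELATED", "ESTABLISHED"}
# The ordering from the reply: the DROP shadows the ACCEPT, which never fires.
MISORDERED = [Rule("DROP", "tcp", ALL), Rule("ACCEPT", "tcp", ALL)]
# Allow first (constructed: new SSH plus replies to existing flows), then the catch-all drops.
CORRECT = [
    Rule("ACCEPT", "tcp", {"NEW", "ESTABLISHED"}, dport=22),
    Rule("ACCEPT", None, {"RELATED", "ESTABLISHED"}),
    Rule("DROP", "tcp", syn=True),
    Rule("DROP", "udp"),
]

def verdicts(rules):
    # Verdicts for a few constructed packets, keyed by a short label.
    return {
        "new_ssh": walk_chain(rules, Packet("tcp", "NEW", 22, syn=True)),
        "new_smtp": walk_chain(rules, Packet("tcp", "NEW", 25, syn=True)),
        "est_smtp": walk_chain(rules, Packet("tcp", "ESTABLISHED", 25)),
        "udp_dns": walk_chain(rules, Packet("udp", "NEW", 53)),
    }
```

With MISORDERED every TCP packet is dropped by the first rule, while with CORRECT only the traffic allowed before the catch-all drops gets through, which is the ordering the reply recommends.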