2007/2/23, Andres Baravalle <andres.baravalle@xxxxxxxxx>:
iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     tcp  --  anywhere             SERVER_B             tcp dpt:10022
ACCEPT     all  --  anywhere             anywhere
LOG        tcp  --  anywhere             SERVER_B             LOG level warning

If I connect from server A to localhost, port 10022, it works. If I connect from any other machine to server A, port 10022, it doesn't.
Apparently the problem is in the FORWARD chain. If I set the default policy to ACCEPT, it will work:

iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             SERVER_B             tcp dpt:10022
REJECT     tcp  --  anywhere             anywhere             tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere

But I don't feel too comfortable having ACCEPT as default value. Any suggestions?

Andres
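As an added example (not part of the original thread, and not an iptables tool), the following Python models how a netfilter chain is walked: rules are tried top to bottom, the first terminating match decides, LOG is non-terminating, and the chain policy is consulted only when no rule matched. The two FORWARD chains from the message are transcribed as listed, and a handful of constructed packets (the names and the CLIENT_X label are made up for the example) are run through both orderings so the effect of rule order, and of the catch-all "ACCEPT all" rule, can be seen without touching a live firewall.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    dst: str                   # destination host as iptables -L would print it, e.g. "SERVER_B"
    dport: Optional[int]       # destination port, None when not applicable
    state: str                 # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    syn_only: bool = False     # True for a TCP segment with SYN set and RST/ACK clear


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT, DROP, REJECT or LOG
    proto: str = "all"
    dst: str = "anywhere"
    dport: Optional[int] = None
    states: FrozenSet[str] = frozenset()   # empty set means the rule has no "state" match
    not_syn: bool = False                  # models "tcp flags:!SYN,RST,ACK/SYN"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True when every match criterion of the rule applies to the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dst != "anywhere" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    # "! --tcp-flags SYN,RST,ACK SYN": matches TCP segments that are NOT a bare SYN
    if rule.not_syn and (pkt.proto != "tcp" or pkt.syn_only):
        return False
    return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; LOG is non-terminating, so the walk continues past it.
    Returns (verdict, index of the terminating rule), or (policy, None) if nothing matched."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            if rule.target == "LOG":
                continue
            return rule.target, i
    return policy, None


# The two FORWARD chains exactly as listed in the message.
FORWARD_POLICY_DROP = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("REJECT", proto="tcp", not_syn=True),
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", proto="tcp", dst="SERVER_B", dport=10022),
    Rule("ACCEPT"),
    Rule("LOG", proto="tcp", dst="SERVER_B"),
]
FORWARD_POLICY_ACCEPT = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", dst="SERVER_B", dport=10022),
    Rule("REJECT", proto="tcp", not_syn=True),
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT"),
]

# Constructed sample traffic for the walk-through (not captured from the thread).
SAMPLES = {
    "new SYN to SERVER_B:10022": Packet("tcp", "SERVER_B", 10022, "NEW", syn_only=True),
    "reply of an established flow": Packet("tcp", "CLIENT_X", 44321, "ESTABLISHED"),
    "stray ACK with no connection": Packet("tcp", "SERVER_B", 10022, "NEW", syn_only=False),
    "new UDP datagram": Packet("udp", "SERVER_B", 53, "NEW"),
    "invalid non-TCP packet": Packet("icmp", "SERVER_B", None, "INVALID"),
}


def verdicts(chain: List[Rule], policy: str):
    """Map each sample packet name to its (verdict, rule index) under the given chain."""
    return {name: evaluate(chain, policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain, policy in (("policy DROP", FORWARD_POLICY_DROP, "DROP"),
                                 ("policy ACCEPT", FORWARD_POLICY_ACCEPT, "ACCEPT")):
        print(f"Chain FORWARD ({label})")
        for name, (verdict, idx) in verdicts(chain, policy).items():
            where = f"rule {idx}" if idx is not None else "chain policy"
            print(f"  {name:30s} -> {verdict:6s} ({where})")
```

Two things stand out when the samples are run. First, because both listings end with an unconditional "ACCEPT all -- anywhere anywhere", no sample ever reaches the chain policy, so the policy line alone does not distinguish the two configurations in this model. Second, moving the "ACCEPT tcp dpt:10022" rule above the "REJECT ... !SYN" rule changes what happens to a non-SYN packet aimed at port 10022: it is rejected with a TCP reset in the first ordering and accepted in the second. The model deliberately ignores what a plain `iptables -L` hides, such as the in/out interface of each rule and its packet counters (visible with `iptables -L -n -v`), so it is a reading aid for the listings, not a substitute for inspecting the live rule set.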