question about table filter, nat and mangle with chain default policy

I have rules like this

----- rule iptables -----
# Variables used below are not defined in this excerpt; the values here are
# site-specific placeholders, not from the original script
IPT=/sbin/iptables
LAN_IF=eth0            # interface the SSH client is reached on
IPADDR=192.0.2.10      # this firewall's address on $LAN_IF
SSH_PORTS=1024:65535   # client-side source ports for SSH
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
# Delete any user defined chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Reset default policy to ACCEPT
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy INPUT ACCEPT
$IPT -t mangle --policy FORWARD ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT

# Unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Default policy to DROP
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
#$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
#$IPT -t nat --policy POSTROUTING DROP
#$IPT -t mangle --policy PREROUTING DROP
#$IPT -t mangle --policy INPUT DROP
#$IPT -t mangle --policy FORWARD DROP
#$IPT -t mangle --policy OUTPUT DROP
#$IPT -t mangle --policy POSTROUTING DROP

# For SSH Connection into Firewall
$IPT -A INPUT -i $LAN_IF -p tcp --sport $SSH_PORTS -d $IPADDR --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $LAN_IF -p tcp ! --syn -s $IPADDR --sport 22 --dport $SSH_PORTS -m state --state ESTABLISHED -j ACCEPT

---------- end rule --------------

These rules are OK, because I can ssh into this machine. But if I remove the # from the default policy, like this:

# Default policy to DROP
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy INPUT DROP
$IPT -t mangle --policy FORWARD DROP
$IPT -t mangle --policy OUTPUT DROP
$IPT -t mangle --policy POSTROUTING DROP

I can't ssh into this machine. So is ssh using the nat and mangle tables to connect into this machine?
I'm a little bit confused about this: why I can ssh into this machine when I drop the nat and mangle tables.

Thanks in advance for your help.


      

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
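Added example, not part of the message above or of any netfilter project code: the same lockdown rewritten so that default policies are set only in the filter table, plus a small audit function that reads `iptables -t <table> -S` output and flags any DROP policy in the nat or mangle tables. It rests on documented netfilter behaviour: the nat table is consulted only for the first packet of each connection, while the mangle table sees every packet, so a DROP policy in either table discards traffic regardless of what the filter rules accept. The interface name, address and `IPT=echo` dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: filter-table-only lockdown plus
# an audit for DROP policies in the nat and mangle tables.
# Set IPT=echo to dry-run (prints the commands instead of loading them).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"           # assumed interface name
IPADDR="${IPADDR:-192.0.2.10}"     # assumed firewall address (TEST-NET-1)

# Flush all three tables, delete user chains and put every built-in chain
# back to ACCEPT so the script can be re-run safely.
reset_tables() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    for c in INPUT OUTPUT FORWARD; do
        $IPT -t filter -P "$c" ACCEPT
    done
    for c in PREROUTING OUTPUT POSTROUTING; do
        $IPT -t nat -P "$c" ACCEPT
    done
    for c in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPT -t mangle -P "$c" ACCEPT
    done
}

# The nat table is consulted only for the first packet of a connection and
# the mangle table for every packet, so a DROP policy in either discards
# traffic before or after the filter rules ever see it. Keep both at ACCEPT
# and make the accept/drop decision in the filter table only.
apply_rules() {
    reset_tables
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # SSH into the firewall: new connection and its later packets inbound,
    # only established replies outbound.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -d "$IPADDR" --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -p tcp -s "$IPADDR" --sport 22 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Read "iptables -t <table> -S" output on stdin and print each built-in
# chain whose policy line ("-P CHAIN TARGET") says DROP. Returns 0 when at
# least one such chain was found, 1 otherwise.
drop_policies() {
    found=1
    while read -r flag chain target _rest; do
        if [ "$flag" = "-P" ] && [ "$target" = "DROP" ]; then
            printf '%s\n' "$chain"
            found=0
        fi
    done
    return "$found"
}

# Audit the live ruleset: nat and mangle must not carry a DROP policy.
audit_policies() {
    rc=0
    for t in nat mangle; do
        if $IPT -t "$t" -S | drop_policies; then
            echo "table $t has a DROP policy; traffic will be lost" >&2
            rc=1
        fi
    done
    return "$rc"
}

case "${1:-}" in
    apply) apply_rules ;;
    audit) audit_policies ;;
esac
```

Run it as `sh firewall.sh apply` to load the rules, or `sh firewall.sh audit` on a box that behaves like the one in the question: any chain printed by the audit is where the SSH packets are being discarded before the filter rules get a say.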
