On Tue, 2009-04-21 at 13:54 -0600, Lloyd Standish wrote:
> On Mon, 20 Apr 2009 13:26:01 -0600, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:
>
>>>
>>> iptables -A PREROUTING -i eth0 -t mangle -m state --state ESTABLISHED,RELATED -j RESTOREMARK
>>
>> This is too restrictive, drop the -i eth0, your forwarded packets from the internet
>> will not arrive thru eth0 but still need a CONNMARK -> MARK restore.
>
> Thanks for your help.
>
> I tightened up the policies and added rules to pass any packets, for new connections or otherwise, to or from eth0 (the LAN), and drop NEW connection packets except those from the local machine and from the LAN:
>
> iptables -t filter -P INPUT DROP
> iptables -t filter -P OUTPUT ACCEPT
> iptables -t filter -P FORWARD DROP
>
> iptables -t mangle -A INPUT -i eth0 -j ACCEPT
> iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t mangle -A FORWARD -i eth0 -j ACCEPT
> iptables -t mangle -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Do you have the ESTABLISHED stuff also in Output? Otherwise you will block direct access to that box (see the packet traversal graph again)....
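As an added example, not code from either poster, the ruleset under discussion written out as an iptables-restore file with the two points from the thread applied: the mark restore in mangle PREROUTING matches on every interface (no -i eth0), and the ESTABLISHED,RELATED accepts sit in the filter table next to the DROP policies rather than in mangle, since an ACCEPT in the mangle table only ends that table's traversal and the packet still meets the filter chain afterwards. eth0 as the LAN interface is taken from the thread; the stock -j CONNMARK --restore-mark target is assumed to stand in for the poster's RESTOREMARK, and the lint_ruleset helper, which checks exactly those two points including the OUTPUT question in the last line, is an assumption of this example.

```shell
#!/bin/sh
# Added example (not the poster's rules): the gateway ruleset from the thread
# in iptables-restore format, plus a lint for the two points raised there.
# eth0 = LAN, as in the thread. "-j CONNMARK --restore-mark" is assumed to be
# what the poster's RESTOREMARK chain did.

gen_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# No -i eth0 here: replies to forwarded connections arrive on the WAN side
# and still need their CONNMARK copied back to the packet mark.
-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept rules belong in filter: an ACCEPT in mangle only ends mangle
# traversal, the packet then still hits the filter chain and its DROP policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Redundant while the OUTPUT policy is ACCEPT; required the day it becomes DROP.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin for the two points raised in the thread.
# Returns 0 if both checks pass, 1 (with the reason on stderr) otherwise.
lint_ruleset() {
    rules=$(cat)
    # 1. The mark-restore rule must not be restricted to a single interface.
    if printf '%s\n' "$rules" | grep -- '--restore-mark' | grep -q -- ' -i '; then
        echo "lint: mark restore rule is limited to one interface" >&2
        return 1
    fi
    # 2. Every filter chain with a DROP policy needs an ESTABLISHED,RELATED
    #    accept, or reply traffic in that direction is dropped.
    chains=$(printf '%s\n' "$rules" | awk '/^\*filter/ {f=1} /^COMMIT/ {f=0}
        f && /^:[A-Z]+ DROP / {sub(/^:/, "", $1); print $1}')
    for chain in $chains; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A $chain .*--state ESTABLISHED,RELATED -j ACCEPT"; then
            echo "lint: chain $chain has DROP policy but no ESTABLISHED,RELATED accept" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone: "sh gateway.sh" lints the ruleset and prints it;
# "sh gateway.sh | iptables-restore" applies it (gateway.sh is an assumed name).
gen_ruleset | lint_ruleset && gen_ruleset
```

The lint is deliberately narrow: it only flags the two mistakes the thread talks about. Whether the FORWARD rules do what you want for the CONNMARK-based routing still has to be checked against the packet traversal graph, since the filter FORWARD chain sees packets only after mangle PREROUTING has restored the mark.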