Re: How to debug RST filter ?

Hello,

a.schild@xxxxxxxxxxx wrote:
> 
> Rule 15 is the one which should allow everything "local" on the firewall
> 
> #
> # Rule 15 (global)
> #
> echo "Rule 15 (global)"
> #
> #
> #
> $IPTABLES -N Cid4A4A84F123430.0
> $IPTABLES -A INPUT  -s myip   -m state --state NEW  -j Cid4A4A84F123430.0
> $IPTABLES -A INPUT  -s 127.0.0.1   -m state --state NEW  -j Cid4A4A84F123430.0
> $IPTABLES -A Cid4A4A84F123430.0  -d myip   -j ACCEPT
> $IPTABLES -A Cid4A4A84F123430.0  -d 127.0.0.1   -j ACCEPT
> $IPTABLES -N Cid4A4A84F123430.1
> $IPTABLES -A OUTPUT  -s myip    -m state --state NEW  -j Cid4A4A84F123430.1
> $IPTABLES -A OUTPUT  -s 127.0.0.1   -m state --state NEW  -j Cid4A4A84F123430.1
> $IPTABLES -A Cid4A4A84F123430.1  -d myip   -j ACCEPT
> $IPTABLES -A Cid4A4A84F123430.1  -d 127.0.0.1   -j ACCEPT

I do not see here "a rule which allows everything in/out on the
lo interface". Such rules would be :

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Instead, your rules accept only packets in the NEW state (RST packets
are never in that state) whose source and destination addresses are
"myip" or 127.0.0.1 (not only 127.0.0.1 but also the whole 127.0.0.0/8
range may be used on the loopback interface).
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
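The check the reply describes ("I do not see here a rule which allows everything on the lo interface") can be done mechanically against an `iptables -S INPUT` / `iptables -S OUTPUT` dump. The script below is an added example, not code from either poster: it looks for an unconditional `-i lo` / `-o lo` accept, and, if none is present, prints the two loopback rules to insert at position 1 so they are evaluated before any `--state NEW` match (which, as the reply notes, RST segments can never satisfy). The sample chain is constructed here, modelled on the quoted rules; the chain name and the `myip` placeholder are kept from the quote and have no special meaning.

```shell
#!/bin/sh
# Added example: audit an iptables "-S" dump for an unconditional loopback
# accept and emit the fix when it is missing. Not from the original thread.

# Constructed sample, modelled on the rules quoted above: the loopback
# traffic is only let through when it is in the NEW state and carries
# 127.0.0.1 or "myip" as source address.
SAMPLE_INPUT_CHAIN='-P INPUT DROP
-A INPUT -s myip/32 -m state --state NEW -j Cid4A4A84F123430.0
-A INPUT -s 127.0.0.1/32 -m state --state NEW -j Cid4A4A84F123430.0'

# has_lo_accept: read an "iptables -S INPUT" (or OUTPUT) dump on stdin and
# succeed only if some rule accepts everything on lo, i.e. matches on the
# interface alone with no state or address qualifier.
has_lo_accept() {
    grep -Eq '^-A (INPUT|OUTPUT) -(i|o) lo -j ACCEPT$'
}

# lo_rules: print the two rules that allow all loopback traffic. "-I ... 1"
# inserts them at the top of the chain, ahead of any state-based rules, so
# RST (and any other non-NEW) packets on lo are accepted before the
# "--state NEW" rules get a chance to ignore them.
lo_rules() {
    printf '%s\n' \
        'iptables -I INPUT 1 -i lo -j ACCEPT' \
        'iptables -I OUTPUT 1 -o lo -j ACCEPT'
}

# audit: print "ok" if the dump given as the first argument already has an
# unconditional loopback accept, "missing" otherwise.
audit() {
    if printf '%s\n' "$1" | has_lo_accept; then
        echo ok
    else
        echo missing
    fi
}

# Run as a script: audit the constructed sample and show the fix. On a real
# host replace SAMPLE_INPUT_CHAIN with "$(iptables -S INPUT)" (needs root).
if [ "$(audit "$SAMPLE_INPUT_CHAIN")" = missing ]; then
    echo "No unconditional loopback accept found; add:"
    lo_rules
fi
```

Running it on the constructed sample reports the loopback accept as missing and prints the two insert commands; once a rule like `-A INPUT -i lo -j ACCEPT` appears in the dump it reports `ok`. Matching on the interface rather than on 127.0.0.1 also sidesteps the 127.0.0.0/8 point raised in the reply, since any address in that range is covered.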
