On Sat, 2011-10-22 at 16:14 +0200, Azerty Ytreza wrote:
> "What exactly are you trying to achieve? If you're changing to a FORWARD
> rule then I assume that you are trying to adapt your rules in order to
> block connections destined for a remote server, rather than the local
> host?"
>
> I want to limit the number of connections which pass through the host.

Okay, in which case you do want FORWARD.

> Yes, I can block that on the remote server but I prefer on the local
> if it's possible.

Do you really mean "local" (in which case you want OUTPUT) or do you just
mean on your gateway/firewall server that all the traffic passes through?

> "Do you really mean UDP?"
>
> No, it's an error, sorry. I copy/pasted other rules and adapted them
> but forgot to change udp to tcp.

Okay, so it's working now?

> "You've got a mixture of INPUT and FORWARD. Is that what you want?
> Remember that packets will never traverse both the INPUT and FORWARD
> chains."
>
> Port 443 is blocked by default; that's why I open it and then
> redirect. If I made only a FORWARD rule, would it open the port
> directly without INPUT rules?

It depends where you're blocking it. What's the default FORWARD rule?
ACCEPT?

The bottom line is that you need all your rules in FORWARD *or* INPUT.

A picture paints a thousand words:

http://jengelh.medozas.de/images/nf-packet-flow.png

Or for a simpler (out of date) version:

http://www.docum.org/docum.org/kptd/

>
>
> Thank you for your response !

No problem, but please put your responses in-line to the original email
rather than copying and pasting to the top! Oh, and copy the list as
well.

Andy

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
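The chain choice Andy describes (INPUT for traffic terminating on the box, FORWARD for traffic routed through it, never both), applied to the original poster's goal of capping TCP connections to port 443, as an added example that is not part of the thread. It assumes the connlimit match is available and picks a limit of 20 connections per source address as a constructed value; by default it only echoes the iptables commands so it runs without root, and `IPTABLES=iptables` applies them for real.

```shell
#!/bin/sh
# Added example, not from the netfilter list thread. Chooses the chain
# from where the traffic terminates, then limits new TCP connections to a
# port per source address with the connlimit match (assumed available).
# Dry run by default: IPTABLES expands to "echo iptables", so the rules
# are printed rather than installed. Run with IPTABLES=iptables as root
# to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# chain_for_traffic <local|transit>
# A packet addressed to this host traverses INPUT; a packet routed
# through this host traverses FORWARD. It never passes through both,
# which is why mixing the two chains for one flow does not work.
chain_for_traffic() {
    case "$1" in
        local)   echo INPUT ;;
        transit) echo FORWARD ;;
        *)       echo "unknown traffic kind: $1" >&2; return 1 ;;
    esac
}

# limit_rules <chain> <port> <max-per-source>
# Emits three rules for the chosen chain, in order:
#  1. let packets of already-accepted flows through,
#  2. reset a new connection when the source already holds more than
#     <max-per-source> connections to the port,
#  3. accept any other new connection to the port.
# Whether a port is "open" when none of these match is decided by the
# chain's policy (iptables -P <chain> ACCEPT|DROP), not by these rules.
limit_rules() {
    chain=$1; port=$2; max=$3
    $IPTABLES -A "$chain" -p tcp --dport "$port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A "$chain" -p tcp --dport "$port" --syn \
        -m connlimit --connlimit-above "$max" -j REJECT --reject-with tcp-reset
    $IPTABLES -A "$chain" -p tcp --dport "$port" --syn -j ACCEPT
}

# Usage matching the thread: traffic passing through the gateway, so the
# rules belong in FORWARD. 20 is a constructed limit, not from the thread.
limit_rules "$(chain_for_traffic transit)" 443 20
```

Running it as-is prints the three `iptables -A FORWARD ...` commands; replacing `transit` with `local` moves the same three rules into INPUT, which is the only change needed if the server being protected is the firewall host itself.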