Without using stateful rules, a default DENY policy means that you must have explicit rules to ACCEPT the return packets from locally initiated stuff. This can be very hard to get right (if it is even possible to get right). IMO, the following stateful rules work well and simplify things a great deal when using a default DENY policy. iptables -P INPUT DENY iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT Those above two rules are ALL YOU NEED to have a 'pretend I'm not here, unless I've initiated the conversation' type setup. Everything just works. This even takes care of ACCEPTing the ICMP 'need to fragment' messages that are commonly -- improperly -- blocked by novice firewall admins. Now if you have local services that you want to allow connections to, you create a rule for each service. For example, these two rules would allow inbound SSH and HTTP. iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT Finally, if you wish, you can create a logging rule to see what is hitting the DENY policy. iptables -A INPUT -m limit --limit 1/sec --limit-burst 10 -j LOG --log-prefix 'INPUT-DENY: ' Dax Kelson Guru Labs -- Psyche-list mailing list Psyche-list@redhat.com https://listman.redhat.com/mailman/listinfo/psyche-list