Hello,

Pol Hallen wrote:
>
> This is my full iptables config:
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X

OK.

> iptables -P OUTPUT ACCEPT

Should be DROP as well.

> iptables -P FORWARD DROP
> iptables -P INPUT DROP

OK.

> iptables -A INPUT -f -j DROP

Useless. IPv4 connection tracking (needed by the 'state' match) reassembles packets so iptables won't see any fragments.

> iptables -A INPUT -m state --state INVALID -j DROP

Useless if policy is already DROP and further rules accept only state NEW, ESTABLISHED or RELATED.

> iptables -A OUTPUT -f -j DROP

See above.

> iptables -A OUTPUT -m state --state INVALID -j DROP

See above.

> iptables -A INPUT -i lo -j ACCEPT

OK.

> iptables -A OUTPUT -o lo -j ACCEPT

Useless if policy is left to ACCEPT.

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

OK.

> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Useless if policy is left to ACCEPT.
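
Added example, not part of the original message: a small audit that applies the review points above to an iptables script, so the effect of switching the OUTPUT policy to DROP can be compared with the original. The function names `audit_rules` and `sample_rules` and the tags FRAGMENT, INVALID and POLICY are made up for this example.

```shell
# Added example, not from the thread: tag rules the reply above calls useless.
audit_rules() {
    awk '
    $1 != "iptables" { next }
    {
        chain = ""; target = ""; frag = 0; state = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-t" && $(i+1) != "filter") next
            if ($i == "-P") { policy[$(i+1)] = $(i+2); next }
            if ($i == "-A") chain = $(i+1)
            if ($i == "-j") target = $(i+1)
            if ($i == "-f") frag = 1
            if ($i == "--state") { state = $(i+1); tracked = 1 }
        }
        if (chain == "") next
        n++; line[n] = $0; ch[n] = chain; tg[n] = target; fr[n] = frag; st[n] = state
    }
    END {
        # Walk backwards: ACCEPT under an ACCEPT policy is redundant only when no
        # effective non-ACCEPT rule follows. The INVALID proviso is assumed, not checked.
        for (r = n; r >= 1; r--) {
            p = policy[ch[r]]
            if (p == "" && ch[r] ~ /^(INPUT|OUTPUT|FORWARD)$/) p = "ACCEPT"
            if (fr[r] && tracked) why[r] = "FRAGMENT"   # conntrack reassembles first
            else if (st[r] == "INVALID" && tg[r] == "DROP" && p == "DROP") why[r] = "INVALID"
            else if (tg[r] == "ACCEPT" && p == "ACCEPT" && !later[ch[r]]) why[r] = "POLICY"
            if (why[r] == "" && tg[r] != "ACCEPT") later[ch[r]] = 1
        }
        for (r = 1; r <= n; r++) if (why[r] != "") print why[r] ": " line[r]
    }'
}

# The rules quoted in the message above (flush commands left out).
sample_rules() {
    cat <<'EOF'
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}
sample_rules | audit_rules
```

With the policy line changed to `iptables -P OUTPUT DROP`, the two OUTPUT ACCEPT rules are no longer tagged, because they become the only way traffic leaves the host, while the OUTPUT INVALID rule is tagged instead.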