Hi,

On Thursday 17 March 2005 16:25, Felix Günther wrote:
> Stefan.Junge@ssi-schaefer.de wrote:
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -X
>
> You flush the tables (iptables -F) after you set your policies. You
> should exchange these two blocks: first flush, then set the policies.
No, you should not. You would open a race condition otherwise (intrusion
between "opening" everything). It works the way Stefan tried:

han:~ # iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
han:~ # iptables -P FORWARD DROP
han:~ # iptables -F FORWARD
han:~ # iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination

(in other words: flushing a chain does _not_ "reset" its default policy)

----------------

Stefan,

1) As you don't post your complete script, it's difficult to find anything
wrong. The "my_dump" chain is not accessed in your excerpt. It remains open
whether just the logging fails, or the chain is not entered at all.

You might consider configuring syslog for "kern.*" instead of "Kern.*" (or
even better, use --log-level {whatever} and configure syslog accordingly).
Although syslog in fact seems to be case-insensitive in this respect, lower
case is "more correct[tm]".

2) So what is happening to the default policy? Does it remain ACCEPT? Have
you tried to do some "iptables -L" during the script to see where the
policy is "changed back", whether it is set at all, ...?

Bastian

-- 
Bastian Friedrich                        bastian@bastian-friedrich.de
Address & Fon available on my HP         http://www.bastian-friedrich.de/
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
\ MS Windows -- From the people who brought you EDLIN!
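As an added illustration of the ordering Bastian describes (this is example code, not a script from anyone in the thread): the policies are set to DROP while the old rules are still in place, the flush comes afterwards, and a small helper reads the policy back from the "iptables -L <chain>" listing so the script can verify it survived the flush. The IPTABLES variable and the "--run" flag are assumptions of this example; setting IPTABLES=echo gives a dry run that only prints the commands in the order they would be issued.

```shell
#!/bin/sh
# Added example: reset the firewall without a window in which the default
# policy is ACCEPT, then confirm the policy after flushing.
# IPTABLES is an assumed variable; set it to "echo" for a dry run.
IPTABLES="${IPTABLES:-iptables}"

firewall_init() {
    # 1. Close the door first: DROP policies while the old rules still exist.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT DROP
    # 2. Now flush. Flushing does not touch the policies just set.
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    "$IPTABLES" -X
    # 3. Log what the DROP policy will discard, with an explicit syslog
    #    level so syslog can be configured for it (kern.warning).
    "$IPTABLES" -A FORWARD -j LOG --log-level warning --log-prefix "fw-drop: "
}

# Extract the policy word from a chain listing read on stdin,
# e.g. "Chain FORWARD (policy DROP)" -> "DROP".
chain_policy() {
    sed -n 's/^Chain [^ ]* (policy \([A-Z]*\)).*/\1/p'
}

# Constructed sample listing, shaped like the session quoted in the mail.
SAMPLE_LISTING='Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Read the live FORWARD policy when running as root with real iptables;
# otherwise fall back to the constructed sample (dry run).
check_forward_policy() {
    if [ "$IPTABLES" = "iptables" ] && [ "$(id -u)" = 0 ]; then
        iptables -L FORWARD | chain_policy
    else
        printf '%s\n' "$SAMPLE_LISTING" | chain_policy
    fi
}

if [ "${1:-}" = "--run" ]; then
    firewall_init
    echo "FORWARD policy after flush: $(check_forward_policy)"
fi
```

Run it as "IPTABLES=echo sh fw.sh --run" to see the command order without touching the kernel tables; the first three lines printed are the -P commands, and only then the -F/-X lines. The same "iptables -L" check, called between the steps of a real script, is the quickest way to find where a policy is being changed back.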