>>>>> "Peter" == Peter Cordes <[EMAIL PROTECTED]> writes:

Peter> If you set INPUT policy to DROP, doesn't that drop everything,
Peter> not just incoming SYN packets? If you want to be able to
Peter> establish any connections from the machine to anywhere else,
Peter> e.g. for an apt-get update (downloading stuff with ftp or http),
Peter> you need to allow that with iptables. The rule you gave will let
Peter> the replies to your SYN be dropped. I'm just learning iptables,
Peter> and I haven't figured out the connection tracking stuff yet.

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

should do the trick.

If you use ftp, you should load the ip_conntrack_ftp module, or use
passive mode. (FTP needs some special handling since it sends the data
over a different port.)

You may also want to accept incoming icmp packets:

    iptables -A INPUT -p icmp -j ACCEPT

-- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
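Added example, not part of the original message: the two rules above combined with an INPUT policy of DROP as one iptables-restore ruleset, plus a check that flags the failure Peter describes (policy DROP with no ESTABLISHED accept rule). The function names, the loopback rule and the FORWARD policy are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; build_ruleset, replies_allowed and apply_ruleset are
# hypothetical helper names, not taken from the thread.

# Print the filter table in iptables-restore format.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}
# Assumptions above: FORWARD DROP (host is not a router) and the loopback
# accept rule; the thread itself only discusses the INPUT chain.

# Read iptables-save style text on stdin. Return 1 when the INPUT policy is
# DROP and no rule accepts ESTABLISHED traffic, i.e. replies to the host's
# own outgoing SYNs would be dropped. Return 0 otherwise.
replies_allowed() {
    awk '
        /^:INPUT DROP/ { drop = 1 }
        /^-A INPUT / && /-j ACCEPT/ &&
            /(--state|--ctstate) [A-Z,]*ESTABLISHED/ { ok = 1 }
        END { exit ((drop && !ok) ? 1 : 0) }
    '
}

# Load the ruleset atomically (needs root). Pass "ftp" to load the helper
# module named in the thread so active-mode FTP data connections count as
# RELATED; newer kernels name this module nf_conntrack_ftp.
apply_ruleset() {
    if [ "${1:-}" = "ftp" ]; then
        modprobe ip_conntrack_ftp || return 1
    fi
    build_ruleset | replies_allowed || return 1
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

case "${1:-}" in
    show)  build_ruleset ;;
    apply) apply_ruleset "${2:-}" ;;
esac
```

Run with `show` to inspect the ruleset without root; an existing configuration can be checked with `iptables-save | replies_allowed` after sourcing the functions.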