Without using stateful rules, a default DROP policy means that you must
have explicit rules to ACCEPT the return packets from locally initiated
stuff. This can be very hard to get right (if it is even possible to get
right).

IMO, the following stateful rules work well and simplify things a great
deal when using a default DROP policy.

# Default policy: drop anything INPUT does not explicitly ACCEPT.
iptables -P INPUT DROP
# Accept return traffic for connections this host started (ESTABLISHED) and
# packets related to them, such as ICMP errors (RELATED).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Those above two rules are ALL YOU NEED to have a 'pretend I'm not here,
unless I've initiated the conversation' type setup. Everything just
works. This even takes care of ACCEPTing the ICMP 'need to fragment'
messages that are commonly -- improperly -- blocked by novice firewall
admins.

Now if you have local services that you want to allow connections to,
you create a rule for each service.

For example, these two rules would allow inbound SSH and HTTP.

# Accept new inbound connections only to the services being exposed.
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

Finally, if you wish, you can create a logging rule to see what is
hitting the DROP policy.

# Appended last, so it only sees packets about to hit the DROP policy;
# the limit match keeps a flood from filling the log.
iptables -A INPUT -m limit --limit 1/sec --limit-burst 10 -j LOG \
    --log-prefix 'INPUT-DROP: '


Dax Kelson
Guru Labs

-- 
Psyche-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/psyche-list
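The ruleset from the post above, assembled as an added example (this is not Dax Kelson's code, nor Red Hat's): a POSIX shell script that generates the INPUT rules in iptables-restore format from a list of proto:port services, so the complete set is validated with `iptables-restore --test` and then loaded atomically instead of being typed rule by rule. Two things in it are assumptions not taken from the post: an ACCEPT for the loopback interface (with INPUT DROP, a locally initiated connection to 127.0.0.1 arrives on INPUT as NEW and would otherwise be dropped), and a DROP policy on FORWARD on the assumption that this is a host firewall rather than a router. The function names `gen_ruleset`, `rule_position` and `apply_ruleset` are the example's own. `-m state` is kept as in the post; current iptables still accepts it (as an alias for `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not part of the post above: builds the described INPUT
# ruleset as an iptables-restore file, validates it, then applies it.
# Assumptions not in the post: loopback ACCEPT (a local connection to
# 127.0.0.1 is NEW on INPUT and would be dropped otherwise) and FORWARD DROP
# (host firewall, not a router).

# gen_ruleset SERVICES [log]
#   SERVICES: space-separated proto:port pairs accepted as NEW inbound
#             connections, e.g. "tcp:22 tcp:80"
#   log:      append the rate-limited LOG rule as the last INPUT rule
# Writes the ruleset to stdout; returns 1 on a malformed service entry.
gen_ruleset() {
    services=$1
    logging=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy from the post
    printf '%s\n' ':FORWARD DROP [0:0]'    # assumption: not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # locally initiated traffic leaves freely
    # Loopback accept (assumption, see header comment).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # The stateful rule from the post: return traffic for anything this host
    # started, plus RELATED packets such as ICMP "fragmentation needed".
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One NEW rule per exposed service, validated before it is emitted.
    for svc in $services; do
        proto=${svc%%:*}
        port=${svc#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_ruleset: bad protocol in '$svc'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port in '$svc'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_ruleset: port out of range in '$svc'" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -m state --state NEW -p $proto --dport $port -j ACCEPT"
    done
    # The LOG rule goes last so only packets about to hit the DROP policy are
    # logged; the limit match keeps a flood from filling the log.
    if [ "$logging" = log ]; then
        printf '%s\n' '-A INPUT -m limit --limit 1/sec --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "'
    fi
    printf '%s\n' 'COMMIT'
}

# rule_position RULESET PATTERN: 1-based line number of the first line of
# RULESET containing the fixed string PATTERN, or 0 if absent. Handy for
# checking that the ESTABLISHED rule precedes the NEW rules and the LOG rule
# is last, since iptables evaluates rules in order.
rule_position() {
    n=$(printf '%s\n' "$1" | grep -nF -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# apply_ruleset SERVICES [log]: test-load the generated ruleset, then commit
# it. Needs root; iptables-restore replaces the whole filter table in one step.
apply_ruleset() {
    rules=$(gen_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Usage when run directly:
#   sh firewall.sh "tcp:22 tcp:80" log                 # print the ruleset
#   sh firewall.sh "tcp:22 tcp:80" log | iptables-restore --test   # validate
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Printing the ruleset before loading it is deliberate: `iptables-restore --test` parses the whole file without touching the kernel, so a typo in one service entry is caught before any rule changes, and the final load replaces the filter table in a single step rather than leaving a half-applied chain if one command fails mid-way.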