> For the FORWARD chain, see below.
>
> If you only have these 2 rules, your server will be able to connect to
> other machines and the internet, but it will not accept new connections.
> If your server needs to be accessed by others (webserver, running SSH,
> printing server, etc.) you need to define additional rules to allow that
> incoming traffic.
Hi Steven and thanks for your reply :-)

This is my full iptables config:

    # flush all chains in every table and delete user-defined chains
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    # default policies: allow outbound, drop forwarded and unsolicited inbound
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    # drop fragments and packets the connection tracker cannot classify
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -f -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    # loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # stateful rules: replies may come in, anything may go out
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Below that I have rules that open ports, like this one, for example:

    iptables -A INPUT -i eth0 -p icmp -j ACCEPT

This way my server actually runs perfectly. Are there other rules to block
DDoS attacks, or other types of attacks?

> In the above I am assuming a default policy of 'drop' on at least the
> INPUT chain, the command (as root, no quotes) "iptables -L -vn" will
> print all currently active rules and the default policy (what should
> happen if no rule is matched). If the default policy is 'ACCEPT' those 2
> rules by themselves have no effect.
>
> Also, be careful not to lock yourself out of the machine if configuring
> iptables using SSH.

Yep... thanks again!

Pol

Archive: http://lists.debian.org/51c2df42.2060...@fuckaround.org
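The two points Steven raises, a default policy of DROP only matters once it is set and a remote session is easy to cut while the rules are being loaded, come down to ordering. The script below is an added example, not code from this thread or from either poster: it loads a default-deny INPUT chain with the policy flipped last, so the accept rules for the current SSH session are already in place when DROP takes effect, and it rate-limits inbound echo requests as one modest answer to the flood question. The interface name eth0, the management network 192.0.2.0/24 and the file name firewall.sh are assumptions; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used above.

```shell
#!/bin/sh
# Added example (not from the original thread): default-deny INPUT chain
# applied in an order that cannot interrupt the SSH session used to load it.
# Assumptions to adjust: external interface eth0, admins log in from
# 192.0.2.0/24 (an RFC 5737 documentation prefix).
IPT="${IPT:-iptables}"                 # IPT=echo prints the commands instead of running them
WAN_IF="${WAN_IF:-eth0}"               # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}" # assumed management network

apply_ruleset() {
    # 1. Start from a clean chain, but keep the policy at ACCEPT while the
    #    accept rules are still missing.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # 2. Keep the current SSH session and every reply to our own traffic
    #    alive; drop what the connection tracker cannot classify.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. New inbound connections: SSH only from the management network,
    #    ping answered but capped so a flood of echo requests is shed here.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT

    # 4. Only now flip the default. Everything we want is already matched
    #    above, so the policy change cannot cut the session.
    $IPT -P INPUT DROP
}

# The check Steven recommends: active rules with packet counters. A policy
# line ending in DROP plus hits on the ESTABLISHED rule confirm the set works.
show_ruleset() {
    $IPT -L INPUT -vn
}

# Dry run (prints the commands):  IPT=echo sh -c '. ./firewall.sh && apply_ruleset'
# Real run:  sudo sh -c '. ./firewall.sh && apply_ruleset && show_ruleset'
```

Run the dry run first; the printed sequence should show `-P INPUT DROP` as the final command, after the ESTABLISHED,RELATED accept. If the policy line appears earlier, an SSH session applying the script would be cut the moment it runs.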