> $IPTABLES --policy INPUT DROP
> $IPTABLES --policy OUTPUT DROP
> $IPTABLES --policy FORWARD DROP
>
> $IPTABLES -t nat --policy PREROUTING DROP
> $IPTABLES -t nat --policy OUTPUT DROP
> $IPTABLES -t nat --policy POSTROUTING DROP
>
> $IPTABLES -t mangle --policy PREROUTING DROP
> $IPTABLES -t mangle --policy OUTPUT DROP
> Problems:
>
> ping -c 1 localhost is not allowed
>
> No reports are showing up in the syslogs. I have kernel messages going
> to its own separate file regardless of the log level.
>
> Question:
>
> What is wrong? Should not all localhost traffic be unrestricted?

Very simple.  Note the 4th through 10th lines above.  You're DROPping all
packets when they pass through the NAT and mangle chains, because you
haven't put any rules there.  NAT and mangle chains aren't designed for
packet filtering, so they should generally ACCEPT unrecognized packets.
This does _not_ change the 'drop-by-default' policy of the firewall as a
whole, because all external packets pass through exactly one filter chain -
either INPUT, OUTPUT, or FORWARD.  (Local packets go through both OUTPUT and
INPUT, but the rules you've got in your message should work fine there.)

Hope this helps,
-EtherMage
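As an added example (not part of the thread or anyone's script in it), a small POSIX shell audit of an iptables-save dump that flags the problem EtherMage points out, DROP policies on nat and mangle built-in chains, and rewrites them to ACCEPT while leaving the filter table drop-by-default. The loopback check is my assumption about what the poster's unshown filter rules should contain, and the sample dump is constructed to mirror the quoted policies.

```shell
# check_policies FILE : print one finding per line; return 0 only if clean.
check_policies() {
    findings=$(awk '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*mangle", "*filter"
        /^:/ {                                       # ":CHAIN POLICY [pkts:bytes]"
            if ((table == "nat" || table == "mangle") && $2 == "DROP")
                printf "%s %s: policy DROP, nat/mangle chains should ACCEPT\n", table, substr($1, 2)
            next
        }
        table == "filter" && /^-A INPUT / && /-i lo( |$)/ && /-j ACCEPT/  { lo_in = 1 }
        table == "filter" && /^-A OUTPUT / && /-o lo( |$)/ && /-j ACCEPT/ { lo_out = 1 }
        END {
            if (!lo_in)  print "filter INPUT: no rule accepting -i lo"
            if (!lo_out) print "filter OUTPUT: no rule accepting -o lo"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# fix_policies FILE : print the dump with nat/mangle policies set to ACCEPT; filter stays DROP.
fix_policies() {
    awk '/^\*/ { t = substr($0, 2) }
         /^:/ && (t == "nat" || t == "mangle") && $2 == "DROP" { $2 = "ACCEPT" }
         { print }' "$1"
}

# write_broken_dump FILE : constructed iptables-save text mirroring the quoted
# script (DROP policies in nat and mangle), with loopback rules in filter (assumed).
write_broken_dump() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
*mangle
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}
```

On a live host, `iptables-save > dump && check_policies dump` runs the same check against the real ruleset, and `fix_policies dump | iptables-restore` applies the correction.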
