James Austin wrote:
> The default policy in your script is very early on, the iptables will
> match the first rule found and use that so I always put default policy
> last.
By the very definition of "default policy", it is only ever examined *after* all rules within the appropriate chain have been examined; i.e. the default policy only comes into play if there is no rule within the chain which matches the packet and provides a terminal target.

It is generally considered A Good Thing(tm) to set the default policy *as early as possible* within such a script, thus ensuring that no undesired packets are accepted whilst the rules are being reconfigured.

As a side note re your script, I'm assuming that the second "$IPT -t nat -F" is actually supposed to be "$IPT -t nat -X"?

hth
Adam
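The ordering Adam describes, as an added example that is not part of the thread and not James's script: policies are set first, then the chains are flushed (-F) and the emptied user-defined chains deleted (-X), and only then are the rules appended. The rule set itself (loopback, conntrack, SSH) is a minimal assumed one for illustration. IPT defaults to iptables; the dry_run function swaps in a fake that just prints each command so the order can be inspected without root.

```shell
#!/bin/sh
# Firewall reload skeleton (example, not from the original thread).
# Set IPT to the iptables binary you want; dry_run prints the commands instead.
IPT="${IPT:-iptables}"

# Stand-in for iptables: prints the arguments it was given, one call per line.
fake_ipt() {
    printf '%s\n' "$*"
}

reload_firewall() {
    # 1. Default policies first. From here on, a packet that reaches the end
    #    of a chain without matching a terminal target is dropped, even while
    #    the chains below are momentarily empty.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # 2. Flush the rules (-F), then delete the now-empty user-defined chains (-X).
    #    -X is not a second -F: it only removes empty, non-built-in chains,
    #    which is why a flush has to come before it.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X

    # 3. Rules are walked top to bottom; the first matching terminal target
    #    (ACCEPT/DROP/REJECT) decides the packet. The policy is consulted only
    #    when no rule matched. Assumed minimal rule set for illustration.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -j ACCEPT
}

# Print the commands in the order they would be issued, without touching the
# kernel. Runs in a subshell so the IPT override does not leak out.
dry_run() (
    IPT=fake_ipt
    reload_firewall
)

case "${1:-}" in
    --dry-run) dry_run ;;
    --apply)   reload_firewall ;;
esac
```

Run with --dry-run to see the sequence, or as root with --apply. The cost of setting DROP policies before the chains are repopulated is that an existing SSH session's packets hit the empty INPUT chain for the few milliseconds between the flush and the conntrack rule; TCP retransmission covers that gap, which is the price of never having a window in which unwanted packets are accepted.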
