In your situation, some points should be clarified.
As your rules are not dropping anything, the two given rules will do what
they are proposed to do, but the default ACCEPT will let all the other
connections pass through. Are they useless? Of course not... they WILL do
what they are supposed to do. Those rules will work regardless of any default
rule. But, in this situation, allowing some packets and later allowing
everything makes your rules somewhat nonsensical.
Another thing: if you get a machine with these two rules and DROP as the
default action, your machine will be completely inaccessible. You should note
that in INPUT you're not allowing NEW connections, which means this machine
will only receive 'return' packets from its own connections. Nobody will be
able to establish an arbitrary connection to this machine. However, you're
applying RELATED,ESTABLISHED on the OUTPUT rule too, which means this machine can ONLY
answer connections, and never generate new ones.
So, your INPUT rule is trying to deny all new connections and pass through
only locally generated connections. But OUTPUT is trying to allow ONLY already
established connections and drop all locally originated ones. This absolutely
won't work!
And, just in case, don't forget to set an appropriate default rule for your
chains.
Sincerely,
Leonardo Rodrigues
Quoting Harry <[EMAIL PROTECTED]>:
> I have a stateful iptables setup like this:
>
> iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> But what do they actually do when there is no other table (also, the
> default is set to ACCEPT) specifying that it should be dropped? Are they
> useless? Or
>
> Thanks in advance,
> harry
>
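The point Leonardo makes above (the two rules only matter once the chain policy is DROP, and then they lock the host out in both directions) can be checked with a small model of how iptables evaluates a state match against the first packet of a connection. This is an added example, not code from the thread; the `Firewall`/`Rule` classes and the "fixed" ruleset are my own construction, and the model covers only chain policy, the `-m state` match and the NEW/ESTABLISHED state of a packet.

```python
# Added example (not from the mailing-list thread): a minimal model of how
# iptables decides the fate of a packet given a chain's rules and its policy.
from dataclasses import dataclass, field


@dataclass
class Rule:
    chain: str                 # "INPUT" or "OUTPUT"
    states: set                # states accepted by "-m state --state ..."
    target: str = "ACCEPT"


@dataclass
class Firewall:
    policy: dict               # chain -> default target ("ACCEPT"/"DROP")
    rules: list = field(default_factory=list)

    def verdict(self, chain, state):
        # First matching rule wins; otherwise the chain policy applies.
        for r in self.rules:
            if r.chain == chain and state in r.states:
                return r.target
        return self.policy[chain]


def outbound_connection(fw):
    """Can this host open a TCP connection? Its SYN leaves via OUTPUT in
    state NEW; the peer's SYN/ACK comes back via INPUT as ESTABLISHED."""
    return (fw.verdict("OUTPUT", "NEW") == "ACCEPT"
            and fw.verdict("INPUT", "ESTABLISHED") == "ACCEPT")


def inbound_connection(fw):
    """Can a remote host connect to us? Its SYN arrives via INPUT in state
    NEW; our SYN/ACK leaves via OUTPUT as ESTABLISHED."""
    return (fw.verdict("INPUT", "NEW") == "ACCEPT"
            and fw.verdict("OUTPUT", "ESTABLISHED") == "ACCEPT")


# Harry's two rules, exactly as posted.
HARRY = [Rule("OUTPUT", {"RELATED", "ESTABLISHED"}),
         Rule("INPUT", {"RELATED", "ESTABLISHED"})]


def harry_default_accept():
    return Firewall({"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"}, list(HARRY))


def harry_default_drop():
    return Firewall({"INPUT": "DROP", "OUTPUT": "DROP"}, list(HARRY))


def fixed_default_drop():
    # Assumed correction: OUTPUT may originate connections (NEW), INPUT
    # stays reply-only, and both chains default to DROP.
    return Firewall({"INPUT": "DROP", "OUTPUT": "DROP"},
                    [Rule("OUTPUT", {"NEW", "RELATED", "ESTABLISHED"}),
                     Rule("INPUT", {"RELATED", "ESTABLISHED"})])
```

With the ACCEPT policy everything gets through regardless of the rules; with DROP, Harry's pair blocks connections in both directions, while the corrected OUTPUT rule lets the host originate traffic but still refuses unsolicited inbound connections.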