Hey,

> ### Create Chains
> iptables -N IN_LO
> iptables -N OUT_LO
> iptables -N IN_ETH0
> iptables -N OUT_ETH0
> iptables -N IN_ETH1
> iptables -N OUT_ETH1
> iptables -N BLOCKED_PACKETS
> iptables -N ICMP_PACKETS
>
> ### POLICIES
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> ### INPUT
> iptables -A INPUT -j BLOCKED_PACKETS

so all incoming packets first have to pass BLOCKED_PACKETS

> ### BLOCKING_PACKETS
> iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

looks strange, "-p tcp -m tcp"; tcp matches are written with "-p tcp".

On the one hand you want to block all packets that have the SYN and ACK flag, but on the other side you want to block state NEW. Aren't those two rules in one? Does that work?

> iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> -j DROP

block "not syn" but state NEW, isn't that a contradiction?

If those two rules work, in my opinion no tcp connection will work on any interface.

Did you take a look at 'iptables -vL'? What does it display? Introducing logging for debugging purposes can help.

Regards
Frank
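As an added example, not part of the original thread, the following Python model walks the two TCP rules of the BLOCKED_PACKETS chain quoted above against a few constructed packets. The conntrack state each packet carries is an assumed input, since the model has no real connection-tracking table.

```python
# Added example (not from the original thread): a model of how the two TCP
# rules in BLOCKED_PACKETS combine a flag test with the conntrack state.
# Each packet's conntrack state is a constructed input here; a real kernel
# derives it from its connection-tracking table.

SYN, ACK, RST = "SYN", "ACK", "RST"

def tcp_flags_match(flags, mask, comp):
    """Model of --tcp-flags MASK COMP: of the bits in MASK, exactly COMP is set."""
    return {f for f in flags if f in mask} == set(comp)

def is_syn(flags):
    """Model of --syn, shorthand for --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(flags, {SYN, RST, ACK}, {SYN})

def blocked_packets(pkt):
    """Walk the BLOCKED_PACKETS chain for one packet and return its verdict.
    "RETURN" means no rule matched and the calling chain (INPUT) continues."""
    state, flags = pkt["state"], pkt.get("flags", set())
    # iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
    if state == "INVALID":
        return "DROP"
    if pkt["proto"] == "tcp":
        # --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
        # A SYN+ACK is NEW only when conntrack never saw a matching outgoing SYN.
        if tcp_flags_match(flags, {SYN, ACK}, {SYN, ACK}) and state == "NEW":
            return "REJECT tcp-reset"
        # ! --syn -m state --state NEW -j DROP
        # A plain SYN is NEW and falls through; a non-SYN segment with no
        # conntrack entry (NEW under nf_conntrack_tcp_loose) is dropped.
        if not is_syn(flags) and state == "NEW":
            return "DROP"
    return "RETURN"

# Constructed sample traffic, each with the conntrack state it would carry.
SAMPLE_PACKETS = {
    "client SYN opening a connection":     {"proto": "tcp", "flags": {SYN}, "state": "NEW"},
    "SYN+ACK answering our tracked SYN":   {"proto": "tcp", "flags": {SYN, ACK}, "state": "ESTABLISHED"},
    "unsolicited SYN+ACK, no tracked SYN": {"proto": "tcp", "flags": {SYN, ACK}, "state": "NEW"},
    "data ACK inside a tracked stream":    {"proto": "tcp", "flags": {ACK}, "state": "ESTABLISHED"},
    "stray ACK with no conntrack entry":   {"proto": "tcp", "flags": {ACK}, "state": "NEW"},
    "packet conntrack classes as INVALID": {"proto": "udp", "state": "INVALID"},
}

def verdicts():
    """Verdict of the BLOCKED_PACKETS chain for every sample packet."""
    return {name: blocked_packets(pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:16} {name}")
```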

