Am I right in thinking that prior to a packet going to INPUT or FORWARD there is a decision made? The packet does not go to INPUT first, right? Why, if I set INPUT's default policy to DROP does this not work? Ideally I'd want all policies to DROP, which I'm assuming is essentially a deny unless permitted assumption for the ruleset, but that doesn't work.
We're running iptables 1.2.5 on kernel 2.4.18. The fact that this works makes NO sense to me given every other packet filtering mechanism I've worked with. Maybe a compile issue? Feedback appreciated.

This works:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  network.126.0/24     0.0.0.0/0          tcp dpt:22
    ACCEPT     tcp  --  network.97.0/24      0.0.0.0/0          tcp dpt:22

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  network.97.0/24      network.104.180    tcp dpt:80
    ACCEPT     tcp  --  network.120.0/21     network.104.180    tcp dpt:80
    ACCEPT     tcp  --  network.120.0/21     network.104.180    tcp dpt:443
    ACCEPT     tcp  --  network.97.0/24      network.104.180    tcp dpt:443
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  local                0.0.0.0/0
    ACCEPT     tcp  --  0.0.0.0/0            local              state RELATED,ESTABLISHED
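As an added illustration, not part of the original post, here is a small Python model of how the filter table is traversed: the routing decision comes first, sending packets addressed to the firewall itself to INPUT and everything else to FORWARD, and each chain is then walked top to bottom, with the chain policy applied only when no rule matches. The addresses (10.0.126.0/24 and so on) are constructed stand-ins for the masked network.* values in the listing, and "local" is assumed to be the firewall's own address 10.0.104.1. The model reproduces the listed ruleset and also shows one difference between the chains that matters when INPUT's policy is switched to DROP: FORWARD carries a RELATED,ESTABLISHED rule, INPUT does not, so replies to connections the firewall itself opened fall through to the policy.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, List, Dict

# Constructed stand-ins for the masked addresses in the post.
LOCAL = "10.0.104.1/32"          # assumed: the firewall's own address ("local")
WEB_SERVER = "10.0.104.180/32"   # stands in for network.104.180


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One line of an iptables chain; None means 'any' for that field."""
    target: str
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    states: Tuple[str, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # First matching rule wins; the policy only applies when nothing matched.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_ruleset(input_policy: str = "ACCEPT",
                  established_in_input: bool = False) -> Dict[str, Chain]:
    """The filter table from the post, with two knobs for experimenting."""
    established = Rule("ACCEPT", states=("RELATED", "ESTABLISHED"))
    inp = Chain(input_policy, [
        Rule("ACCEPT", "tcp", src="10.0.126.0/24", dport=22),
        Rule("ACCEPT", "tcp", src="10.0.97.0/24", dport=22),
    ])
    if established_in_input:
        inp.rules.append(established)
    fwd = Chain("DROP", [
        Rule("ACCEPT", "tcp", src="10.0.97.0/24", dst=WEB_SERVER, dport=80),
        Rule("ACCEPT", "tcp", src="10.0.120.0/21", dst=WEB_SERVER, dport=80),
        Rule("ACCEPT", "tcp", src="10.0.120.0/21", dst=WEB_SERVER, dport=443),
        Rule("ACCEPT", "tcp", src="10.0.97.0/24", dst=WEB_SERVER, dport=443),
        established,
    ])
    out = Chain("DROP", [
        Rule("ACCEPT", src=LOCAL),
        Rule("ACCEPT", "tcp", dst=LOCAL, states=("RELATED", "ESTABLISHED")),
    ])
    return {"INPUT": inp, "FORWARD": fwd, "OUTPUT": out}


def filter_verdict(pkt: Packet, table: Dict[str, Chain],
                   local: str = LOCAL) -> Tuple[str, str]:
    """Routing decision for an arriving packet, then the chosen chain's verdict."""
    chain = "INPUT" if ip_address(pkt.dst) in ip_network(local) else "FORWARD"
    return chain, table[chain].verdict(pkt)


if __name__ == "__main__":
    # Constructed sample traffic.
    ssh_to_fw = Packet("10.0.126.5", "10.0.104.1", "tcp", 22)
    http_via_fw = Packet("10.0.97.5", "10.0.104.180", "tcp", 80)
    reply_to_fw = Packet("10.0.104.180", "10.0.104.1", "tcp", 40000, "ESTABLISHED")
    for name, table in (("INPUT ACCEPT", build_ruleset("ACCEPT")),
                        ("INPUT DROP", build_ruleset("DROP")),
                        ("INPUT DROP + ESTABLISHED", build_ruleset("DROP", True))):
        for pkt in (ssh_to_fw, http_via_fw, reply_to_fw):
            print(name, pkt.src, "->", pkt.dst, filter_verdict(pkt, table))
```

Running it shows the SSH packet and the forwarded HTTP packet landing in different chains, and the reply to the firewall's own connection being accepted under the listed policy, dropped once INPUT's policy is DROP, and accepted again only when INPUT gets the same RELATED,ESTABLISHED rule that FORWARD already has.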