Re: Default deny rule

[Gopinath <gopinath.u@gmail.com>]

Thank your very much Lajos !!!!!!!!!!!!!!!

It is working fine now after adding the line "-m conntrack --ctstate
DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
previous mail.

Could you please explain how it works after adding the line "-m
conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain ? I'm
very eager to know this :-)

Regards,
Gopinath.U


I have also upgraded my iptables to version 1.3.7

On 5/29/07, Gáspár Lajos <swifty@freemail.hu> wrote:
> Hi Gopinath,
> > Hi Lajos,
> >
> > Thanks for your suggestion.
> >
> > I had upgraded my OS  to fedora 6, and also enabled logging option for
> > the DROP packets. Now the Default denying functionality is working
> > fine. But this time I face another problem. ie., i have applied static
> > NAT on my firewall. In my simulation setup i am able to connect the
> > other end (INTERNAL) machine using the NAT IP assigned, from the
> > EXTERNAL machine as well through the actual IP of the
> > machine(INTERNAL). This spoil my purpose for NATTING. I don't know why
> > this happen. I suspect that there could be some problem with my NAT
> > module. Please suggest...
> I think that this is not a NATing but a routing problem.
> I do not know your current script but maybe there is an accept that
> allows this state.
> I would add the following option to the ACCEPT rule in the FORWARD chain:
>
> -m conntrack --ctstate DNAT
>
> >
> > Is there any need to upgrade my kernel to add further support ?
> >
> I do not think so but it is good to have an up-to-date system.
> > Regards,
> > Gopinath. U
>
> Swifty