2009/4/28 Filipe Brandenburger <filbranden@gmail.com>
Hi,

On Mon, Apr 27, 2009 at 16:01, Bo Lynch <blynch@ameliaschools.com> wrote:
> I think I found the culprit but not sure if by taking this out it will be
> a risk. When I remove this statement things work....
> iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
>
> If I drop the NEW it works. Should I be concerned from I security stand
> point?

The point of that rule is to drop anything you did not handle before.
That rule is supposed to be the last one in the list of rules.

The best solution in your case is probably to move your other rules
above that one.

Indeed, that or using iptables -I to insert the other rules... or better yet, do as you say and put the new rules above the DROP and rather than using a script, use /etc/sysconfig/iptables for the configuration and use iptables-restore </etc/sysconfig/iptables to apply changes very fast...

What's odd though is that a DROP wouldn't result in a connection refused error, you'd need a REJECT for that, with DROP it would just be a timeout...

d