2009/4/28 Filipe Brandenburger <filbranden at gmail.com>
> Hi,
>
> On Mon, Apr 27, 2009 at 16:01, Bo Lynch <blynch at ameliaschools.com> wrote:
> > I think I found the culprit but not sure if by taking this out it will be
> > a risk. When I remove this statement things work....
> > iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
> >
> > If I drop the NEW it works. Should I be concerned from a security
> > standpoint?
>
> The point of that rule is to drop anything you did not handle before.
> That rule is supposed to be the last one in the list of rules.
>
> The best solution in your case is probably to move your other rules
> above that one.
>

Indeed, that or using iptables -I to insert the other rules... or better yet, do as you say and put the new rules above the DROP and, rather than using a script, use /etc/sysconfig/iptables for the configuration and use iptables-restore </etc/sysconfig/iptables to apply changes very fast...

What's odd though is that a DROP wouldn't result in a connection refused error; you'd need a REJECT for that. With DROP it would just be a timeout...

d
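The ordering advice above (explicit ACCEPT rules first, the catch-all NEW,INVALID DROP as the last FORWARD rule, loaded from a file with iptables-restore) as an added shell example; this is not code from the thread or from CentOS. The interface names (eth0, eth1) and the forwarded ports are constructed placeholders, and check_drop_is_last is a hypothetical helper that inspects the ruleset text before it is loaded, so it runs without root or iptables installed.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# build_ruleset emits an iptables-restore style filter table in which the
# per-service ACCEPT rules come first and the "drop anything not handled
# above" rule is the last FORWARD rule. Interfaces and ports are placeholders.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were already allowed through
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Traffic you explicitly want forwarded (placeholder interfaces and ports)
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
# Catch-all: must remain the LAST FORWARD rule, or it shadows the ACCEPTs
-A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
EOF
}

# check_drop_is_last (hypothetical helper): reads a ruleset on stdin and
# returns 0 only if the final "-A FORWARD" line is the NEW,INVALID DROP.
# Run it before iptables-restore so a misordered file is never loaded.
check_drop_is_last() {
    last=$(grep '^-A FORWARD' | tail -n 1)
    case "$last" in
        *'--state NEW,INVALID -j DROP'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as root, after reviewing the generated file):
#   build_ruleset > /etc/sysconfig/iptables
#   check_drop_is_last < /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

Because iptables-restore replaces the whole table atomically, editing the file and reloading avoids the situation in the original question, where a script appended rules after the DROP and they were never reached.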