Fabian:

Adding RELATED to the rule did not help.

I am attaching the output of iptables -L -v -n --line-numbers.

Any ideas?

Thanks,
Neil

--
Neil Aggarwal, (214)986-3533, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Fabian Arrotin
Sent: Saturday, February 17, 2007 10:04 AM
To: CentOS mailing list
Subject: Re: CentOS 4.4 blocking outbound connections?

On Sat, 2007-02-17 at 09:15 -0600, Neil Aggarwal wrote:
> Hello:
>
> When I installed CentOS 4.4 (from the ServerCD) on my server, I told
> it not to install a firewall and I disabled SELinux. The server is
> a SuperMicro 5015P-TR.
>
> I set up my own /etc/init.d/firewall with these rules:
>
> #!/bin/sh
> # Firewall script
> #
> # Source function library
> . /etc/init.d/functions
>
> RETVAL=0
>
> # Some definitions (Will need to change ETH0_IP to match your configuration)
> ETH0_IP=38.114.192.86
>
> # See how we were called.
> case "$1" in
> start)
> echo -n "Starting firewall: "
> /sbin/modprobe ip_conntrack_ftp
>
> # Set the default policies to drop all packets
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
>
> # Flush any existing rules
> /sbin/iptables -F
>
> # Allow loopback traffic
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>
> # Allow icmp protocol packets
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT
>
> # Allow ssh connections from the outside world
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport ssh --dport 1024: -m state --state ESTABLISHED -j ACCEPT

Why not use ESTABLISHED,RELATED instead of just ESTABLISHED?

Can you also consider giving us the result of `iptables -L -v -n --line-numbers`? That gives a better view of what the system is using as iptables rules ...

> > <snip>

--
Fabian Arrotin <fabian.arrotin@xxxxxxxxxx>
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   152 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            38.114.192.86
3      111  7916 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            38.114.192.86       tcp spts:1024:65535 dpt:22 state NEW,ESTABLISHED
4        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            38.114.192.86       udp spt:53 dpts:1024:65535
5        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `FORWARD '

Chain OUTPUT (policy DROP 3 packets, 144 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   152 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     icmp --  *      eth0    38.114.192.86        0.0.0.0/0
3       69 10620 ACCEPT     tcp  --  *      eth0    38.114.192.86        0.0.0.0/0           tcp spt:22 dpts:1024:65535 state RELATED,ESTABLISHED
4        0     0 ACCEPT     udp  --  *      eth0    38.114.192.86        0.0.0.0/0           udp spts:1024:65535 dpt:53
5        3   144 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `OUTPUT '

Chain L (0 references)
num   pkts bytes target     prot opt in     out     source               destination
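Added helper, not part of the thread: it parses the listing Neil attached and, for a given chain, protocol, destination port and interface, reports which ACCEPT rule a connection-opening (state NEW) packet can match before the chain's DROP policy applies. The function names (`parse_listing`, `allows_new`) and the column spacing of the embedded sample are my own; the rules and counters are the ones posted, and the INPUT chain is included for comparison with OUTPUT.

```python
import re
# Constructed sample: the INPUT and OUTPUT chains as posted in the thread (iptables -L -v -n --line-numbers).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in   out  source         destination
1        2   152 ACCEPT  all  --  lo   *    0.0.0.0/0      0.0.0.0/0
2        0     0 ACCEPT  icmp --  eth0 *    0.0.0.0/0      38.114.192.86
3      111  7916 ACCEPT  tcp  --  eth0 *    0.0.0.0/0      38.114.192.86  tcp spts:1024:65535 dpt:22 state NEW,ESTABLISHED
4        0     0 ACCEPT  udp  --  eth0 *    0.0.0.0/0      38.114.192.86  udp spt:53 dpts:1024:65535
5        0     0 LOG     all  --  *    *    0.0.0.0/0      0.0.0.0/0      LOG flags 0 level 4 prefix `INPUT '

Chain OUTPUT (policy DROP 3 packets, 144 bytes)
num   pkts bytes target  prot opt in   out  source         destination
1        2   152 ACCEPT  all  --  *    lo   0.0.0.0/0      0.0.0.0/0
2        0     0 ACCEPT  icmp --  *    eth0 38.114.192.86  0.0.0.0/0
3       69 10620 ACCEPT  tcp  --  *    eth0 38.114.192.86  0.0.0.0/0      tcp spt:22 dpts:1024:65535 state RELATED,ESTABLISHED
4        0     0 ACCEPT  udp  --  *    eth0 38.114.192.86  0.0.0.0/0      udp spts:1024:65535 dpt:53
5        3   144 LOG     all  --  *    *    0.0.0.0/0      0.0.0.0/0      LOG flags 0 level 4 prefix `OUTPUT '
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$")

def parse_listing(text):
    """Return {chain: {"policy", "policy_pkts", "rules": [...]}} from -L -v -n --line-numbers output."""
    chains, cur = {}, None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):          # "Chain X (policy P N packets, ...)"
            cur = chains[m[1]] = {"policy": m[2], "policy_pkts": int(m[3]), "rules": []}
        elif cur is not None and (m := RULE_RE.match(line)):   # numbered rule row
            num, pkts, target, prot, inif, outif, extra = m.groups()
            cur["rules"].append({"num": int(num), "pkts": int(pkts), "target": target,
                                 "prot": prot, "in": inif, "out": outif, "extra": extra})
    return chains

def allows_new(chain, prot, dport, iface):
    """First ACCEPT rule number a connection-opening (state NEW) packet of prot/dport on iface
    can match, else None (policy decides). Address matches are not evaluated (all 0.0.0.0/0 or host IP)."""
    for r in chain["rules"]:
        if (r["target"] != "ACCEPT" or r["prot"] not in ("all", prot)
                or r["in"] not in ("*", iface) or r["out"] not in ("*", iface)):
            continue
        pm = re.search(r"dpts?:(\d+)(?::(\d+))?", r["extra"])   # dpt:22 or dpts:1024:65535
        if pm and not int(pm[1]) <= dport <= int(pm[2] or pm[1]):
            continue
        sm = re.search(r"state (\S+)", r["extra"])
        if sm is None or "NEW" in sm[1].split(","):  # no state match, or NEW listed
            return r["num"]
    return None   # only ESTABLISHED/RELATED rules (or none) apply: the chain policy decides

if __name__ == "__main__":   # what a NEW tcp/22 and tcp/80 packet on eth0 hits in each chain
    print({c: [allows_new(ch, "tcp", p, "eth0") for p in (22, 80)] for c, ch in parse_listing(LISTING).items()})
```

For OUTPUT the only TCP rule is the RELATED,ESTABLISHED one on sport 22, so every connection the server opens itself falls through to the DROP policy, which is consistent with the 3 packets counted by both the policy and the trailing LOG rule.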
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos