On Tuesday 15 October 2002 1:47 pm, Neil Hodge wrote:
> All:
>
> I am running directly off the firewall box. I currently have the
> following:
>
> iptables -P OUTPUT ACCEPT
>
> When I change to this:
>
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -p tcp --destination-port http -j ACCEPT
>
> I keep getting "domainname can not be found. Please check the name and
> try again" from my browser. This only happens for new web sites (i.e.,
> Yahoo works fine). As this seems somewhat like a DNS issue, I tried
> adding this:
>
> iptables -A OUTPUT -p tcp --destination-port nameserver -j ACCEPT
>
> but it didn't work. Any ideas? Thanks.

Yes. Change the tcp to udp in the last command above :-)

By the way, I would recommend adding a LOGging rule to your OUTPUT chain, at the end just before packets get default DROPped, so you can see what you're blocking which you might not realise you want to allow....

There are things like some ICMP packets which you might not realise you should allow out of your machine in order to keep things running nicely.

Antony.

-- 
There are two possible outcomes. If the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery.

- Enrico Fermi
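An OUTPUT chain put together along the lines of the reply above: default DROP, DNS allowed over UDP (and TCP, which resolvers fall back to for large answers), ICMP let out, and a rate-limited LOG rule as the very last rule so anything the policy is about to drop shows up in the kernel log. This is an added example, not a script from the thread; it uses the numeric port 53 rather than a service name from /etc/services, and the IPT variable and the preview/apply arguments are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original thread). IPT=echo prints the rules
# instead of installing them, which is handy for reviewing the order.
IPT="${IPT:-iptables}"

output_rules() {
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    # Replies belonging to connections already tracked as allowed
    # (e.g. answers to inbound SSH) and anything conntrack marks as related.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Local services talk to each other over loopback.
    $IPT -A OUTPUT -o lo -j ACCEPT
    # DNS: queries go out over UDP 53; resolvers retry over TCP 53 when an
    # answer is too large for UDP, so both are needed.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    # Web browsing.
    $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
    # ICMP so path MTU discovery and error reporting keep working.
    $IPT -A OUTPUT -p icmp -j ACCEPT
    # Last rule: log what the default DROP policy is about to discard,
    # rate-limited so a flood cannot fill the log.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "
}

# Usage: sh outchain.sh preview   (print the commands, no root needed)
#        sh outchain.sh apply     (install the rules, needs root)
case "${1:-}" in
    apply)   output_rules ;;
    preview) IPT=echo; output_rules ;;
esac
```

Logged drops appear in the kernel log (dmesg or syslog) with the "OUTPUT DROP: " prefix, showing the protocol and destination port of each packet that still needs an ACCEPT rule.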