Re: Help on IPTABLES

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

 
    You'll probably browse with no problems if you use IP addresses. If you try to browse using names (www.something.com), you'll need to do a DNS request for the IP of that hostname. The request will go out with no problems, as OUTPUT is ACCEPT. But DNS reply will be blocked, as INPUT only allows port 80 traffic.
 
    For allowing web browsing ONLY, you'll have to allow AT LEAST packets with source port 53 (TCP and UDP - almost all will be UDP but TCP can be also used). Dont forget HTTPS too, which is port 443.
 
    You should also analyse the RH-Lokkit-0-50-INPUT chain. As packets are getting to this chain BEFORE reaching your rules, if something gets blocked there, it will NEVER reach YOUR rules.
 
    For static rules, you can create them on /etc/rc.d/rc.local. This file will be executed after ALL daemons got UP on the reboot process.
 
    Sincerily,
    Leonardo Rodrigues
 
----- Original Message -----
From: info
Sent: Thursday, October 09, 2003 9:20 AM
Subject: Help on IPTABLES

hi all,

 Can somebody explain to me why is when i changed my Chain INPUT Rules from ACCEPT to DROP, i cannot browse the internet despite opening port 80 in the INPUT rule.
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: CHAIN Output is accept for ALL)


The configurations on my IPTABLES are as follows

Chain INPUT (policy DROP)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:http
ACCEPT     udp  --  anywhere             anywhere           udp spt:http

Note that my OUTPUT Rules are as follows:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have two network cards installed on my pc - running Red Hat 9.0

Routing for static routes are follows:

xx.yy.zz.aa        0.0.0.0         255.255.255.0       U     0      0        0 eth0
xx.0.0.0           0.0.0.0         255.0.0.0           U     0      0        0 eth1
127.0.0.0          0.0.0.0         255.0.0.0           U     0      0        0 lo
0.0.0.0            zz.zz.zz.zz       0.0.0.0           UG    0      0        0 eth0
0.0.0.0            zz.zz.zz.zz       0.0.0.0           UG    0      0        0 eth1

where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.

By the way, is there a way to save static routes because when i reboot my pc, all routes are lost.

Thanks for any help.

guy


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux