RE: Help on IPTABLES

Dear Leonardo,

Thanks for your reply.

I've just allowed port 53/443 as well. Still cannot browse. Do you think it's got something to do with the routing of my two network cards?

When I change my INPUT chain to accept all, browsing works. (Note I am talking about browsing on the host where iptables has been installed.)

Or do I have to insert a new rule to enable NAT? Below are my chain rules. Thanks for replying.

gilles

 

 

Chain INPUT (policy DROP)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:53

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:2049 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable


-----Original Message-----
From: Leonardo Rodrigues Magalhães [mailto:leolistas@xxxxxxxxxxxxxx]
Sent: Saturday, October 11, 2003 6:33 PM
To: info; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Help on IPTABLES

You'll probably browse with no problems if you use IP addresses. If you try to browse using names (www.something.com), you'll need to do a DNS request for the IP of that hostname. The request will go out with no problems, as OUTPUT is ACCEPT. But the DNS reply will be blocked, as INPUT only allows port 80 traffic.

For allowing web browsing ONLY, you'll have to allow AT LEAST packets with source port 53 (TCP and UDP - almost all will be UDP but TCP can also be used). Don't forget HTTPS too, which is port 443.

You should also analyse the RH-Lokkit-0-50-INPUT chain. As packets are getting to this chain BEFORE reaching your rules, if something gets blocked there, it will NEVER reach YOUR rules.

For static rules, you can create them in /etc/rc.d/rc.local. This file will be executed after ALL daemons got UP in the reboot process.

Sincerely,

Leonardo Rodrigues

 

----- Original Message -----

From: info

Sent: Thursday, October 09, 2003 9:20 AM

Subject: Help on IPTABLES

 

hi all,

Can somebody explain to me why, when I changed my Chain INPUT rules from ACCEPT to DROP, I cannot browse the internet despite opening port 80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: Chain OUTPUT is ACCEPT for ALL.)


The configurations on my IPTABLES are as follows

Chain INPUT (policy DROP)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:http
ACCEPT     udp  --  anywhere             anywhere           udp spt:http

Note that my OUTPUT Rules are as follows:

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

I have two network cards installed on my pc - running Red Hat 9.0

Routing for static routes is as follows:

xx.yy.zz.aa        0.0.0.0         255.255.255.0       U     0      0        0 eth0
xx.0.0.0           0.0.0.0         255.0.0.0           U     0      0        0 eth1
127.0.0.0          0.0.0.0         255.0.0.0           U     0      0        0 lo
0.0.0.0            zz.zz.zz.zz       0.0.0.0           UG    0      0        0 eth0
0.0.0.0            zz.zz.zz.zz       0.0.0.0           UG    0      0        0 eth1


where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.

By the way, is there a way to save static routes? Because when I reboot my PC, all routes are lost.

Thanks for any help.

guy
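A stateful alternative to the source-port rules discussed in this thread, added here as an example and not taken from any of the messages: it accepts only replies to connections the host itself opened, so DNS answers and HTTP/HTTPS responses get in without leaving every local port reachable from a remote source port of 53, and it includes an audit helper for spotting such source-port-only ACCEPT rules in `iptables -L -n` output. The function names, the `IPT` variable and the sample listing are constructed for this example; the iptables flags are real.

```shell
#!/bin/sh
# Added example (not from the thread). Stateful replacement for rules such as
# "ACCEPT tcp spt:53": those trust the remote end's choice of source port, so
# any remote host can reach any local port just by sending from port 53.
# Connection tracking instead admits only packets that belong to connections
# this host started. IPT is the iptables binary; set IPT=echo to print the
# rules instead of installing them (installing needs root).
IPT="${IPT:-iptables}"

apply_browse_only_input() {
    # Clean INPUT chain with a DROP default policy, as in the poster's setup.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP

    # Loopback: the local resolver and many daemons talk to 127.0.0.1.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to outgoing DNS/HTTP/HTTPS connections are ESTABLISHED;
    # RELATED admits ICMP errors tied to those connections. This single
    # rule is what lets the DNS answer and the web server's data back in.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # No dpt:80/443 rules are needed just to browse; those only matter if
    # this host also serves web pages. Everything else hits the DROP policy.
}

# Audit helper: read `iptables -L -n` output on stdin and print ACCEPT rules
# that match only on a source port (spt:) with no destination-port match.
# These are exactly the rules the stateful policy above makes unnecessary.
find_source_port_accepts() {
    awk '$1 == "ACCEPT" && /spt:/ && !/dpt:/ { print }'
}

# Stand-alone usage: dry-run the policy, then audit a constructed listing.
if [ "${1:-}" = "--demo" ]; then
    IPT=echo
    apply_browse_only_input
    printf '%s\n' \
        'ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   tcp spt:53' \
        'ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80' \
        | find_source_port_accepts
fi
```

Run it with `--demo` to see the rules printed rather than installed; the audit line for `spt:53` is the one the stateful rule replaces.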

