RE: thoughts on a newbie tutorial i'll be giving shortly

On Thu, 30 Oct 2003, Rob Sterenborg wrote:

> > Just my 0.02, if it's worth that much considering I can't even 
> > get DNS lookups from my fw working.....
> 
> You have probably set policy to DROP for the OUTPUT chain.
> iptables -A OUTPUT -p udp --dport 53 [-d ip_dns] -j ACCEPT
> Some would say to also do this for the tcp proto, but this should work.

there are definitely two schools of thought: 1) those who set a
policy of ACCEPT on OUTPUT and just do all the filtering on INPUT, 
and 2) those who want to be really specific on both INPUT and
OUTPUT.

if you want to be really restrictive on your OUTPUT chain, that's
fine.  but for testing purposes, you might want to open it up,
make sure everything works, *then* lock it down and see what
breaks.  at least you'll be closer to isolating the problem.

rday
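As an added illustration of both points in this thread (allowing DNS through a DROP-policy OUTPUT chain, and switching the policy last so the rules are already in place), here is a small firewall-script fragment. It is example code, not anything posted by Rob or rday. `IPT` defaults to `echo iptables`, so running it as-is only prints the commands; set `IPT=iptables` and run as root to apply them. The resolver address 192.0.2.53 is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to a dry run that prints
# the commands; export IPT=iptables to apply them for real (needs root).
IPT="${IPT:-echo iptables}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # placeholder resolver address

# Rules that let a DROP-policy OUTPUT chain still reach the resolver.
# UDP carries ordinary queries; TCP is used when a reply is truncated
# (TC bit set), so a lock-down policy should allow both, as the thread notes.
dns_output_rules() {
    resolver="$1"
    $IPT -A OUTPUT -p udp -d "$resolver" --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$resolver" --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies arrive on INPUT; if that chain also drops by default, admit
    # only packets belonging to a connection this host opened.
    $IPT -A INPUT -p udp -s "$resolver" --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$resolver" --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# "Open it up, make sure everything works, *then* lock it down": keep the
# policy at ACCEPT while testing, and flip it to DROP only after the
# permit rules above are loaded.
open_output() {
    $IPT -P OUTPUT ACCEPT
}

lock_down_output() {
    $IPT -P OUTPUT DROP
}

# Dry-run helper: how many outbound DNS permit rules would be emitted
# for a given resolver (always two here: one UDP, one TCP).
count_dns_rules() {
    ( IPT="echo iptables"; dns_output_rules "$1" ) | grep -c -- '--dport 53'
}

# Walkthrough in the order the thread recommends: permit rules first,
# then the restrictive policy.
open_output
dns_output_rules "$DNS_SERVER"
lock_down_output
```

If name resolution breaks after `lock_down_output`, the difference between the working and broken state is exactly one policy change, which is the isolation rday describes.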