Re: OUTPUT ACCEPT, but can't see out

On March 3, 2004 08:11 pm, Kevin Mulcahy wrote:
> Hi All
> I have a very simple set of rules, with default policy for INPUT being
> DROP and  default OUTPUT being ACCEPT.
> However, I can't hit anything on the outside.  I can't ping, ssh - nothing.
> When I flush everything I can see outside no problem.
> My script is:
>
> IPTABLES="/sbin/iptables"
> INTERFACE="eth0"
> SERVER="x.x.x.x"
> SSHA1="y.y.y.y"
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -A INPUT -i $INTERFACE -p tcp -s $SSHA1 -d $SERVER --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -i $INTERFACE -p tcp -s $ALLIP -d $ALLIP --dport 80 -j ACCEPT
> $IPTABLES -A INPUT -i $INTERFACE -p tcp -s $ALLIP -d $ALLIP --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -i $INTERFACE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
> #Note - this appears to generate an error
> # iptables: No chain/target/match by that name
> # but would that affect OUTPUT ???
> $IPTABLES -A INPUT -i $INTERFACE -p ALL -j RETURN
>
> $IPTABLES -A OUTPUT -o $INTERFACE -p ALL  -j ACCEPT



Remove the -p ALL from your established/related line.
Don't put one in; it covers all.

In answer to the question you commented in there, YES it will. Your policy on
INPUT is DROP -- thus you are getting out, but nothing is getting BACK to you.


Alistair.
>
>
> Cheers
> Kev.
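Kevin's rule set with Alistair's fix applied, as an added example that is not part of the original thread: the stateful rule loses -p ALL, the undefined $ALLIP gets a value (0.0.0.0/0 meaning "any address" is an assumption), and set -e makes a rule that fails to load abort the script instead of quietly leaving INPUT at policy DROP with no ESTABLISHED,RELATED accept. The x.x.x.x / y.y.y.y placeholders are kept from the original post.

```shell
#!/bin/sh
# Added example, not code from the original thread. Set IPTABLES=echo for a
# dry run that only prints the commands; run with "apply" as the argument to
# load the rules for real (requires root and iptables).
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERFACE="${INTERFACE:-eth0}"
SERVER="${SERVER:-x.x.x.x}"      # placeholder from the original post
SSHA1="${SSHA1:-y.y.y.y}"        # placeholder from the original post
ALLIP="0.0.0.0/0"                # assumption: the original never defines ALLIP

# Every rule goes through this wrapper. With set -e, a non-zero exit from
# iptables (e.g. "No chain/target/match by that name") stops the script at
# that line, so a rule that did not load is noticed immediately rather than
# discovered later as "I can't see out".
rule() {
    "$IPTABLES" "$@"
}

apply_rules() {
    rule -P INPUT DROP
    rule -P OUTPUT ACCEPT
    rule -P FORWARD DROP
    # Stateful rule first and without -p ALL: the state match already applies
    # to every protocol, and this rule is what lets replies to outbound
    # connections back in past the INPUT DROP policy.
    rule -A INPUT -i "$INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$INTERFACE" -p tcp -s "$SSHA1" -d "$SERVER" --dport 22 -j ACCEPT
    rule -A INPUT -i "$INTERFACE" -p tcp -s "$ALLIP" -d "$ALLIP" --dport 80 -j ACCEPT
    rule -A INPUT -i "$INTERFACE" -p tcp -s "$ALLIP" -d "$ALLIP" --dport 443 -j ACCEPT
    rule -A OUTPUT -o "$INTERFACE" -j ACCEPT
}

# Returns 0 only if the stateful accept is actually present in the live chain.
check_state_rule() {
    "$IPTABLES" -L INPUT -n | grep -q ESTABLISHED
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
    check_state_rule || { echo "stateful rule missing: replies will be dropped" >&2; exit 1; }
fi
```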

