Hi Peeps,

A weird problem. See my rules below on the INPUT chain. I have NOT allowed 33434:33523 for traceroute on UDP, but some people can and some people can't do a traceroute. Any ideas? Traceroute should be accepted only if I open 33434:33523, isn't it? Then why is it allowing some in? I'm allowing everything on the FORWARD and OUTPUT chains.

Also, for DNS and Web, do I need to open any specific >1024 ports? That should be covered by ESTABLISHED,RELATED, isn't it?

#Accept ESTABLISHED
-A RH-Lokkit-0-50-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m state --state ESTABLISHED,RELATED --dport 1024: -j ACCEPT
#Allow traceroute
###-A RH-Lokkit-0-50-INPUT -p udp --dport 33434:33523 -j ACCEPT
#Accept ICMP Ping
-A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p icmp -j LOG
# Drop Everything else
-A RH-Lokkit-0-50-INPUT -j DROP
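An added example, not part of the original post: a small Python model of the posted INPUT chain, walked rule by rule in the same order, to see which kinds of traceroute probe it accepts. It assumes conntrack marks inbound UDP/TCP packets that answer an outbound flow as ESTABLISHED and everything else as NEW; the sample packets are constructed, and the rate limit on the echo-request rule is ignored.

```python
# Toy model of the RH-Lokkit-0-50-INPUT chain from the post (added example).
# Assumption: inbound packets answering an outbound flow carry state
# ESTABLISHED; unsolicited packets carry state NEW.

ECHO_REQUEST = "echo-request"


def rh_lokkit_input(pkt, traceroute_rule_enabled=False):
    """Return the verdict ('ACCEPT' or 'DROP') for one inbound packet.

    pkt is a dict with keys: proto, state, dport (udp/tcp), icmp_type (icmp).
    Rules are checked in the same order as the posted chain.
    """
    proto, state = pkt["proto"], pkt.get("state", "NEW")
    # -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    if proto == "tcp" and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # -p udp -m state --state ESTABLISHED,RELATED --dport 1024: -j ACCEPT
    if proto == "udp" and state in ("ESTABLISHED", "RELATED") and pkt["dport"] >= 1024:
        return "ACCEPT"
    # ###-A ... -p udp --dport 33434:33523 -j ACCEPT  (commented out in the post,
    # so it is only applied when traceroute_rule_enabled=True)
    if traceroute_rule_enabled and proto == "udp" and 33434 <= pkt["dport"] <= 33523:
        return "ACCEPT"
    # -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # (the 5/second limit is not modelled here)
    if proto == "icmp" and pkt.get("icmp_type") == ECHO_REQUEST:
        return "ACCEPT"
    # -p icmp -j LOG is non-terminating, so it falls through to the final DROP.
    # -j DROP
    return "DROP"


# Constructed sample probes. Classic Unix traceroute sends UDP to ports
# 33434 and up; Windows tracert sends ICMP echo requests; a DNS reply comes
# back to the client's high source port as an ESTABLISHED flow.
UDP_TRACEROUTE_PROBE = {"proto": "udp", "state": "NEW", "dport": 33435}
ICMP_TRACEROUTE_PROBE = {"proto": "icmp", "state": "NEW", "icmp_type": ECHO_REQUEST}
DNS_REPLY = {"proto": "udp", "state": "ESTABLISHED", "dport": 40123}
UNSOLICITED_WEB = {"proto": "tcp", "state": "NEW", "dport": 80}

if __name__ == "__main__":
    for name, probe in [("udp traceroute", UDP_TRACEROUTE_PROBE),
                        ("icmp tracert", ICMP_TRACEROUTE_PROBE),
                        ("dns reply", DNS_REPLY),
                        ("unsolicited web", UNSOLICITED_WEB)]:
        print(f"{name:16s} -> {rh_lokkit_input(probe)}")
```

With the UDP rule commented out, ICMP-based probes still pass the echo-request rule while UDP probes reach the final DROP, and the ESTABLISHED rules already cover DNS and web replies without opening extra high ports.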