It might be as simple as adding “ACCEPT” to the end:
iptables -A INPUT -p tcp -j ACCEPT
A somewhat more effective set of rules would be:
iptables -A INPUT -i lo -j ACCEPT                                    # loopback traffic
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT                  # all ICMP (ping, errors)
iptables -A INPUT -p 50 -j ACCEPT                                    # IPsec ESP
iptables -A INPUT -p 51 -j ACCEPT                                    # IPsec AH
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     # replies to connections we started
iptables -A INPUT -m state --state NEW -s 192.168.1.0/24 -j ACCEPT   # new connections only from the LAN
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited       # everything else
The effect of these rules would be to allow any connections/packets originating from within the LAN subnet 192.168.1.0/255.255.255.0 (or in layman's language, 192.168.1.0-255) and to reject most other connections/packets. For a packet to make it into your system, it has to answer “yes” to one of the first six rules.
The first four rules are some basic housekeeping rules. The next rule (ESTABLISHED,RELATED) allows any communications previously established to continue. The following rule (NEW) dictates the terms on which a new communication would be accepted: that it originates from your subnet (192.168.1.0/24 in this example, but substitute your own subnet, which is probably 172.23.34.0/24).
The last rule terminates any connections/packets that were not accepted by the previous rules.
You may need other rules for specific servers if you are running any servers (apache, sendmail, vsftpd, etc.).
Last edited by WhatsHisName; 10-25-2005 at 06:34 AM.
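The chain above is walked top to bottom and the first matching rule decides the packet's fate, which is why the ESTABLISHED,RELATED rule must sit before the NEW rule and the REJECT must come last. The following is an added example, not part of the original post: a small Python model of that first-match evaluation, run over a few constructed sample packets (interface names, addresses and the default INPUT policy of ACCEPT are assumptions).

```python
"""Model first-match evaluation of the INPUT chain from the post (added example)."""
import ipaddress

# (interface, protocol, conntrack states, source CIDR, target); None = wildcard
INPUT_CHAIN = [
    ("lo",  None,   None,                       None,             "ACCEPT"),
    (None,  "icmp", None,                       None,             "ACCEPT"),
    (None,  "50",   None,                       None,             "ACCEPT"),  # IPsec ESP
    (None,  "51",   None,                       None,             "ACCEPT"),  # IPsec AH
    (None,  None,   {"ESTABLISHED", "RELATED"}, None,             "ACCEPT"),
    (None,  None,   {"NEW"},                    "192.168.1.0/24", "ACCEPT"),
    (None,  None,   None,                       None,             "REJECT"),  # icmp-host-prohibited
]

def matches(rule, pkt):
    """True if every non-wildcard field of the rule matches the packet."""
    iface, proto, states, cidr, _ = rule
    if iface is not None and pkt["iface"] != iface:
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if states is not None and pkt["state"] not in states:
        return False
    if cidr is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(cidr):
        return False
    return True

def verdict(pkt, chain=INPUT_CHAIN):
    """Return (target, rule index) of the first matching rule, or the chain policy."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule[4], i
    return "ACCEPT", None  # assumed default INPUT policy when nothing matches

# Constructed sample packets (addresses and interface names are made up)
SAMPLES = {
    "lan_new_ssh": {"iface": "eth0", "proto": "tcp",  "state": "NEW",         "src": "192.168.1.20"},
    "wan_new_ssh": {"iface": "eth0", "proto": "tcp",  "state": "NEW",         "src": "203.0.113.7"},
    "wan_reply":   {"iface": "eth0", "proto": "tcp",  "state": "ESTABLISHED", "src": "203.0.113.7"},
    "wan_ping":    {"iface": "eth0", "proto": "icmp", "state": "NEW",         "src": "203.0.113.7"},
    "loopback":    {"iface": "lo",   "proto": "udp",  "state": "NEW",         "src": "127.0.0.1"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {verdict(pkt)}")
```

Dropping the ESTABLISHED,RELATED rule from the model shows the failure mode: replies to connections the host itself opened fall through to the final REJECT.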