I wrote the following script for my webserver. When I run it however I loose the ability to access any ports or even ping from the local host. I thought that the line i worte with 127.0.0.1 would take care of that. I also though the last two lines would basically force the server to close all OTHER ports. Not the ones listed here. Do I have some syntax wrong here I'm missing?

#!/bin/sh
#Script for configuring 'Firewall' Rules
#Written by Chris Jones <gnd.zer0@gmail.com>

#Basic Rules?

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#SSH
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT

#HTLM Own Cloud
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
#Probably a Good idea to take requests from my self
iptables -A INPUT -d 10.0.0.xx -s 127.0.0.1 -j ACCEPT

#Lock It down
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Put
at the beginning and remove the last two lines.
There are, anyway, different conceptual errors, but, sorry, now I've few time.

Firstly may I ask, what is the point/purpose of redacting your local IP addresses and ports? It does nothing to help you in the "security by obscurity" school of thought, and really makes helping you a crystal ball job.

To enable traffic on the loopback interface, you would need to use a rule such as
Which will accept anything and everything on the loopback interface. This is usually standard practice.

Since you are running a webserver you are most likely going to want to allow access to either the entire internet, or an entire lan. Matching by destination IP is a bit pointless, since the packets have got to the host, chances are they have the hosts IP as the packets destination IP. Normally one would use a rule such as
This would allow anything coming from the 10.0.0.0/24 subnet, and drop everything else. In the case of a public webserver, you would omit the -s match.

I try to think of iptables rules by breaking them down. Looking at the specific characteristics of the connections I want to allow
Lets take your ssh rule as an example.
iptables -A INPUT (append a rule to the end of the filter table, INPUT chain)
-d 10.0.0.xx (match packets with a destination IP 10.0.0.xx AND)
-p tcp --dport xxx (protocol: tcp, destination port xxx)
-j ACCEPT (this ones pretty obvious)

It is also worthwhile to enable logging, this is helpful for diagnosing problems.
Also using "watch" in conjunction with "iptables -nvL $chain" while generating a bunch of traffic using hping or nc and watching the byte/packet counters.

I really do recommend this link for a good description of how iptables works, with flowcharts and tables explaining the tables, and chains etc..
http://www.linuxhomenetworking.com/w...Using_iptables

I appreciate your time gentlemen. I'm headed to that site as soon as I hit my lunch break today fukawi. I'll try that code out later today Slackyman.

Fukawi1,
In particular which part of this script is causing all traffic to be blocked? From your response and the site you posted I gather that although its not necessary

iptables -A INPUT -d 10.0.0.26 -p tcp --dport80 -j ACCEPT

should let any traffic from any ip using port 80 go right on through to the host. Are you saying that if I put in the IP on a machine the packet has already arrived at it wont work? If it will work I am still having issues with not being able to reach this server from within the network.

To allow web traffic:To let the machine give response to the ping:
A request can be accepted in input but you have even to accept a response in output.

Slacky,

Will test at home. I did play around with the iptables on a test machine here at work and was successful in allowing / blocking ssh with no issue with the code i started with. I found the issues.

1. The ip address on the individual filters was wrong
2. The i needed a space between dport and the port.