LinuxQuestions.org
Old 03-20-2007, 09:12 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
Strange Routing/Firewall Issue


I have a VOIP PBX in a DMZ behind my firewall at home and I have been playing around with IPTABLES. I wanted certain ports like 80, 443, 5060-5065, and others to be open so that I can browse the net, have my VOIP phones work with my PBX, etc. Here is the strange part. From the CLI I can ping a domain via IP or name, download updates and install them via YUM, and everything works fine from the CLI. The minute I open up a web browser I cannot get to any website. I can see it making an attempt but I cannot get to any webpage for browsing! I can even dig umuc.edu or any other domain and get feedback! What could it be, and can someone give me a sample iptables rule set for a SOHO DMZ setup?

Last edited by metallica1973; 03-20-2007 at 09:18 PM.
 
Old 03-21-2007, 04:38 AM   #2
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
how about port 53 for domain name server checks

not sure how you are using the net to post, heh heh

www.linuxhomenetworking.com

Last edited by aus9; 03-21-2007 at 04:43 AM.
 
Old 03-21-2007, 09:21 AM   #3
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Yes, it could be a DNS issue. Can you point your browser at a site by IP address (i.e., resolve the name manually outside of the browser)?
I've run tcpdump on port 53 (UDP, but you can leave that unspecified) to see DNS requests and replies. (The issue I had to debug was that my router sometimes didn't pass the replies back in.)
 
Old 03-22-2007, 02:12 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I cannot get to a website via http. I do not understand how I can ping a website by name, e.g. linuxquestions.org or google.com, via the CLI and get a reply, and when I go to the browser, nothing. If DNS was the issue then how am I able to get a reply via the CLI by name:

[example@test ~]$ ping google.com
PING google.com (64.233.167.99) 56(84) bytes of data.
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=1 ttl=235 time=44.8 ms
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=2 ttl=235 time=45.2 ms
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=3 ttl=235 time=45.3 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 44.844/45.156/45.356/0.283 ms

I am having trouble believing that it is DNS!
 
Old 03-23-2007, 08:12 AM   #5
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Sounds like ping can resolve names no problem. To confirm that DNS is not the issue with the browser, you could paste http://64.233.167.99/ into the browser.

Quote:
I wanted certain ports like 80, 443, 5060-5065, and others to be open so that I can browse the net, have my VOIP phones work with my PBX, etc.
In the usual lingo, you only need ports 80 and 443 open (i.e., accepting connections from the internet) if you run a web server. They don't need to be "open" to browse the net. The typical iptables setup accepts any connection initiated from inside, and the reply packets from the website are allowed in because they're related to the connection established by your browser. That's not to say that other configurations aren't possible -- some companies limit what outgoing connections their employees may establish.
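Added example, not part of any post in this thread: a minimal stateful rule set in iptables-restore format for the setup reply #5 describes, with a small audit function that lists what is actually reachable from the internet. The interface names, the PBX address and the use of NAT are assumptions; the SIP port range 5060-5065 is the one named in the original post.

```shell
#!/bin/sh
# Assumed values (constructed for this example, not from the thread).
WAN_IF=${WAN_IF:-eth0}            # interface facing the internet
DMZ_IF=${DMZ_IF:-eth1}            # interface facing the DMZ
PBX_IP=${PBX_IP:-192.168.50.10}   # VoIP PBX address inside the DMZ

# Emit the rule set in iptables-restore format; nothing is applied here.
soho_dmz_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound SIP signalling is redirected to the PBX
-A PREROUTING -i $WAN_IF -p udp --dport 5060:5065 -j DNAT --to-destination $PBX_IP
# Outbound traffic leaves with the firewall's public address
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies to tracked connections: this is what lets web pages back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Connections initiated from the DMZ (browser, yum, DNS lookups)
-A FORWARD -i $DMZ_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# The only service opened to the internet: SIP to the PBX
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $PBX_IP -p udp --dport 5060:5065 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Audit: list proto/port pairs that accept NEW connections from the WAN side.
wan_open_ports() {
    soho_dmz_rules | awk -v wan="$WAN_IF" '
        $1 == "-A" && $2 == "FORWARD" && /--ctstate NEW/ {
            inif = ""; proto = "any"; port = "any"
            for (i = 3; i < NF; i++) {
                if ($i == "-i")      inif  = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            if (inif == wan) print proto "/" port
        }'
}

# Print the audit result only when asked, so sourcing the file has no effect.
if [ "${1:-}" = "audit" ]; then wan_open_ports; fi
```

Ports 80 and 443 never appear in the audit output, yet browsing from the DMZ works because the reply packets match the ESTABLISHED,RELATED rule. Piping `soho_dmz_rules` into `iptables-restore --test` as root parses the rules without committing them.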
 
Old 03-26-2007, 09:37 PM   #6
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Ironically my main firewall went down and I ended up replacing the machine and rebuilding my firewall and all is fine. I used the same firewall script that was on the other firewall and made some adjustments and it works fine. I must have had something on the VOIP server that wasn't routing correctly. Many thanks!
 
  

