LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-08-2007, 08:04 PM   #1
ComputerHermit_
LQ Newbie
 
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23

Rep: Reputation: 15
iptables rules


I just wanted some help. I'm sorry if I came off wrong.

Last edited by ComputerHermit_; 04-09-2007 at 04:13 PM.
 
Old 04-09-2007, 01:10 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
If this is just for a personal desktop... then try the following script:
Code:
#!/bin/sh
# mdh firewall
# jon (maddog) hall

# Load appropriate modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Remove Existing Rules
iptables --flush
iptables -t nat --flush
#iptables --delete-chain
#iptables --zero

# Definitions
MYNET=192.168.1.0/24
LANFACE=eth0
WEBFACE=eth0

### Rules ###

# Set up default drop policy for all chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow initiated traffic in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH Connections (Comment to disallow)
# -p selects the protocol (-t names a table), and --dport needs two dashes
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow LAN traffic (but only from LAN)
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT

# Allow all traffic out
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This gives you a default "drop" policy so all ports are switched off by default. The rest makes sure nothing can get in unless you ask it to.

The above assumes you have a LAN giving broadband access via NAT Router/xDSL Modem. If you have dialup, then WEBFACE=ppp0 and the LAN entries can be deleted.

Last edited by Simon Bridge; 04-09-2007 at 01:20 AM.
 
Old 04-09-2007, 01:29 AM   #3
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
I think frostwire listens on port 6346 by default. If you want frostwire to accept packets on that port without you having to send anything out first, then you will want another input rule (put it after the ssh rule).

# Allow Frostwire to receive uninitiated packets
iptables -A INPUT -p tcp -i $WEBFACE --dport 6346 -j ACCEPT

... something like that.
However, you will likely find that the above firewall will meet your needs as is.

Last edited by Simon Bridge; 04-09-2007 at 01:30 AM.
 
Old 04-09-2007, 06:42 AM   #4
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by Simon Bridge
# Allow all traffic out
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j
You might need to load the state module as well since a rule is written for it.

Code:
modprobe ipt_state
 
Old 04-09-2007, 01:27 PM   #5
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Quote:
Originally Posted by ComputerHermit_
I set these rules
Code:
iptables -A INPUT -p tcp --dport 0:1023 -j REJECT
[...]
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
You'd need the second rule (accept incoming packets on port 80) if you were running a web server. (Are you?) But it wouldn't get that far, because the first one would already have matched and rejected the packet. Same applies doubly for the last rule.

You could re-order to put the more specific rule first.
 
Old 04-09-2007, 02:34 PM   #6
ComputerHermit_
LQ Newbie
 
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Quigi
You'd need the second rule (accept incoming packets on port 80) if you were running a web server. (Are you?) But it wouldn't get that far, because the first one would already have matched and rejected the packet. Same applies doubly for the last rule.

You could re-order to put the more specific rule first.
Quigi
Thanks, can you give me an example? Thanks.

I'm not running a web server, no, and I'm on wireless,
and

Simon Bridge, I don't know what your script is all about. I've got to look into it. I saved it, thank you.


I just want to download music. I don't want to shut off my firewall, so I spent a few days learning iptables, which is the best thing I have ever done, and Guarddog will not let me access Frostwire even if I open the port locally and on the internet. I don't know what is going on there.


Oops, look, all fixed:

http://www.linuxquestions.org/questi...d.php?t=365817

Last edited by ComputerHermit_; 04-09-2007 at 03:33 PM.
 
Old 04-09-2007, 07:58 PM   #7
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Quote:
Originally Posted by ComputerHermit_
Quigi
thanks can you give me an example thanks
The example was from your configuration, which you since deleted.

As you're not running a web server, don't accept packets coming in to your box on port 80, i.e., just delete the two relevant rules. If you had a web server, you'd need to put the more specific rule further up, so it would get considered first:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 0:1023 -j REJECT
I don't understand why you'd add an even more specific rule for interface eth0, with the same target.
 
Old 04-09-2007, 08:03 PM   #8
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
That is a very complete firewall there. You are best to keep it simple - you won't want most of the stuff in that. For the future, I'll explain the one I posted.

# mdh firewall
# jon (maddog) hall
... this was suggested to me by maddog. I guess it is GPL.

# Load appropriate modules
... probably not needed these days - makes sure the firewall works.

# Remove Existing Rules
... start with a clean slate so there are no rogue rules floating around we don't know about.

# Definitions
... this is so that you can change your machine and just edit a few lines. It is also good practise to put easy-to-understand labels on things so the rules will read more clearly.

### Rules ###

# Set up default drop policy for all chains
... with everything set to drop by default, all the ports are closed. However, it means we have to specifically open ports we want to use.

# Allow unlimited traffic on the loopback interface
... The loopback interface (127.0.0.0) is needed for the different parts of the computer to talk to each other. Without this, the computer won't work.

# Allow initiated traffic in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
... this is a stateful filter - it means that if we have asked for it already, we can get it. This way, ports get opened as we need them.

# Allow SSH Connections (Comment to disallow)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
... This allows secure shell connections. You won't need this.

# Allow LAN traffic (but only from LAN)
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT
... My computer is on a 4-port switch (+router+dsl modem). Here, all hosts on the LAN are trusted. OK for a home LAN. If you don't have a LAN, you won't need this.

# Allow all traffic out
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
... since we can only receive what we ask for, this step lets us ask for anything. Since I trust myself, I let myself ask for whatever I like.

Now look how simple this is.

State filtering is very effective and more flexible than the simple on/off thing you were doing. So far the only thing to get through this firewall was Skype doing a file transfer (which found and used an "established" internet connection). If I hadn't opened that port, even Skype wouldn't have got through.
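The two points made in this thread, first-match rule ordering (Quigi's reordering of the ACCEPT 80 and REJECT 0:1023 rules) and the stateful RELATED,ESTABLISHED rule in Simon Bridge's script, can be checked offline with a small simulator. The following is an added example, not code from the thread or from either poster: it models only the match options the thread's rules use (-p, --dport with ranges, -i, -s, -m state --state) and evaluates constructed sample packets against the original poster's ordering, the reordered chain and the stateful INPUT chain. The Rule and Packet classes, the interface names and the addresses are assumptions made for the example, and the packet's "state" field stands in for what conntrack would report.

```python
"""Added example (not from the LinuxQuestions thread): a first-match
simulator for an iptables INPUT chain covering the matches the thread uses.
All packets below are constructed sample values, not captured traffic."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or REJECT
    proto: Optional[str] = None              # -p tcp / -p udp
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi (inclusive)
    iface: Optional[str] = None              # -i eth0
    src: Optional[str] = None                # -s 192.168.1.0/24
    states: Optional[frozenset] = None       # -m state --state A,B


@dataclass
class Packet:
    proto: str
    dport: int
    iface: str
    src: str
    state: str  # NEW, ESTABLISHED, RELATED or INVALID (conntrack's view)


def parse_dport(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '0:1023' -> (0, 1023), like --dport."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match option present on the rule must agree with the packet."""
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def verdict(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Rules are tried top to bottom; the first match decides. If nothing
    matches, the chain policy applies. Returns (target, index or None)."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, i
    return policy, None


def shadowed_rules(chain: List[Rule], probes: List[Packet]) -> List[int]:
    """Indexes of rules no probe packet ever reaches because an earlier rule
    always matches first. A rule that is dead for every packet you care
    about is almost always an ordering mistake."""
    hit = set()
    for p in probes:
        _, idx = verdict(chain, "DROP", p)
        if idx is not None:
            hit.add(idx)
    return [i for i in range(len(chain)) if i not in hit]


# The original poster's ordering: the range REJECT comes first.
OP_CHAIN = [
    Rule("REJECT", proto="tcp", dport=parse_dport("0:1023")),
    Rule("ACCEPT", proto="tcp", dport=parse_dport("80")),
    Rule("ACCEPT", proto="tcp", dport=parse_dport("80"), iface="eth0"),
]
# Quigi's reordering: the specific ACCEPT is considered first.
REORDERED_CHAIN = [OP_CHAIN[1], OP_CHAIN[0]]

# Simon Bridge's stateful INPUT chain (same rules, policy DROP).
STATEFUL_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", dport=parse_dport("22")),
    Rule("ACCEPT", iface="eth0", src="192.168.1.0/24"),
]

# Constructed sample packets (addresses are documentation ranges).
WEB_HIT = Packet("tcp", 80, "eth0", "203.0.113.5", "NEW")
REPLY = Packet("tcp", 40000, "eth0", "198.51.100.7", "ESTABLISHED")
UNSOLICITED = Packet("tcp", 6346, "eth0", "198.51.100.7", "NEW")
LAN_PKT = Packet("udp", 137, "eth0", "192.168.1.20", "NEW")

if __name__ == "__main__":
    print("OP chain, port 80:      ", verdict(OP_CHAIN, "ACCEPT", WEB_HIT))
    print("reordered, port 80:     ", verdict(REORDERED_CHAIN, "ACCEPT", WEB_HIT))
    print("dead rules in OP chain: ", shadowed_rules(OP_CHAIN, [WEB_HIT]))
    for name, pkt in [("reply", REPLY), ("unsolicited", UNSOLICITED), ("lan", LAN_PKT)]:
        print(f"stateful, {name}:", verdict(STATEFUL_CHAIN, "DROP", pkt))
```

Run as a script it prints each verdict with the index of the rule that decided it. `shadowed_rules` is the check worth keeping: it lists rules that no probe packet reaches, which is exactly how the two ACCEPT 80 rules sitting behind the 0:1023 REJECT show up as dead, while the stateful chain lets the established reply in and leaves the unsolicited port 6346 packet to the DROP policy.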
 
Old 04-10-2007, 03:12 PM   #9
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Quote:
Originally Posted by Simon Bridge
# Set up default drop policy for all chains
# Allow all traffic out
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
How is this different from ACCEPT policy for chain OUTPUT? You drop outgoing packets with state INVALID. But can such packets actually occur?

/Quigi
 
Old 04-11-2007, 06:50 AM   #10
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
It is functionally identical of course.

The only difference is what you do when you decide you want less permissive output filtering (i.e. any filtering at all).

The point of writing the script this way is to allow ease in customizing to different situations. It also teaches good habits, and makes the security plan follow a clear logical progression.

General rule: always set policy = drop for everything. Even if you go and just accept everything later: it means you have to explicitly and deliberately accept.

Similarly, I could have saved typing by using the actual device names instead of variable names. I didn't because this way allows me to write a clearer script which is more easily configurable.
 
All times are GMT -5. The time now is 04:19 PM.