LinuxQuestions.org

Linux - Security: security policy iptables (https://www.linuxquestions.org/questions/linux-security-4/security-policy-iptables-382407/)

Ammad 11-12-2005 07:47 AM

security policy iptables
 
I am running Linux FC4 for internet sharing. I want to block all peer-to-peer software, but want to allow all HTTP, FTP and webcam traffic,
so I am running Squid and NAT using iptables.
The query is that when I set the FORWARD default policy to DROP, users (clients) are unable to connect to Yahoo Messenger, but are able to connect to MSN.
That is, it blocks all kinds of software,
so I am getting complaints.
When I set the default policy of the FORWARD chain to ACCEPT, there is no problem.

My rules related to Yahoo are:

# default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# traffic to the firewall host itself
# note: this first rule also accepts NEW TCP connections on every port, so the
# three port-specific INPUT rules after it never get a chance to match
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 5000:50001 -j ACCEPT   # TCP 5000 through 50001 (range as posted)
iptables -A INPUT -p udp --dport 5000:50010 -j ACCEPT   # UDP 5000 through 50010 (range as posted)
iptables -A INPUT -p tcp --dport 5050 -j ACCEPT         # Yahoo Messenger login port

# traffic forwarded for the LAN clients (no ESTABLISHED,RELATED rule here,
# so only these destination ports pass the DROP policy)
iptables -A FORWARD -p tcp --dport 5000:50001 -j ACCEPT
iptables -A FORWARD -p udp --dport 5000:50010 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5050 -j ACCEPT

any suggestion ?


Thanks for help in advance.

Nathanael 11-12-2005 09:36 AM

yes:
1. you need not allow the ports into the INPUT chain, unless you want to use yahoo from the firewall itself, which i do not recommend.

2. it should be enough to allow ESTABLISHED,RELATED in the FORWARD chain, and allow the internal interface.
example: eth0 = external connection, eth1 = internal connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
this will allow everything outgoing.
then you start closing things, and test, while you create new rules, so that you know which rules are causing trouble.
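The approach in the reply above, written out as a complete iptables-restore ruleset: FORWARD defaults to DROP, replies are accepted first, everything the internal interface originates is accepted, NAT is done on the external interface, and anything that still hits the DROP policy is logged so the rule causing trouble can be identified while you close things down one at a time. This is an added example, not code from the thread; the interface names (eth0/eth1), the LAN subnet, the Squid port 3128 and the log prefix are assumptions to be adjusted for the real host.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an iptables-restore ruleset that
# follows the advice in the reply: FORWARD policy DROP, accept ESTABLISHED,RELATED,
# accept the internal interface, NAT on the external interface, log the rest.
# Interface names, LAN subnet and Squid port are assumptions.
# Usage: sh fw.sh eth0 eth1 192.168.1.0/24 | sudo iptables-restore  (review first)

build_ruleset() {
    ext_if="${1:-eth0}"              # assumed external (internet) interface
    int_if="${2:-eth1}"              # assumed internal (LAN) interface
    lan_net="${3:-192.168.1.0/24}"   # assumed LAN subnet

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source NAT for LAN clients leaving via the external interface
-A POSTROUTING -s ${lan_net} -o ${ext_if} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall host itself: loopback and replies to connections it started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Squid runs on the firewall, so LAN clients must reach it (port 3128 assumed)
-A INPUT -i ${int_if} -p tcp --dport 3128 -m state --state NEW -j ACCEPT
# Forwarding: replies first, then everything the LAN originates (step 2 of the reply)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${int_if} -o ${ext_if} -j ACCEPT
# Whatever falls through to the DROP policy is logged (rate limited), so that
# when you start closing things you can see exactly what is being blocked
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# "then you start closing things": emits one command that blocks a TCP port
# range for LAN clients. Position 2 places it after the ESTABLISHED,RELATED
# rule and before the blanket "-i int_if" ACCEPT, so it only affects new
# connections and can be removed again with "iptables -D FORWARD 2" if it
# turns out to be the rule causing complaints.
block_lan_tcp_ports() {
    int_if="$1"
    ports="$2"
    printf 'iptables -I FORWARD 2 -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$int_if" "$ports"
}

build_ruleset "$@"
```

Run it, inspect the output, then pipe it into iptables-restore; after that, add the restrictive rules one at a time with the command block_lan_tcp_ports prints and watch the kernel log for the "FWD-DROP:" prefix to see what each new rule is actually stopping.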

Ammad 11-14-2005 06:15 AM

Thanks for the help, I'll check this.
Take care.
Bye.

