Thanks for the directions... still got nothing. Also I can't FTP out. It'll auth, but can't push a file. Can't VNC over 5900 either. If I change the IP address (all are static) to within a certain range, at least internet works.
Here's iptables:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:8009
DROP tcp -- anywhere anywhere tcp dpt:http-alt
DROP tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:squid state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:auth state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
LOG udp -- anywhere anywhere udp dpt:ntalk LOG level warning
DROP udp -- anywhere anywhere udp dpt:ntalk
LOG udp -- anywhere anywhere udp dpt:talk LOG level warning
DROP udp -- anywhere anywhere udp dpt:talk
LOG udp -- anywhere anywhere udp dpt:syslog LOG level warning
DROP udp -- anywhere anywhere udp dpt:syslog
LOG udp -- anywhere anywhere udp dpt:xdmcp LOG level warning
DROP udp -- anywhere anywhere udp dpt:xdmcp
LOG tcp -- anywhere anywhere state INVALID,NEW LOG level warning
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:455
DROP tcp -- anywhere anywhere tcp dpt:netbios-ns
DROP tcp -- anywhere anywhere tcp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:socks
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP tcp -- anywhere anywhere state NEW tcp dpt:22 recent: UPDATE seconds: 15 name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:22 recent: SET name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
DROP tcp -- anywhere anywhere tcp dpt:pop3 state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:pop3s state INVALID
DROP tcp -- anywhere anywhere tcp dpt:pop3s state NEW,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:1026
DROP tcp -- anywhere anywhere tcp dpt:mysql
DROP tcp -- anywhere anywhere tcp dpt:ms-sql-s
DROP tcp -- anywhere anywhere tcp dpt:ircd
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere print-server tcp dpt:5900
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp spt:netbios-ns LOG level warning
DROP tcp -- anywhere anywhere tcp spt:netbios-ns
LOG tcp -- anywhere anywhere tcp spt:netbios-dgm LOG level warning
DROP tcp -- anywhere anywhere tcp spt:netbios-dgm
LOG tcp -- anywhere anywhere tcp spt:netbios-ssn LOG level warning
DROP tcp -- anywhere anywhere tcp spt:netbios-ssn
Here's squid:
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl home_network src 192.168.10.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow home_network
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow home_network
icp_access allow home_network
miss_access allow home_network
reply_body_max_size 0 allow home_network
visible_hostname zgarch_serv
snmp_access deny !home_network
coredump_dir /var/spool/squid
Here's route from a working box:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e a6 1b ff e7 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.10 192.168.10.18 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.18 192.168.10.18 20
192.168.10.18 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.18 192.168.10.18 20
224.0.0.0 240.0.0.0 192.168.10.18 192.168.10.18 20
255.255.255.255 255.255.255.255 192.168.10.18 192.168.10.18 1
Default Gateway: 192.168.10.10
===========================================================================
Persistent Routes:
None
And a non-working box:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 f0 7a cf e9 ...... Kingston EtherRx KNE111TX PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.10 192.168.10.19 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.19 192.168.10.19 20
192.168.10.19 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.19 192.168.10.19 20
224.0.0.0 240.0.0.0 192.168.10.19 192.168.10.19 20
255.255.255.255 255.255.255.255 192.168.10.19 192.168.10.19 1
Default Gateway: 192.168.10.10
===========================================================================
Persistent Routes:
None
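As an added illustration (not part of the original post, and not anyone's real tooling), the Python script below replays the INPUT chain listed above the way the kernel evaluates it: first matching rule wins, LOG is non-terminating and falls through, and the chain policy applies when nothing matches. Run against tcp/5900 in state NEW it shows that a VNC connection addressed to the firewall host itself lands on the policy DROP, because the only 5900 rule in the listing is in FORWARD (to print-server), not INPUT. Run against an unprivileged port in state NEW versus RELATED it shows why a passive-mode FTP data connection only gets through when the ftp connection-tracking helper tags it RELATED; without the helper it is just a NEW connection to a high port and falls to the policy. Assumptions, labelled in the code: the two bare "ACCEPT all" lines are loopback rules whose `-i lo` match `iptables -L` hides without `-v`, so they are omitted; the service-name table is a fixed copy of the usual /etc/services values; the `recent` window is modelled as a boolean; ICMP types are not modelled. The embedded chain is a subset of the posted rules, not a changed one.

```python
"""Replay an `iptables -L` INPUT listing as a first-match evaluator (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Service names that `iptables -L` prints instead of port numbers. Values follow the
# usual /etc/services entries so the script resolves them without touching the host.
SERVICES = {
    "http": 80, "http-alt": 8080, "webcache": 8080, "squid": 3128, "domain": 53,
    "bootpc": 68, "bootps": 67, "auth": 113, "ftp": 21, "ftp-data": 20, "smtp": 25,
    "pop3": 110, "pop3s": 995, "talk": 517, "ntalk": 518, "syslog": 514,
    "xdmcp": 177, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "socks": 1080, "microsoft-ds": 445, "mysql": 3306, "ms-sql-s": 1433, "ircd": 6667,
}

# Subset of the INPUT chain from the post, in the posted order. The two bare
# "ACCEPT all" lines are left out on the ASSUMPTION that they are `-i lo` rules:
# `iptables -L` without -v does not print interface matches, so they cannot be
# evaluated from the listing (use `iptables -L -v -n` or `iptables-save` to see them).
INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:8009
DROP tcp -- anywhere anywhere tcp dpt:http-alt
DROP tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:squid state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
LOG udp -- anywhere anywhere udp dpt:syslog LOG level warning
DROP udp -- anywhere anywhere udp dpt:syslog
LOG tcp -- anywhere anywhere state INVALID,NEW LOG level warning
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP tcp -- anywhere anywhere state NEW tcp dpt:22 recent: UPDATE seconds: 15 name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:22 recent: SET name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
DROP tcp -- anywhere anywhere tcp dpt:pop3 state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:pop3s state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:mysql
"""


@dataclass
class Rule:
    target: str
    prot: str
    dport: Optional[int] = None
    states: Set[str] = field(default_factory=set)
    # `recent: UPDATE` only matches a source already seen inside the window;
    # modelled here as a caller-supplied boolean rather than a real timer.
    recent_update: bool = False


def port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICES[token]


def parse_rule(line: str) -> Rule:
    target, prot, _opt, _src, _dst, *rest = line.split()
    extra = " ".join(rest)
    rule = Rule(target, prot)
    m = re.search(r"dpt:(\S+)", extra)
    if m:
        rule.dport = port(m.group(1))
    m = re.search(r"state (\S+)", extra)
    if m:
        rule.states = set(m.group(1).split(","))
    rule.recent_update = "recent: UPDATE" in extra
    return rule


def parse_chain(text: str) -> Tuple[str, List[Rule]]:
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\S+)\)", lines[0]).group(1)
    return policy, [parse_rule(line) for line in lines[2:]]  # skip the column header


def verdict(text: str, proto: str, dport: int, state: str, recently_seen: bool = False) -> str:
    """Return the terminating target for one packet, or the chain policy."""
    policy, rules = parse_chain(text)
    for r in rules:
        if r.prot not in ("all", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.states and state not in r.states:
            continue
        if r.recent_update and not recently_seen:
            continue
        if r.target == "LOG":      # LOG writes to the kernel log and falls through
            continue
        return r.target
    return policy


if __name__ == "__main__":
    for proto, dport, state in [("tcp", 5900, "NEW"), ("tcp", 21, "NEW"),
                                ("tcp", 50000, "NEW"), ("tcp", 50000, "RELATED")]:
        print(f"{proto}/{dport} {state:<8} -> {verdict(INPUT_CHAIN, proto, dport, state)}")
```

The `LOG tcp ... state INVALID,NEW` rule sits before the policy, so every NEW TCP attempt that ends up dropped (the 5900 connection, or a passive FTP data connection with no helper loaded) is written to the kernel log at level warning; checking that log is the quickest way to confirm which rule is actually eating the traffic, and `iptables -L -v -n` adds the per-rule packet counters and the interface matches the plain listing hides.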