LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-12-2004, 03:55 AM   #1
rootking
Member
 
Registered: Sep 2002
Distribution: FreeBSD
Posts: 70

Rep: Reputation: 15
IPTables Scripts Won't Allow Firewall Internet Access


Here's a script I'm using to create some tables which will only allow traffic in on the ports where I'm running services. One of the problems I'm having is that I can't ping the Internet with a DNS name from this machine. I've allowed everything in the OUTPUT table and can ping the Internet when using a straight IP, but when I type in "ping google.com" the machine hangs for a few seconds and gives me a server request error. I know it's something with my rules because when I flush them all I can ping google.com just fine. Any ideas would be greatly appreciated. I'm guessing it's something trivial but can't put my finger on it yet.

thanks

#!/bin/bash
########## Beginning ###########################################################

# Define Interfaces/Networks

# Inside/Intranet Interface
INSIDEIP="192.168.7.55"
INSIDEINT="eth0"

# External/Internet Interface (not in use yet)
# OUTSIDEIP=
# OUTSIDEINT=

# LAN Network
LAN="192.168.7.0/24"

# Admin Host
ADMIN="192.168.7.51"

# Define other Variables

RULE="/usr/sbin/iptables"

# Flushing All rules/chains, then setting the default policy of each chain to DROP
$RULE -F INPUT
$RULE -F OUTPUT
$RULE -F FORWARD
$RULE -P INPUT DROP
$RULE -P OUTPUT DROP
$RULE -P FORWARD DROP

# Log every packet entering each chain before the rules below are evaluated
$RULE -A INPUT -j LOG
$RULE -A OUTPUT -j LOG
$RULE -A FORWARD -j LOG

# Adding Permittable Network/Hosts/Ports to Input Table on Internal Interface

# Allowing ICMP, FTP, SSH, DNS, HTTP, Samba, SWAT and Webmin to Server
# (SSH, SWAT and Webmin only from the Admin host)

$RULE -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 21 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 22 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 53 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 80 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 137 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 138 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 139 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 445 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 901 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 10000 -d $INSIDEIP -j ACCEPT

# Denying Everything else on the Local Network (handled by the INPUT DROP policy above)

# Adding entry to allow everything originating from this host out
$RULE -A OUTPUT -j ACCEPT

########## END ################################################################
 
Old 09-12-2004, 06:43 AM   #2
bijay
LQ Newbie
 
Registered: Jan 2003
Location: Nepal
Distribution: Redhat
Posts: 11

Rep: Reputation: 0
Hello,

Please add the following rule to your existing script.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 09-12-2004, 01:34 PM   #3
rootking
Member
 
Registered: Sep 2002
Distribution: FreeBSD
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by bijay
Hello,

Please add the following rule to your existing script.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Yep, that did it, thanks a lot.
 
Old 09-12-2004, 03:50 PM   #4
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
If you're still having problems you may want to allow UDP 53.

iptables -A INPUT -p udp --sport 53 -j ACCEPT   # matches any inbound UDP packet whose source port is 53, solicited or not

would do the trick. This should allow DNS traffic over the UDP protocol. I read somewhere that UDP 53 is more for queries, and TCP 53 is more for zone transfers, but I may be mistaken.
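As an added example (not code from any of the posters), here is a small Python model of the INPUT chain above with a toy connection table: it shows the reply to the OP's DNS query being dropped under the original rules, accepted once bijay's ESTABLISHED,RELATED rule is present, and how scottman's `--sport 53` rule also admits unsolicited packets that merely claim source port 53. The hosts and ports are constructed values, and the RELATED state is not modelled.

```python
"""Toy model of the INPUT chain from this thread (added example, not the poster's script).

Shows why 'ping google.com' failed: the DNS reply is inbound, the INPUT policy is DROP,
and no rule matched it until the conntrack rule was added. Hosts/ports are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def track(flows, outbound):
    """Record an outbound packet's 5-tuple, as conntrack does for OUTPUT traffic."""
    flows.add((outbound.proto, outbound.src, outbound.sport, outbound.dst, outbound.dport))

def state(flows, pkt):
    """An inbound packet whose reversed tuple matches a tracked flow is ESTABLISHED, else NEW."""
    return "ESTABLISHED" if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in flows else "NEW"

def verdict(rules, flows, pkt, policy="DROP"):
    """First matching ACCEPT rule wins; otherwise fall through to the chain policy."""
    for match in rules:
        if match(pkt, state(flows, pkt)):
            return "ACCEPT"
    return policy

# Predicates mirroring the rules quoted in the thread.
port_rules = [lambda p, s, d=d: p.proto == "tcp" and p.dport == d
              for d in (21, 22, 53, 80, 137, 138, 139, 445, 901, 10000)]
stateful = lambda p, s: s == "ESTABLISHED"                 # -m state --state ESTABLISHED,RELATED
sport53 = lambda p, s: p.proto == "udp" and p.sport == 53  # -p udp --sport 53

def dns_reply_verdicts():
    """Verdicts for a solicited DNS reply and for an unsolicited packet that merely claims sport 53."""
    resolver, nameserver, outsider = "192.168.7.55", "192.168.7.1", "198.51.100.7"  # constructed
    flows = set()
    track(flows, Packet("udp", resolver, 40000, nameserver, 53))  # the query leaves via OUTPUT
    reply = Packet("udp", nameserver, 53, resolver, 40000)
    unsolicited = Packet("udp", outsider, 53, resolver, 40000)
    chains = {"original": port_rules, "stateful": [stateful] + port_rules, "sport53": [sport53] + port_rules}
    return {name: (verdict(rules, flows, reply), verdict(rules, flows, unsolicited))
            for name, rules in chains.items()}
```

Each entry is a pair of verdicts (solicited reply, unsolicited packet); only the stateful chain accepts the first while still dropping the second.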