09-12-2004, 03:55 AM  #1
Member, Registered: Sep 2002, Distribution: FreeBSD, Posts: 70
IPTables Scripts Won't allow Firewall Internet Access
Here's a script I'm using to create some tables which will only allow in on ports I'm running services. One of the problems I'm having is that I can't ping the Internet with a DNS address from this machine. I've allowed everything in the OUTPUT table and can ping the Internet when using a straight IP, but when I type in "ping google.com" the machine hangs for a few seconds and gives me a server request error. I know it's something with my rules because when I flush them all I can ping google.com just fine. Any ideas would be greatly appreciated. I'm guessing it's something trivial but can't put my finger on it yet.
thanks
#!/bin/bash
########## Beginning ###########################################################
# Define Interfaces/Networks
# Inside/Intranet Interface
INSIDEIP="192.168.7.55"
INSIDEINT="eth0"
# External/Internet Interface (not yet used)
# OUTSIDEIP=
# OUTSIDEINT=
# LAN Network
LAN="192.168.7.0/24"
# Admin Host
ADMIN="192.168.7.51"
# Define other Variables
RULE="/usr/sbin/iptables"
# Flushing All rules/chains (flush first; flushing after appending would wipe the LOG rules)
$RULE -F INPUT
$RULE -F OUTPUT
$RULE -F FORWARD
# Default policies: anything not explicitly accepted is dropped
$RULE -P INPUT DROP
$RULE -P OUTPUT DROP
$RULE -P FORWARD DROP
# Log traffic on each chain (LOG is a target, so it needs -j)
$RULE -A INPUT -j LOG
$RULE -A OUTPUT -j LOG
$RULE -A FORWARD -j LOG
# Adding Permittable Network/Hosts/Ports to Input Table on Internal Interface
# Allowing DNS,FTP,SSH,Webmin,HTTP,SWAT,and Samba to Server
$RULE -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 21 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 22 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 53 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 80 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 137 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 138 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 139 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 445 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 901 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 10000 -d $INSIDEIP -j ACCEPT
# Denying Everything on Local Network
# Adding entry to allow everything originating from Internal Interface out
$RULE -A OUTPUT -j ACCEPT
########## END ################################################################
09-12-2004, 06:43 AM  #2
LQ Newbie, Registered: Jan 2003, Location: Nepal, Distribution: Redhat, Posts: 11
Hello,
Please add the following rule to your existing script.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
09-12-2004, 01:34 PM  #3
Member, Registered: Sep 2002, Distribution: FreeBSD, Posts: 70, Original Poster
Quote:
Originally posted by bijay
Hello,
Please add the following rule to your existing script.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
yep that did it, thanks a lot
09-12-2004, 03:50 PM  #4
Member, Registered: Jul 2004, Location: USA, Distribution: Slackware, FreeBSD, LFS, Posts: 72
If you're still having problems you may want to allow UDP 53.
iptables -A INPUT -p udp --sport 53 -j ACCEPT
would do the trick. This should allow DNS traffic over the UDP protocol. I read somewhere that UDP 53 is more for queries, and TCP 53 is more for zone transfers, but I may be mistaken.
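An added example, not code from the thread, that models how the poster's INPUT chain treats the DNS answer to "ping google.com" with the original rules, with reply #2's ESTABLISHED,RELATED rule, and with reply #4's UDP source-port rule. The resolver and peer addresses are constructed, and the rule walk is a simplified model of iptables first-match evaluation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One packet as the filter sees it (only the fields these rules use)."""
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"   # the poster's single inside interface

INSIDEIP = "192.168.7.55"

def rule_matches(rule, pkt, established):
    """Every criterion on the rule must hold, as with iptables matches."""
    if rule.get("state") == "ESTABLISHED,RELATED" and not established:
        return False
    for key in ("iface", "proto", "sport", "dport", "dst"):
        if key in rule and getattr(pkt, key) != rule[key]:
            return False
    return True

def walk_chain(chain, pkt, established=False, policy="DROP"):
    """First matching rule's target wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt, established):
            return rule["target"]
    return policy

# INPUT rules from the posted script that could touch DNS traffic at all.
ORIGINAL_INPUT = [
    {"iface": "eth0", "proto": "icmp", "target": "ACCEPT"},
    {"iface": "eth0", "proto": "tcp", "dport": 53, "dst": INSIDEIP, "target": "ACCEPT"},
]
# Reply #2: conntrack rule admits answers to traffic the OUTPUT chain let out.
FIXED_INPUT = [{"state": "ESTABLISHED,RELATED", "target": "ACCEPT"}] + ORIGINAL_INPUT
# Reply #4: stateless accept of anything with UDP source port 53.
SPORT_INPUT = ORIGINAL_INPUT + [{"proto": "udp", "sport": 53, "target": "ACCEPT"}]

def dns_reply_verdict(chain):
    """UDP answer from the resolver (constructed address 192.168.7.1) to the
    query OUTPUT already accepted; conntrack therefore marks it ESTABLISHED."""
    reply = Pkt("udp", "192.168.7.1", 53, INSIDEIP, 40123)
    return walk_chain(chain, reply, established=True)

def unsolicited_sport53_verdict(chain):
    """UDP packet carrying source port 53 that answers no query of ours."""
    pkt = Pkt("udp", "192.168.7.99", 53, INSIDEIP, 10000)
    return walk_chain(chain, pkt, established=False)
```

The stateful rule admits only replies to traffic this host started, whereas a bare --sport 53 accept matches any UDP packet that happens to carry that source port, so the conntrack rule is the one worth keeping.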