I don't see anything in this that would treat the XP box differently from any of the others. A possibility: Maybe something on the XP box is preventing you from accessing certain ports.
No, the more I think about it, that doesn't make much sense, but it brings up a point that needs clarifying. What do you mean when you say "can't access ports below 1024"? Are you trying to do things like telnet and ftp? If so, double-check your hosts.allow. It might not be the firewall preventing you from getting in.
I did see something else that worried me about your firewall script, though.
Quote:
# Set input, forward policies to DROP everything
# and flush existing rules
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P FORWARD DROP
#we want to allow everything out
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
#########################
Unless things changed drastically between ipchains and iptables, flushing a chain/table (iptables -F xxx) wipes out everything that was done before on that table, and the default setting is "accept". So if you have your flush (-F input) AFTER your policy (-P input DROP), it's going to get wiped out.
All of that becomes moot in this case, though, because of what you have below:
Quote:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE
This is setting your policy to ACCEPT, and you don't have any DENY rules, so effectively, you have no firewall at all.
If this is the firewall script you were using to test the XP box, I can almost guarantee that your problem is not the firewall, because this script effectively turned it off. (ACCEPT on everything is the "turned off" state.)
Do an "iptables -nL" to double-check my logic, but if you don't see any DROP rules, you might as well just shut the firewall off. It's not doing you any good.
I would recommend setting each chain/table up this way:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT ~~~~~ (rule 1) ~~~~~~~
iptables -A INPUT ~~~~~ (rule 2) ~~~~~~~
and so on.
An input policy of "DROP" is a major pain in the butt (believe me, I know!), but if you use a policy of ACCEPT, then you have to depend on getting every DROP that you need right, or else there's a hole in your armor. I don't know about you, but I stopped being perfect years ago.
Good luck,
CHL
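One way to run the check the reply suggests ("iptables -nL", then look for DROP rules), as an added example that is not part of the post above: a small POSIX shell/awk audit that flags a built-in chain with policy ACCEPT and no DROP or REJECT rule, which is the "no firewall at all" state described. The two sample outputs, the function name audit_chains, and the decision to count only direct DROP/REJECT targets are assumptions of this example, not anything from the thread.

```shell
# Added example: audit "iptables -nL" output for the state described above,
# a built-in chain whose policy is ACCEPT with no DROP/REJECT rules in it.
# Both samples below are constructed, not captured from a real host.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

SAMPLE_CLOSED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# audit_chains "<output of iptables -nL>"
# Prints "<chain> open" for INPUT and FORWARD when the policy is ACCEPT and
# the chain holds no DROP or REJECT rule; exit status 1 if any chain is open,
# else 0. OUTPUT is skipped because the script above allows everything out on
# purpose. Jumps into user-defined chains are not followed (assumption).
audit_chains() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; policy = $4; sub(/\)$/, "", policy)
                    pol[chain] = policy; drops[chain] = 0; next }
        $1 == "DROP" || $1 == "REJECT" { drops[chain]++ }
        END {
            bad = 0
            split("INPUT FORWARD", want, " ")
            for (i = 1; i <= 2; i++) {
                c = want[i]
                if ((c in pol) && pol[c] == "ACCEPT" && drops[c] == 0) {
                    print c " open"; bad = 1
                }
            }
            exit bad
        }'
}

# On a live host (as root) the input would be: audit_chains "$(iptables -nL)"
audit_chains "$SAMPLE_OPEN" || echo "policy ACCEPT with no DROP rules: no firewall"
```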