Well, here is the setup... I have a RH8 box running apache and bind. It is working as a both www server and dns server. now, here is my static ip.. 202.202.202.202
1) I want to deny all incoming requests.

2) I want to accept incomings from any addr to my ip (eth0) on port 80, so that people can browse sites from this machine.

3) I want to accept incomings for the DNS. I mean since this is a DNS server, it gives repplies to ppl for the zones it have. And also if will give reply for the zones it doesn't have by resolving the addrs.(I think here we can free the outgoing so dns will ask for addrs. And only accepted ins so it'll reply for ppls query (no matter whether it is in the server or not).)

4) I will allow all ICMP to come in and out.

Now what is the possible script could be?? Note that this machine is not a NAT.

Mishu~~

sounds simple to me. 1) deny all from input, 2) accept certain types of connections. you just need to read

especially the sections that contain information about --in-interface or --dport or --source or --destination and so on. denying everything except for the special rules:

/sbin/iptables -P INPUT DROP

then just list the connections you do want to pass through, like:

/sbin/iptables -A INPUT --destination 202.202.202.202 --in-interface eth0 -j ACCEPT

that would accept everything that's coming in from eth0 to the address 202.202.202.202; you could also add -dport <portnumber> to specify the destination port, etc..that's all explained very well in iptables' manpages, and at iptables.org

okk... here it is..
i tried using -P INPUT DROP and it brouht me a horrible thing. i'm changing this to this....

iptables -A INPUT -s 0/0 -d 202.202.202.202 -i eth0 -j DROP
iptables -A INPUT -s 0/0 -d 202.202.202.202 -dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -d 202.202.202.202 -dport 53 -j ACCEPT

Will this work so ppl can reach me only using port 80 (www) and to get dns resolved from me?? Note: I will also resolve DNS from others so 53 in-out for DNS right?? Now, is this that i've given or

iptables -A INPUT -s 0/0 -d 202.202.202.202 -dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -d 202.202.202.202 -dport 53 -j ACCEPT
iptables -A INPUT -s 0/0 -d 202.202.202.202 -i eth0 -j DROP

This one?? Which one will first block all then allow limited??

you don't wanna do that with rules... you wanna set your policy to DROP, and then that way only packets matching your ACCEPT rules will be allowed... it's a very bad idea to use rules instead of policy... the policies were created for a reason...

here, execute this script and you should be set... the script will first flush-out any rules you might have in your chains, and then it basically sets your INPUT policy to DROP while adding ACCEPT rules for HTTP/DNS/PINGs, like what you've said you need:

once the script has been executed and you've tested it works fine, you can proceed to do an "iptables-save" to make the change permanent...

make sure you have forwarding disabled in your /etc/sysctl.conf:

is for default policy to drop all. that's okk.. then
For ?? I mean i just want to know and to be clear.. I'm puzzled
If I do this, then 80 and 53 will come in to me.. okk.. now if i also want go go out using 53 and 80, then also okk I think. Right?? But I found after this, 53 out is not working. I think 53udp is used to send the requests and the ans comes with another port... is it??

if i use only ICMP and donot mention any type, all icmps will work right?? then after the answears and clarifications, i can proceed...
But thanks for your works for me.

- the ESTABLISHED,RELATED rule is to accept packets which are part of an existing connection, or a connection directly related to it...

http://wiki.linuxquestions.org/wiki/Iptables

- yes, if you don't specify the icmp type then all types will be allowed...

- yes, all outgoing packets are allowed, because the OUTPUT policy is set to ACCEPT...

- i don't know why your dns isn't working... if you think it's because of the firewall then just add a LOG rule to the end of the INPUT chain and it will log anything that goes to DROP because of the policy... you can then post the logged lines here to get feedback...
you can monitor you log file in a terminal while the problem occurs with a: