Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-10-2004, 05:47 AM   #1
max_sipos
Member
 
Registered: Jul 2004
Posts: 96

Rep: Reputation: 15
iptables problem in a very simple script


Hi, this is a simple firewall for a single machine connected to the internet. Unfortunately, it doesn't work (nothing works when rc.firewall starts). Changing the default policy for INPUT to ACCEPT works, but then it's not protected, right? What am I doing wrong?

-----

#!/bin/bash

# My firewall script - Max
# using iptables

# iptables options:
# -A append to the chain: INPUT, OUTPUT or FORWARD
# -s source of packet: hostname or IP address (with INPUT)
# -j what to do with it: ACCEPT, DROP or REJECT (iptables has no DENY target; that was ipchains)
# -d destination of packet (with OUTPUT)
# -p protocol: tcp
# --destination-port: port number or service name, e.g. telnet
# -F flush all rules (every chain of the table unless a chain is named)
# --syn syn packet, the packet sent when establishing a connection (you want to drop these when incoming)

case "$1" in
    start)
        # flush all rules first:
        iptables -F; iptables -t nat -F; iptables -t mangle -F
        # do not accept any services on my computer
        iptables -A INPUT -p tcp --syn -j DROP
        # only accept established and related connections
        iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
        # default policy: drop
        iptables -P INPUT DROP
        # don't forward anything
        iptables -P FORWARD DROP
        # allow output
        iptables -P OUTPUT ACCEPT
        ;;
    stop)
        echo "WARNING: Firewall DOWN!"
        iptables -F
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD DROP
        ;;
    *)
        echo "Usage: $0 start|stop"
        ;;
esac

#end firewall
 
Old 08-10-2004, 06:19 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
You need to exempt the local interface (lo) from your firewall rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

immediately after your iptables -F.
 
Old 08-10-2004, 06:58 AM   #3
max_sipos
Member
 
Registered: Jul 2004
Posts: 96

Original Poster
Rep: Reputation: 15
It turns out that this line was the problem:

# only accept established and related connections
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Getting rid of "-p tcp" fixed the problem (I don't understand why, I just tried everything).

ACCEPTing from lo allowed me to ping myself, which is good.

---
Thank you,
Maksim Sipos
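Putting the two replies together, as an added example and not anyone's code from this thread: the single-host ruleset rebuilt with the loopback exemption from post #2 and the stateful rule without "-p tcp" from post #3, plus a small lint that flags both faults in any ruleset fed to it. The reason dropping "-p tcp" fixed things is that conntrack marks the DNS reply to a query you sent as ESTABLISHED and an ICMP error about one of your connections as RELATED, but the original ACCEPT rule only ever looked at TCP, so every UDP or ICMP reply fell through to the INPUT DROP policy. The IPTABLES dry-run variable, the function names and the lint heuristics are my own assumptions, not anything from the thread or from iptables itself.

```shell
#!/bin/sh
# Added example, not the script posted in this thread: the single-host
# ruleset with the two fixes the replies arrived at (loopback exempted,
# stateful ACCEPT no longer limited to tcp), plus a lint that spots those
# two mistakes in a ruleset read from stdin.
# IPTABLES defaults to a dry run that only prints the commands (assumed
# convention, not an iptables feature); export IPTABLES=iptables and run
# as root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Corrected ruleset, one iptables argument list per line.
# Order inside INPUT matters: loopback and conntrack replies are accepted
# first, then whatever is left is logged and falls through to the DROP
# policy. The old "-p tcp --syn -j DROP" is redundant under a DROP policy.
# "-m state" is kept to match the thread; "-m conntrack --ctstate" is the
# current spelling and takes the same state names.
fw_rules() {
    cat <<'EOF'
-F
-t nat -F
-t mangle -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m limit --limit 3/min -j LOG --log-prefix FW-DROP:
EOF
}

# The ruleset from the first post, kept as a constructed sample for the
# lint (this is the one that broke DNS and ping).
fw_rules_original() {
    cat <<'EOF'
-A INPUT -p tcp --syn -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
}

# Run a ruleset (stdin) through $IPTABLES one line at a time.
# Word splitting of $args is intended: each line is an argument list.
fw_apply() {
    while IFS= read -r args; do
        [ -n "$args" ] || continue
        $IPTABLES $args
    done
}

fw_start() { fw_rules | fw_apply; }

fw_stop() {
    echo "WARNING: Firewall DOWN!" >&2
    printf '%s\n' '-F' '-P INPUT ACCEPT' '-P OUTPUT ACCEPT' '-P FORWARD DROP' | fw_apply
}

# Lint a ruleset (stdin) for the two faults found in this thread.
# Prints one finding per line; the return value is the number of findings.
fw_lint() {
    rules=$(cat)
    n=0
    if printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED'; then
        # A conntrack ACCEPT that carries a -p match only covers that one
        # protocol; UDP replies (DNS) and ICMP errors then hit the policy.
        if ! printf '%s\n' "$rules" | grep 'ESTABLISHED,RELATED' | grep -qv ' -p '; then
            echo "stateful ACCEPT is restricted to one protocol: drop the -p match"
            n=$((n + 1))
        fi
    else
        echo "no ESTABLISHED,RELATED accept: every reply hits the INPUT policy"
        n=$((n + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT'; then
        echo "loopback not exempted: add -A INPUT -i lo -j ACCEPT"
        n=$((n + 1))
    fi
    return $n
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    lint)  fw_lint ;;
    *)     echo "Usage: $0 start|stop|lint  (lint reads a ruleset from stdin)" >&2 ;;
esac
```

"sh fw.sh start" prints the eleven commands; "IPTABLES=iptables sh fw.sh start" as root applies them, and "sh fw.sh lint < rules.txt" reports the two faults for a ruleset like the one in the first post. The LOG rule writes rate-limited entries prefixed FW-DROP: to the kernel log (dmesg, or journalctl -k), which is the first place to look the next time "nothing works"; iptables -L -v -n shows per-rule packet counters for the same purpose.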
 
  

