LinuxQuestions.org
Old 08-30-2005, 04:29 AM   #1
newguy88
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Rep: Reputation: 0
Unhappy my iptables problem


Hi,

I'm a new user of Linux. I just installed Fedora 4 on my PC (with DNS and httpd services). I would like to set up my firewall with iptables.

My PC is a standalone machine connecting to the internet; however, I cannot see any web page after I set up my table (as below).

--------------------------------------------------------------------------------------
[root@localhost~]# iptables -L -n

Chain FORWARD (policy DROP)
target prot opt source destination


Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80 state NEW,RELATED,ESTABLISHED


Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination

---------------------------------------------------------------------------------------

So, what's wrong with my setting? Any suggestions?
Sorry for my stupidity!

Thanks!
 
Old 08-30-2005, 05:01 AM   #2
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
Where is your OUTPUT rule? You need to set up both INPUT and OUTPUT rules for iptables to work. Here is an example for httpd http://www.cyberciti.biz/nixcraft/vi...k-or-open.html and port 53 (DNS) http://www.cyberciti.biz/nixcraft/vi...k-or-open.html

Hope this helps
 
Old 08-30-2005, 05:48 AM   #3
newguy88
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Hi,

Thanks for your help.

Just wondering why I still need to set up the OUTPUT?
Because my OUTPUT table is:

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Does it assume all output packets can go out?

Why can't I go to any web page with the browser? Did I make a mistake in my table?

Thanks!
 
Old 08-30-2005, 06:27 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Yeah, with no rules in OUTPUT and a default policy of ACCEPT it should allow all outgoing traffic.

Try adding a logging rule to the end of the INPUT chain and check your system logs to see what's getting dropped:
iptables -A INPUT -j LOG --log-prefix "INPUT DROPPED"

Offhand, I'd say you need a general rule in the INPUT chain to allow ESTABLISHED,RELATED connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 08-30-2005, 07:03 AM   #5
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
You are right about OUTPUT, but in the past I had the same problem, and since then I always add INPUT and OUTPUT rules to avoid problems, and it works. So just try to add OUTPUT.
 
Old 08-30-2005, 07:36 AM   #6
newguy88
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Hi nixcraft,

Thanks for your help.
I set the INPUT and OUTPUT policies to DROP.
Could you kindly let me know which ports need to be ACCEPTed for the web browser? 80 only?

Or can you let me know what your iptables settings are, for my reference (because I still have a problem).

Thanks!
 
Old 08-30-2005, 07:51 AM   #7
fllabron
LQ Newbie
 
Registered: Jan 2005
Posts: 4

Rep: Reputation: 0
I always had a doubt: if, without rules in iptables, httpd works correctly, why add rules? Does iptables block all the other doors but 80?
 
Old 08-30-2005, 01:20 PM   #8
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
Yup, port 80, 443 (if httpd-ssl) and then outgoing DNS are the minimum.
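As an added illustration (not code from any poster), here is a small Python model of how the INPUT chain from post #1 is evaluated, beside the stateful version Capt_Caveman suggests in post #4 extended with the port 443 and DNS minimum from post #8. The rule and packet tuples are constructed for this thread; loopback and the RH-Firewall-1-INPUT chain are left out.

```python
# Toy model of iptables INPUT evaluation, constructed for this thread (not real
# iptables). A rule is (proto, dport, states, verdict); None means "any".
# A packet is (proto, sport, dport, conntrack_state).

def evaluate(rules, policy, pkt):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    proto, sport, dport, state = pkt
    for r_proto, r_dport, r_states, verdict in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        if r_states is not None and state not in r_states:
            continue
        return verdict
    return policy

# The original poster's chain: only packets whose *destination* port is 53 or 80.
OP_INPUT = [
    ("tcp", 53, {"NEW", "RELATED", "ESTABLISHED"}, "ACCEPT"),
    ("udp", 53, {"NEW", "RELATED", "ESTABLISHED"}, "ACCEPT"),
    ("tcp", 80, {"NEW", "RELATED", "ESTABLISHED"}, "ACCEPT"),
    ("udp", 80, {"NEW", "RELATED", "ESTABLISHED"}, "ACCEPT"),
]

# Corrected chain: one stateful rule first, then only the services actually offered.
FIXED_INPUT = [
    (None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),  # replies to our own connections
    ("tcp", 80, {"NEW"}, "ACCEPT"),                      # httpd
    ("tcp", 443, {"NEW"}, "ACCEPT"),                     # httpd-ssl
    ("tcp", 53, {"NEW"}, "ACCEPT"),                      # DNS server
    ("udp", 53, {"NEW"}, "ACCEPT"),
]

# Constructed sample packets. The browser connects *out*, so the reply comes back
# with sport 80 and a random high dport; conntrack marks it ESTABLISHED.
SAMPLES = {
    "web_reply":    ("tcp", 80, 51234, "ESTABLISHED"),
    "dns_reply":    ("udp", 53, 40210, "ESTABLISHED"),
    "inbound_http": ("tcp", 51000, 80, "NEW"),   # a client reaching our httpd
    "inbound_ssh":  ("tcp", 51001, 22, "NEW"),   # a service we do not expose
}

def verdicts(rules, policy="DROP"):
    """Map each sample packet name to the verdict the given chain produces."""
    return {name: evaluate(rules, policy, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("OP   :", verdicts(OP_INPUT))     # web/DNS replies are DROPped
    print("fixed:", verdicts(FIXED_INPUT))  # replies ACCEPTed, ssh still DROPped
```

The OP's rules never match a reply to outbound browsing (destination port 51234, not 80), so the DROP policy silently eats it; the LOG rule from post #4 would show exactly these packets.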
 