LinuxQuestions.org
Old 10-20-2008, 12:17 PM   #1
rawdata
LQ Newbie
 
Registered: Aug 2008
Distribution: Gentoo
Posts: 21

I need an iptables/bind expert's help


I have been trying to set up iptables on my dedicated server, both through Webmin and manually. It doesn't seem to matter which way I choose, when I apply the configuration, all ports (tcp and udp) get blocked. The last time I tried it, they stayed open for a while and then closed. Even before they all get blocked, I cannot reach any of the sites on the virtual servers I have set up.

Any ideas what might cause this?

In case it has any bearing on it, I have a friend running his server as a slave server to mine.

IPtables look like this:

Code:
# Generated by iptables-save v1.3.6 on Mon Oct 20 04:52:57 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Oct 20 04:52:57 2008
# Generated by iptables-save v1.3.6 on Mon Oct 20 04:52:57 2008
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Oct 20 04:52:57 2008
# Generated by iptables-save v1.3.6 on Mon Oct 20 04:52:57 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport xx -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# global TS
-A INPUT -p tcp -m tcp -i eth0 --dport 51234 -j ACCEPT
# global TS
-A INPUT -p tcp -m tcp -i eth0 --dport 14534 -j ACCEPT
# global TS
-A INPUT -p udp -m udp -i eth0 --dport 51234 -j ACCEPT
# global TS
-A INPUT -p udp -m udp -i eth0 --dport 14534 -j ACCEPT
# fsd1
-A INPUT -p tcp -m tcp -i eth0 --dport 6809 -j ACCEPT
# fsd2
-A INPUT -p tcp -m tcp -i eth0 --dport 3011 -j ACCEPT
# fsd3
-A INPUT -p tcp -m tcp -i eth0 --dport 3012 -j ACCEPT
# ts3
-A INPUT -p udp -m udp -i eth0 --dport 8767 -j ACCEPT
# bind
-A INPUT -p udp -m udp -s 206.104.21.214 --dport 53 -j ACCEPT
# bind2
-A INPUT -p udp -m udp --dport 953 -j ACCEPT
# bind2
-A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
# bind
-A INPUT -p tcp -m tcp -s 206.104.21.214 --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Oct 20 04:52:57 2008
 
Old 10-20-2008, 12:53 PM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

The only thing I noticed if it was not intentional or by mistake is this line:

Code:
Accept notifications of unreachable hosts
Which doesn't have a # in front of it. If this line isn't commented out with a #, it will most likely bomb out your iptables script.
 
Old 10-20-2008, 02:55 PM   #3
rawdata
LQ Newbie
 
Registered: Aug 2008
Distribution: Gentoo
Posts: 21

Original Poster
Good catch, but that happened during copy/paste ops.
 
Old 10-20-2008, 03:19 PM   #4
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Quote:
Originally Posted by rawdata View Post
Good catch, but that happened during copy/paste ops.
That's what I figured, just wanted to make sure.

So when this is run, you're blocked from everything on every port, I take it? What do you get with the iptables -L output to view existing and running rules? If you flush with -F, can you then connect? There are no other firewalls preventing connections?

You could also do the painstaking process of running each one individually in order to see when it stops accepting connections to the server.
 
Old 10-20-2008, 04:32 PM   #5
rawdata
LQ Newbie
 
Registered: Aug 2008
Distribution: Gentoo
Posts: 21

Original Poster
Quote:
Originally Posted by trickykid View Post
That's what I figured, just wanted to make sure.

So when this is run, you're blocked from everything on every port, I take it? What do you get with the iptables -L output to view existing and running rules? If you flush with -F, can you then connect? There are no other firewalls preventing connections?

You could also do the painstaking process of running each one individually in order to see when it stops accepting connections to the server.
Before about an hour ago, I was blocked out completely. Jason, at Sector Link, reset my resolver so I can now get in with the IP addy, but none of the domain names resolve unless and until I set the filter chain policy to ACCEPT. As soon as I set it back to DROP, domains go away.

I am logging everything and looking at the logs, but I see nothing unusual in any of them either way the policy is set.
 
Old 10-20-2008, 08:38 PM   #6
rawdata
LQ Newbie
 
Registered: Aug 2008
Distribution: Gentoo
Posts: 21

Original Poster
Solved it. If you'll notice, I was restricting udp port 53 to my own IP. Duh!
 
Old 10-21-2008, 10:58 AM   #7
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Quote:
Originally Posted by rawdata View Post
Solved it. If you'll notice, I was restricting udp port 53 to my own IP. Duh!
Heh, I overlooked it. I wasn't focusing on you getting to the server by domain with DNS. But yeah, restricting DNS to the actual server's IP address will block that type of access.
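As an added illustration (not code from the thread or from iptables itself), here is a small first-match evaluator for the subset of iptables-save INPUT syntax the posted ruleset uses: it walks a constructed excerpt of the chain in order, the way the kernel would, and shows why an outside client's UDP query to port 53 falls through to the DROP policy while the slave's query is accepted and post #6's fix lets everyone's through. The rule excerpt, the client addresses and the udp_packet helper are constructed for this example.

```python
# Added example (not from the thread): a first-match evaluator for the subset of
# iptables-save INPUT syntax used above, showing why public DNS queries hit DROP.
import ipaddress

# Constructed subset of the posted *filter INPUT chain, in the original order.
RULES = [
    "-A INPUT ! -i eth0 -j ACCEPT",
    "-A INPUT -m state --state ESTABLISHED -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT",
    "-A INPUT -p udp -m udp -s 206.104.21.214 --dport 53 -j ACCEPT",
]
POLICY = "DROP"  # the dump's ":INPUT DROP [0:0]"
# Post #6's fix: accept queries to port 53 from anyone, not only from the slave.
FIXED = RULES + ["-A INPUT -p udp -m udp --dport 53 -j ACCEPT"]

def parse_rule(line):
    """Every option here takes one argument, so pair tokens up; '! -i' is
    rewritten to a single '--not-i' option so the pairing still holds."""
    toks = line.replace("! -i ", "--not-i ").split()
    return dict(zip(toks[::2], toks[1::2]))

def matches(rule, pkt):
    """Every option present in the rule must match (iptables ANDs them)."""
    if "--not-i" in rule and pkt["iface"] == rule["--not-i"]:
        return False
    for opt, key in (("-i", "iface"), ("-p", "proto"), ("--state", "state")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"]):
        return False
    for opt, key in (("--dport", "dport"), ("--sport", "sport")):
        if opt in rule:                     # "53" or a range such as "1024:65535"
            lo, _, hi = rule[opt].partition(":")
            if not int(lo) <= pkt[key] <= int(hi or lo):
                return False
    return True

def verdict(pkt, rules=RULES, policy=POLICY):
    """Walk the chain in order; the first matching rule's target wins, else policy."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["-j"]
    return policy

def udp_packet(src, sport, dport, iface="eth0", state="NEW"):
    # Constructed inbound UDP packet; the defaults model a fresh query on eth0.
    return {"iface": iface, "proto": "udp", "src": src, "sport": sport,
            "dport": dport, "state": state}
```

Feeding it a datagram with source port 53 and a high destination port also shows that the stateless `--sport 53 --dport 1024:65535` rule accepts unsolicited UDP from anyone who sets that source port, although genuine replies to the server's own lookups are already covered by the ESTABLISHED rule above it.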