From: "Gilles Yue" <gyue@novelgmt.intnet.mu>
To: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
Cc: netfilter@lists.netfilter.org
Subject: RE: Help on IPTABLES
Date: Mon, 13 Oct 2003 16:09:20 +0400
Message-ID: <83055D4B014C9E478D2F04624B9E82CFD475@noveldc.novelgmt.mu>
Dear Leonardo,
Thanks for your reply.
I've just allowed port 53/443 as well. Still cannot browse. Do you think it has something to do with the routing of my two network cards?
When I change my INPUT chain to accept all, browsing works. (Note I am talking about browsing on the host where iptables has been installed)
Or do I have to insert a new rule to enable NAT? Below are my chain rules. Thanks for replying.
gilles
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
-----Original Message-----
From: Leonardo Rodrigues Magalhães [mailto:leolistas@solutti.com.br]
Sent: Saturday, October 11, 2003 6:33 PM
To: info; netfilter@lists.netfilter.org
Subject: Re: Help on IPTABLES
You'll probably browse with no problems if you use IP addresses. If you try to browse using names (www.something.com), you'll need to do a DNS request for the IP of that hostname. The request will go out with no problems, as OUTPUT is ACCEPT. But DNS reply will be blocked, as INPUT only allows port 80 traffic.
For allowing web browsing ONLY, you'll have to allow AT LEAST packets with source port 53 (TCP and UDP - almost all will be UDP but TCP can be also used). Don't forget HTTPS too, which is port 443.
You should also analyse the RH-Lokkit-0-50-INPUT chain. As packets are getting to this chain BEFORE reaching your rules, if something gets blocked there, it will NEVER reach YOUR rules.
For static rules, you can create them on /etc/rc.d/rc.local. This file will be executed after ALL daemons got UP on the reboot process.
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: info <mailto:info@novelgmt.intnet.mu>
To: netfilter@lists.netfilter.org
Sent: Thursday, October 09, 2003 9:20 AM
Subject: Help on IPTABLES
hi all,
Can somebody explain to me why, when I changed my Chain INPUT rules from ACCEPT to DROP, I cannot browse the internet despite opening port 80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: CHAIN Output is accept for ALL)
The configurations on my IPTABLES are as follows
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT udp -- anywhere anywhere udp spt:http
Note that my OUTPUT Rules are as follows:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have two network cards installed on my PC, running Red Hat 9.0.
Routing for static routes is as follows:
xx.yy.zz.aa 0.0.0.0 255.255.255.0 U 0 0 0 eth0
xx.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth1
where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.
By the way, is there a way to save static routes? When I reboot my PC, all routes are lost.
Thanks for any help.
guy
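A model of how the INPUT chain above treats the reply packets a browsing host must accept, added here as an example and not code from the thread: it replays the visible rules (the RH-Lokkit chain first, then the user rules, then the DROP policy) against constructed packets, and also tries an assumed stateful rule (`-m state --state ESTABLISHED,RELATED`) that nobody in the thread posted.

```python
# Added model of INPUT-chain traversal for the rulesets posted in this thread.
# Not code from the thread: it replays the visible rules against constructed packets.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    tracked: bool = False  # True if conntrack would see it as a reply to our own request

Match = Callable[[Packet], bool]

def rh_lokkit(p: Packet) -> Optional[str]:
    """The posted RH-Lokkit-0-50-INPUT chain. Its first ACCEPT is assumed to be
    loopback-only (iptables -L hides '-i lo' without -v), so only the REJECTs are modelled."""
    low = p.dport <= 1023 or p.dport == 2049
    if p.proto == "tcp" and p.syn and not p.ack:   # flags:0x16/0x02 == SYN only (new connection)
        if low or 6000 <= p.dport <= 6009 or p.dport == 7100:
            return "REJECT"
    if p.proto == "udp" and low:
        return "REJECT"
    return None  # fell off the end of the chain: RETURN to INPUT

def input_verdict(rules: list, p: Packet, policy: str = "DROP") -> str:
    verdict = rh_lokkit(p)  # the first INPUT rule jumps here, before any user rule is seen
    if verdict:
        return verdict
    for match in rules:
        if match(p):
            return "ACCEPT"
    return policy

# Ruleset from the first post: only source port http accepted (replies from web servers)
ORIGINAL = [lambda p: p.sport == 80]
# Ruleset from the follow-up: dpt:80 and dpt:443 (the host's own server ports) plus spt:53
REVISED = [lambda p: p.dport == 80, lambda p: p.dport == 443, lambda p: p.sport == 53]
# Assumed stateful alternative, not in the thread: -m state --state ESTABLISHED,RELATED
STATEFUL = [lambda p: p.tracked]

# Constructed sample traffic arriving at a browsing host
DNS_REPLY  = Packet("udp", 53, 33000, tracked=True)
HTTP_REPLY = Packet("tcp", 80, 45000, syn=True, ack=True, tracked=True)
SPOOFED_53 = Packet("udp", 53, 33001)              # unsolicited, merely sourced from port 53
INBOUND_80 = Packet("tcp", 51000, 80, syn=True)    # a remote host connecting to our port 80

def verdicts(rules) -> list:
    return [input_verdict(rules, p) for p in (DNS_REPLY, HTTP_REPLY, SPOOFED_53, INBOUND_80)]
```

In the model the follow-up ruleset passes DNS replies but drops HTTP replies, because dpt:80 and dpt:443 match connections to the host's own web ports while browser replies carry spt:80 or spt:443; the stateful rule accepts only tracked replies and drops an unsolicited packet that merely has source port 53, which the spt:53 rule lets through, and the inbound SYN to port 80 is rejected by the RH-Lokkit chain before any user rule is consulted.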