* Help on IPTABLES
@ 2003-10-09 12:20 info
2003-10-11 14:32 ` Leonardo Rodrigues Magalhães
0 siblings, 1 reply; 12+ messages in thread
From: info @ 2003-10-09 12:20 UTC (permalink / raw)
To: netfilter
hi all,
Can somebody explain to me why, when I changed my Chain INPUT rules
from ACCEPT to DROP, I cannot browse the internet despite opening port
80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet
works fine. (Note: Chain OUTPUT is ACCEPT for ALL.)
The configuration of my IPTABLES is as follows:
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT udp -- anywhere anywhere udp spt:http
Note that my OUTPUT Rules are as follows:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have two network cards installed on my pc - running Red Hat 9.0
Routing for static routes is as follows:
xx.yy.zz.aa 0.0.0.0 255.255.255.0 U 0 0 0 eth0
xx.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth1
where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.
By the way, is there a way to save static routes? When I reboot
my PC, all routes are lost.
Thanks for any help.
guy
* Re: Help on IPTABLES
2003-10-09 12:20 Help on IPTABLES info
@ 2003-10-11 14:32 ` Leonardo Rodrigues Magalhães
0 siblings, 0 replies; 12+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2003-10-11 14:32 UTC (permalink / raw)
To: info, netfilter
You'll probably browse with no problems if you use IP addresses. If you try to browse using names (www.something.com), you'll need to do a DNS request for the IP of that hostname. The request will go out with no problems, as OUTPUT is ACCEPT. But DNS reply will be blocked, as INPUT only allows port 80 traffic.
For allowing web browsing ONLY, you'll have to allow AT LEAST packets with source port 53 (TCP and UDP - almost all will be UDP but TCP can be also used). Don't forget HTTPS too, which is port 443.
You should also analyse the RH-Lokkit-0-50-INPUT chain. As packets are getting to this chain BEFORE reaching your rules, if something gets blocked there, it will NEVER reach YOUR rules.
For static rules, you can create them on /etc/rc.d/rc.local. This file will be executed after ALL daemons got UP on the reboot process.
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: info
To: netfilter@lists.netfilter.org
Sent: Thursday, October 09, 2003 9:20 AM
Subject: Help on IPTABLES
hi all,
Can somebody explain to me why, when I changed my Chain INPUT rules from ACCEPT to DROP, I cannot browse the internet despite opening port 80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: Chain OUTPUT is ACCEPT for ALL.)
The configuration of my IPTABLES is as follows:
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT udp -- anywhere anywhere udp spt:http
Note that my OUTPUT Rules are as follows:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have two network cards installed on my pc - running Red Hat 9.0
Routing for static routes is as follows:
xx.yy.zz.aa 0.0.0.0 255.255.255.0 U 0 0 0 eth0
xx.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth1
where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.
By the way, is there a way to save static routes? When I reboot my PC, all routes are lost.
Thanks for any help.
guy
* Re: Help on Iptables
2006-12-16 19:20 ` Pascal Hambourg
@ 2006-12-17 12:08 ` wlagmay
0 siblings, 0 replies; 12+ messages in thread
From: wlagmay @ 2006-12-17 12:08 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Thanks Pascal. Anyway, maybe you can help me with my other problem. I already
posted it, but up to now I don't have any reply, so I'm just thinking that you
might help me.
You see, I'm using "SAME" for my Network Address Translation. Example:
-A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to 212.xxx.xxx.9-212.xxx.xxx.14
My question is, how can I log and trace which private IP is using a certain
public IP at any given time and date?
For example, let's say somebody is complaining that there is a network flood or attack
coming from 212.xxx.xxx.14; in order for me to trace which machine is making
the flood, I should know which private IP address is using 212.xxx.xxx.14 at
that given time.
Thank you very much and I hope that you can help me.
Wennie
Quoting Pascal Hambourg <pascal.mail@plouf.fr.eu.org>:
> Hello,
>
> wlagmay@yanbulink.net wrote:
> >
> > I just want to know how I am going to block multiple ports on a
> > single line, let's say ports 700 to 800.
> >
> > I'm trying this command but it is not working
> >
> > iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700-800 -j DROP
> > iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700 --to 800 -j DROP
>
> man iptables says the port range syntax in port matches is "700:800".
> The port range syntax "700-800" is used only in NAT targets.
>
>
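Wennie's question above (which private host was behind a given public address at a given time) gets no answer in the thread. Here is one defender-side approach, added as an example for this page and not code from the thread or from netfilter: the SAME/SNAT translations live in the kernel's connection-tracking table, so parsing /proc/net/ip_conntrack gives the current public-to-private mapping, and appending a timestamped snapshot of that mapping to a log from cron gives the time-indexed record needed to trace an abuse complaint. The /proc/net/ip_conntrack line format is assumed to be the classic two-tuple text form (original tuple, then reply tuple); the sample table and its addresses (documentation ranges in place of the 212.xxx.xxx.x block) are constructed.

```python
"""
Added example (not from the thread or from netfilter): answer "which private
host is behind public address X right now?" by reading the kernel's connection
tracking table, where SNAT/SAME translations actually live. Assumes the classic
/proc/net/ip_conntrack text format (one flow per line, original tuple followed
by reply tuple); the sample table below uses constructed addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed snapshot: 192.168.64.0/19 hosts SNATed to a 203.0.113.9-14 pool
# (documentation addresses standing in for the real public block).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.64.17 dst=198.51.100.20 sport=33041 dport=80 src=198.51.100.20 dst=203.0.113.14 sport=80 dport=33041 [ASSURED] use=1
udp      17 29 src=192.168.65.3 dst=198.51.100.53 sport=1024 dport=53 src=198.51.100.53 dst=203.0.113.9 sport=53 dport=1024 use=1
tcp      6 118 SYN_SENT src=192.168.70.200 dst=198.51.100.7 sport=4471 dport=25 [UNREPLIED] src=198.51.100.7 dst=203.0.113.14 sport=25 dport=4471 use=1
icmp     1 29 src=192.168.64.2 dst=198.51.100.1 type=8 code=0 id=512 src=198.51.100.1 dst=203.0.113.10 type=0 code=0 id=512 use=1
tcp      6 300 ESTABLISHED src=10.9.9.9 dst=192.168.64.17 sport=5555 dport=22 src=192.168.64.17 dst=10.9.9.9 sport=22 dport=5555 [ASSURED] use=1
"""

# Matches both the original-direction and the reply-direction tuple of a flow.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")


def nat_mappings(lines):
    """Map public (post-NAT) address -> set of private addresses currently behind it."""
    public_to_private = defaultdict(set)
    for line in lines:
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue                      # not a two-tuple flow line; skip it
        (orig_src, _), (_, reply_dst) = tuples
        # For an un-NATed flow the reply goes back to the original source.
        # A differing reply destination means the source was rewritten (SNAT/SAME).
        if orig_src != reply_dst:
            public_to_private[reply_dst].add(orig_src)
    return dict(public_to_private)


def who_uses(public_ip, table=SAMPLE_CONNTRACK):
    """Private addresses currently translated to public_ip (empty set if none)."""
    return nat_mappings(table.splitlines()).get(public_ip, set())


def snapshot(table, stamp):
    """One '<stamp> <public> <private,...>' line per public address. Appending
    this to a log from cron gives the history conntrack itself does not keep:
    the table only shows live flows."""
    return [f"{stamp} {pub} {','.join(sorted(priv))}"
            for pub, priv in sorted(nat_mappings(table.splitlines()).items())]


def read_live_table(path="/proc/net/ip_conntrack"):
    """Read the real table (needs root on the NAT box)."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    for line in snapshot(SAMPLE_CONNTRACK, datetime.now().strftime("%Y-%m-%dT%H:%M:%S")):
        print(line)
```

On the NAT box, `snapshot(read_live_table(), stamp)` appended to a file every few minutes is enough to answer "who was using 212.xxx.xxx.14 at that hour"; the ICMP line shows why the regex matches only `src=`/`dst=` and not ports, since ICMP conntrack entries carry type/code/id instead.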
* Re: Help on Iptables
2006-12-16 17:04 Help on Iptables wlagmay
@ 2006-12-16 19:20 ` Pascal Hambourg
2006-12-17 12:08 ` wlagmay
0 siblings, 1 reply; 12+ messages in thread
From: Pascal Hambourg @ 2006-12-16 19:20 UTC (permalink / raw)
To: netfilter
Hello,
wlagmay@yanbulink.net wrote:
>
> I just want to know how I am going to block multiple ports on a
> single line, let's say ports 700 to 800.
>
> I'm trying this command but it is not working
>
> iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700-800 -j DROP
> iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700 --to 800 -j DROP
man iptables says the port range syntax in port matches is "700:800".
The port range syntax "700-800" is used only in NAT targets.
* Help on Iptables
@ 2006-12-16 17:04 wlagmay
2006-12-16 19:20 ` Pascal Hambourg
0 siblings, 1 reply; 12+ messages in thread
From: wlagmay @ 2006-12-16 17:04 UTC (permalink / raw)
To: netfilter
Hi all,
I just want to know how I am going to block multiple ports on a
single line, let's say ports 700 to 800.
I'm trying this command but it is not working
iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700-800 -j DROP
iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 700 --to 800 -j DROP
I'm trying the above commands and it's not working. Can you help me please?
Thanks,
Wennie
* Re: Help on IPTABLES
@ 2003-10-14 12:50 Gilles Yue
0 siblings, 0 replies; 12+ messages in thread
From: Gilles Yue @ 2003-10-14 12:50 UTC (permalink / raw)
To: Joel Newkirk; +Cc: netfilter
Dear Joel,
Browsing is working now. I have removed all chains in OUTPUT and FORWARD
and started with the INPUT rules first. (Just like you told me.)
But I am now trying to check my mail on the box with iptables installed.
Note I have opened ports 25 and 110 and tried with both sport and dport.
Connection with local mail server cannot be made. Did I miss something?
Sorry to bother you about those basic questions but I am VERY new to
iptables.
Thanks & Best Regards
gy
Chain INPUT (policy DROP 2858 packets, 315K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
1 456 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:80
33 6571 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:110
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:25
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 664 packets, 67152 bytes)
pkts bytes target prot opt in out source destination
* Re: Help on IPTABLES
2003-10-09 12:24 Gilles Yue
2003-10-09 13:54 ` Rob Sterenborg
@ 2003-10-14 6:59 ` Joel Newkirk
1 sibling, 0 replies; 12+ messages in thread
From: Joel Newkirk @ 2003-10-14 6:59 UTC (permalink / raw)
To: Gilles Yue; +Cc: netfilter
On Thu, 2003-10-09 at 08:24, Gilles Yue wrote:
> Hi all,
>
> Can somebody explain to me why, when I changed my Chain INPUT rules
> from ACCEPT to DROP, I cannot browse the internet despite opening port
> 80 in the INPUT rule?
> However, when Chain INPUT is changed to ACCEPT, browsing the internet
> works fine. (Note: Chain OUTPUT is ACCEPT for ALL.)
Are you talking about the rule targets, or the chain policy, changing?
I'll assume you're talking about changing policy. OUTPUT lets
connections from this machine out. Fine. Input controls connections to
this machine, which you want to control. Find out what
RH-Lokkit-0-50-INPUT does, and consider ditching it. Add a stateful
rule:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
And now most connections you initiate are allowed back. (providing
something before this rule, like RH-Lokkit, doesn't drop it first)
> The configurations on my IPTABLES are as follows
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> RH-Lokkit-0-50-INPUT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp spt:http
> ACCEPT udp -- anywhere anywhere udp spt:http
>
> Note that my OUTPUT Rules are as follows:
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> I have two network cards installed on my pc - running Red Hat 9.0
If this box is 'sharing' the internet connection, you need to deal with
FORWARD chain rules and nat table rules as well...
> Routing for static routes is as follows:
>
> xx.yy.zz.aa 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> xx.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth0
> 0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth1
>
> Where zz.zz.zz.zz is my gateway to the internet.
> eth0 - Interface with local address
> eth1 - Interface with Internet address.
OK. Question... Why is your internet gateway accessible via the local
interface?? Is it perhaps the default as well? Definitely an issue
there.
> By the way, is there a way to save static routes? When I reboot
> my PC, all routes are lost.
>
> Thanks for any help.
>
> gilles
BTW - dport 80 on INPUT would allow the internet to access a web server
at your IP; sport 80 would allow HTTP replies back in. And L Rodrigues'
advice is also valid.
Suggestions - leave OUTPUT chain empty with ACCEPT policy for now. Work
on getting INPUT back into the box working the way you want it. Then
transplant most of those rules to FORWARD to allow machines behind this
one to access the internet with similar restrictions. And try using
"iptables -vnL" to list rules - more useful information that way.
j
* RE: Help on IPTABLES
2003-10-13 12:09 Gilles Yue
@ 2003-10-13 13:23 ` Ralf Spenneberg
0 siblings, 0 replies; 12+ messages in thread
From: Ralf Spenneberg @ 2003-10-13 13:23 UTC (permalink / raw)
To: Gilles Yue; +Cc: Netfilter
On Mon, 2003-10-13 at 14:09, Gilles Yue wrote:
> Chain INPUT (policy DROP)
>
> target prot opt source destination
>
> RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
When establishing a connection with a webserver, the packets in the INPUT
chain are coming from the webserver port 80, therefore spt:80, not dpt:80.
Same for the rest, with the exception of DNS. Here you did it correctly:
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
By the way, you get more info on the rules using
iptables -vnL
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* RE: Help on IPTABLES
@ 2003-10-13 12:09 Gilles Yue
2003-10-13 13:23 ` Ralf Spenneberg
0 siblings, 1 reply; 12+ messages in thread
From: Gilles Yue @ 2003-10-13 12:09 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter
Dear Leonardo,
Thanks for your reply.
I've just allowed ports 53/443 as well. Still cannot browse. Do you think it's got something to do with the routing of my two network cards?
When I change my INPUT chain to accept all, browsing works. (Note: I am talking about browsing on the host where iptables has been installed.)
Or do I have to insert a new rule to enable NAT? Below are my chain rules. Thanks for replying.
gilles
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
-----Original Message-----
From: Leonardo Rodrigues Magalhães [mailto:leolistas@solutti.com.br]
Sent: Saturday, October 11, 2003 6:33 PM
To: info; netfilter@lists.netfilter.org
Subject: Re: Help on IPTABLES
You'll probably browse with no problems if you use IP addresses. If you try to browse using names (www.something.com), you'll need to do a DNS request for the IP of that hostname. The request will go out with no problems, as OUTPUT is ACCEPT. But DNS reply will be blocked, as INPUT only allows port 80 traffic.
For allowing web browsing ONLY, you'll have to allow AT LEAST packets with source port 53 (TCP and UDP - almost all will be UDP but TCP can be also used). Don't forget HTTPS too, which is port 443.
You should also analyse the RH-Lokkit-0-50-INPUT chain. As packets are getting to this chain BEFORE reaching your rules, if something gets blocked there, it will NEVER reach YOUR rules.
For static rules, you can create them on /etc/rc.d/rc.local. This file will be executed after ALL daemons got UP on the reboot process.
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: info <mailto:info@novelgmt.intnet.mu>
To: netfilter@lists.netfilter.org
Sent: Thursday, October 09, 2003 9:20 AM
Subject: Help on IPTABLES
hi all,
Can somebody explain to me why, when I changed my Chain INPUT rules from ACCEPT to DROP, I cannot browse the internet despite opening port 80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet works fine. (Note: Chain OUTPUT is ACCEPT for ALL.)
The configuration of my IPTABLES is as follows:
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT udp -- anywhere anywhere udp spt:http
Note that my OUTPUT Rules are as follows:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have two network cards installed on my pc - running Red Hat 9.0
Routing for static routes is as follows:
xx.yy.zz.aa 0.0.0.0 255.255.255.0 U 0 0 0 eth0
xx.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth1
where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.
By the way, is there a way to save static routes? When I reboot my PC, all routes are lost.
Thanks for any help.
guy
* RE: Help on IPTABLES
@ 2003-10-10 6:43 Gilles Yue
0 siblings, 0 replies; 12+ messages in thread
From: Gilles Yue @ 2003-10-10 6:43 UTC (permalink / raw)
To: Rob Sterenborg, netfilter
Hi Rob,
I have made changes just like you said. And I still cannot browse!
Is there something wrong with my other chain rules or with the routing
of my network cards? (Note: I have two network cards.) Please help.
Thanks.
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
-----Original Message-----
From: Rob Sterenborg [mailto:rob@sterenborg.info]
Sent: Thursday, October 09, 2003 5:55 PM
To: Gilles Yue; netfilter@lists.netfilter.org
Subject: RE: Help on IPTABLES
> Can somebody explain to me why, when I changed my Chain
> INPUT rules from ACCEPT to DROP, I cannot browse the internet
> despite opening port 80 in the INPUT rule?
...
> Chain INPUT (policy DROP)
> target prot opt source destination
> RH-Lokkit-0-50-INPUT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp spt:http
> ACCEPT udp -- anywhere anywhere udp spt:http
Because you used sport. You are trying to reach servers that are
*listening* on port 80/443 so you should use dport (destination = port
80/443). You are most likely not sending from port 80/443.
Gr,
Rob
* RE: Help on IPTABLES
2003-10-09 12:24 Gilles Yue
@ 2003-10-09 13:54 ` Rob Sterenborg
2003-10-14 6:59 ` Joel Newkirk
1 sibling, 0 replies; 12+ messages in thread
From: Rob Sterenborg @ 2003-10-09 13:54 UTC (permalink / raw)
To: 'Gilles Yue', netfilter
> Can somebody explain to me why, when I changed my Chain
> INPUT rules from ACCEPT to DROP, I cannot browse the internet
> despite opening port 80 in the INPUT rule?
...
> Chain INPUT (policy DROP)
> target prot opt source destination
> RH-Lokkit-0-50-INPUT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp spt:http
> ACCEPT udp -- anywhere anywhere udp spt:http
Because you used sport. You are trying to reach servers that are
*listening* on port 80/443 so you should use dport (destination = port
80/443). You are most likely not sending from port 80/443.
Gr,
Rob
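The advice spread across this thread (Leonardo's source-port 53 and 443 rules, Rob's dport suggestion, Ralf's and Joel's spt-versus-dpt correction, Joel's ESTABLISHED,RELATED rule, and Pascal's "700:800" port-range syntax from the other sub-thread) can be checked on paper with a small model of the INPUT chain. The following is an added example written for this page, not code from the thread or from netfilter: it parses the subset of iptables syntax the thread uses, pushes a constructed set of inbound packets (the replies of one browsing session plus two unsolicited connection attempts) through each ruleset under a DROP policy, and reports the verdict for each. The packets, the ephemeral port numbers and the ruleset names are constructed assumptions.

```python
"""
Toy model of the netfilter INPUT chain on the firewall host itself (an added
example, not code from the thread or from netfilter). It models only what the
thread discusses: -p, --sport/--dport, -m state --state, -j, first match wins,
and the chain policy as fallback. Packets, ports and rulesets are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # source port as seen on the wire
    dport: int   # destination port
    state: str   # conntrack state that '-m state' would report


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = None
    sport: tuple = None      # (low, high) or None = any
    dport: tuple = None
    states: frozenset = None

PORT_RE = re.compile(r"^(\d+)(?::(\d+))?$")


def parse_ports(spec):
    """Port spec of a *match* (--sport/--dport): 'N' or 'low:high'. 'low-high'
    is NAT-target syntax and is rejected, the mistake Pascal's reply points out."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"{spec!r}: port matches use 'low:high', not 'low-high'")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{spec!r}: port range out of order or out of range")
    return lo, hi


def port_spec_ok(spec):
    try:
        return bool(parse_ports(spec))
    except ValueError:
        return False


def parse_rule(cmdline):
    """Parse the subset of 'iptables -A INPUT ...' syntax used in the thread."""
    toks, fields = cmdline.split(), {}
    setters = {"-p": ("proto", str), "--sport": ("sport", parse_ports),
               "--dport": ("dport", parse_ports), "-j": ("target", str),
               "--state": ("states", lambda s: frozenset(s.split(",")))}
    for opt, arg in zip(toks, toks[1:]):   # -A/-I/-m and 'iptables' are skipped
        if opt in setters:
            name, conv = setters[opt]
            fields[name] = conv(arg)
    if "target" not in fields:
        raise ValueError("rule has no -j target")
    return Rule(**fields)


def matches(rule, pkt):
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and not rule.sport[0] <= pkt.sport <= rule.sport[1]:
        return False
    if rule.dport is not None and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    return rule.states is None or pkt.state in rule.states


def verdict(rules, policy, pkt):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for r in rules:
        if matches(r, pkt):
            return r.target
    return policy

# Inbound packets of one browsing session as INPUT sees them (constructed;
# 1025-1027 stand in for the browser's ephemeral ports), plus two unsolicited
# connection attempts that a DROP policy is meant to stop.
TRAFFIC = {
    "dns reply":               Packet("udp", 53, 1025, "ESTABLISHED"),
    "http reply":              Packet("tcp", 80, 1026, "ESTABLISHED"),
    "https reply":             Packet("tcp", 443, 1027, "ESTABLISHED"),
    "new to local port 80":    Packet("tcp", 40000, 80, "NEW"),
    "new from source port 80": Packet("tcp", 80, 22, "NEW"),
}

RULESETS = {
    # The original post: source port http only.
    "spt 80": ["iptables -A INPUT -p tcp --sport 80 -j ACCEPT",
               "iptables -A INPUT -p udp --sport 80 -j ACCEPT"],
    # Rob's dport suggestion, which Ralf and Joel correct: it opens a local server.
    "dpt 80/443": ["iptables -A INPUT -p tcp --dport 80 -j ACCEPT",
                   "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"],
    # Leonardo's additions: DNS replies from port 53 and HTTPS.
    "spt 53/80/443": ["iptables -A INPUT -p udp --sport 53 -j ACCEPT",
                      "iptables -A INPUT -p tcp --sport 53 -j ACCEPT",
                      "iptables -A INPUT -p tcp --sport 80 -j ACCEPT",
                      "iptables -A INPUT -p tcp --sport 443 -j ACCEPT"],
    # Joel's stateful rule: replies to whatever this host initiated, nothing else.
    "stateful": ["iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"],
}


def simulate(policy="DROP"):
    """Verdict of every ruleset, under the given chain policy, for every sample packet."""
    return {name: {label: verdict([parse_rule(r) for r in lines], policy, pkt)
                   for label, pkt in TRAFFIC.items()}
            for name, lines in RULESETS.items()}
```

Running `simulate()` retraces the thread: the original spt:80 rules drop the DNS reply, so name resolution fails and browsing by name breaks; the dport rules accept only inbound connections to a local web server and drop every reply; the spt 53/80/443 rules make browsing work but also accept any NEW connection whose source port happens to be 80, which is the weakness of source-port filtering; the stateful rule accepts exactly the replies to connections this host opened and nothing else, which is why it is the fix to prefer. Pascal's point shows up as a parse error: "700-800" is rejected by `parse_ports`, "700:800" is accepted. Rules from a real RH-Lokkit chain or the FORWARD chain are outside this model.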
* Help on IPTABLES
@ 2003-10-09 12:24 Gilles Yue
2003-10-09 13:54 ` Rob Sterenborg
2003-10-14 6:59 ` Joel Newkirk
0 siblings, 2 replies; 12+ messages in thread
From: Gilles Yue @ 2003-10-09 12:24 UTC (permalink / raw)
To: netfilter
Hi all,
Can somebody explain to me why, when I changed my Chain INPUT rules
from ACCEPT to DROP, I cannot browse the internet despite opening port
80 in the INPUT rule?
However, when Chain INPUT is changed to ACCEPT, browsing the internet
works fine. (Note: Chain OUTPUT is ACCEPT for ALL.)
The configuration of my IPTABLES is as follows:
Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT udp -- anywhere anywhere udp spt:http
Note that my OUTPUT Rules are as follows:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have two network cards installed on my pc - running Red Hat 9.0
Routing for static routes is as follows:
xx.yy.zz.aa 0.0.0.0 255.255.255.0 U 0 0 0 eth0
xx.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 zz.zz.zz.zz 0.0.0.0 UG 0 0 0 eth1
Where zz.zz.zz.zz is my gateway to the internet.
eth0 - Interface with local address
eth1 - Interface with Internet address.
By the way, is there a way to save static routes? When I reboot
my PC, all routes are lost.
Thanks for any help.
gilles