On Wed, 27 Feb 2002, Steve Holmes wrote:
> OK, I can lynx to other sites and I can ping along as I use numeric ip
> addresses. Here is the test firewall script I am currently using when I
> do this. BTW, ports 53 (both udp and tcp) do not yield me anything. I
> use a regular name server at 24.221.30.3.
> ------------------
> #!/bin/sh
> # Firewall testing script
>
> ipchains -P input DENY
> ipchains -P forward DENY
> ipchains -P output ACCEPT
>
> ipchains -A forward -s 192.168.1.0/24 -i eth1 -j MASQ
> ipchains -A input -i lo -j ACCEPT
> ipchains -A input -i eth0 -j ACCEPT
> ipchains -A input -p tcp ! -y --dport 1024:65535 -j ACCEPT
> ipchains -A input -p icmp -j ACCEPT

AHA! I think I see your problem. ipchains requires traversal of all three
chains: input, output, forward. Add:

ipchains -A input -s 192.168.1.0/24 -i eth1 -j ACCEPT
ipchains -A output -s 192.168.1.0/24 -i eth1 -j ACCEPT

as well as for the other rules. I would be willing to bet that if you tried:

ipchains -C input -p tcp -s $someip $someport -d $netinterface $someport -i eth1

on the CL it would return denied.

> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
Patrick Fleming, EA
Licensed to represent taxpayers before Exam, Appeals, and Conference divisions of the IRS
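As an added illustration (written for this page, not code from either poster): a small Python model of the input -> forward -> output traversal that Patrick describes, loaded with the rules from Steve's quoted script. It assumes, as Patrick's reply does, that eth1 is the interface the 192.168.1.0/24 LAN arrives on, and it simplifies ipchains by comparing -i against one interface field in every chain. The two packets are constructed: a DNS query from a LAN host (the port 53 case Steve mentions) and a ping from the same host (which he reports working). The `route_packet` function returns the first chain that denies the packet, so you can see that the DNS query dies in the input chain before the forward rule is ever consulted, and that appending Patrick's input rule lets it through.

```python
# Added example, not from the thread: toy model of ipchains chain traversal.
# Assumptions: eth1 carries the 192.168.1.0/24 LAN (as in Patrick's reply);
# only the match options used in the quoted script are modelled, and -i is
# matched against a single "iface" field in every chain (a simplification).
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple, List, Dict


@dataclass
class Rule:
    target: str                              # ACCEPT, DENY or MASQ
    src: Optional[str] = None                # -s, as CIDR
    iface: Optional[str] = None              # -i
    proto: Optional[str] = None              # -p
    syn: Optional[bool] = None               # True for -y, False for "! -y"
    dport: Optional[Tuple[int, int]] = None  # --dport low:high

    def matches(self, pkt: Dict) -> bool:
        # Every option given on the rule must match; absent options match anything.
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.iface and pkt["iface"] != self.iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.syn is not None and pkt.get("syn", False) != self.syn:
            return False
        if self.dport and not (self.dport[0] <= pkt.get("dport", 0) <= self.dport[1]):
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Dict) -> str:
        # First matching rule wins; with no match the chain policy applies.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def steves_ruleset() -> Dict[str, Chain]:
    """The quoted test script, translated rule by rule."""
    return {
        "input": Chain("DENY", [
            Rule("ACCEPT", iface="lo"),
            Rule("ACCEPT", iface="eth0"),
            Rule("ACCEPT", proto="tcp", syn=False, dport=(1024, 65535)),
            Rule("ACCEPT", proto="icmp"),
        ]),
        "forward": Chain("DENY", [
            Rule("MASQ", src="192.168.1.0/24", iface="eth1"),
        ]),
        "output": Chain("ACCEPT"),
    }


def with_patricks_fix(chains: Dict[str, Chain]) -> Dict[str, Chain]:
    """Patrick's suggested input rule: accept the LAN arriving on eth1."""
    chains["input"].rules.append(Rule("ACCEPT", src="192.168.1.0/24", iface="eth1"))
    return chains


def route_packet(chains: Dict[str, Chain], pkt: Dict) -> Tuple[str, str]:
    """Walk input -> forward -> output for a packet the box must forward.
    Returns (chain, verdict): the first chain that denies the packet,
    or ("output", "ACCEPT") when all three chains let it through."""
    for name in ("input", "forward", "output"):
        v = chains[name].verdict(pkt)
        if v == "DENY":
            return (name, v)
    return ("output", "ACCEPT")


# Constructed sample packets from a LAN host behind eth1.
LAN_DNS_QUERY = {"src": "192.168.1.10", "iface": "eth1", "proto": "udp", "dport": 53}
LAN_PING = {"src": "192.168.1.10", "iface": "eth1", "proto": "icmp"}

if __name__ == "__main__":
    print("original, DNS query :", route_packet(steves_ruleset(), LAN_DNS_QUERY))
    print("original, ping      :", route_packet(steves_ruleset(), LAN_PING))
    print("with fix, DNS query :", route_packet(with_patricks_fix(steves_ruleset()), LAN_DNS_QUERY))
```

Under this model the ping is accepted by the `-p icmp` input rule and reaches the MASQ rule, which matches what Steve observes, while the UDP query to port 53 matches nothing in the input chain and hits its DENY policy; once the LAN is accepted in the input chain, the same packet reaches forward and output. The output chain already has an ACCEPT policy in the quoted script, so the model's result does not depend on the extra output rule Patrick also proposes.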