Ipchains Woes

Author: Patrick Fleming EA
Date:  
Subject: Ipchains Woes
On Wed, 27 Feb 2002, Steve Holmes wrote:

> OK, I can lynx to other sites and I can ping along as I use numeric ip
> addresses. Here is the test firewall script I am currently using when I
> do this. BTW, ports 53 (both udp and tcp) do not yield me any thing. I
> use a regular name server at 24.221.30.3.
> ------------------
> #!/bin/sh
> # Firewall testing script
>
> # Default policies: deny everything arriving at or routed through the box,
> # let the firewall's own outbound traffic through
> ipchains -P input DENY
> ipchains -P forward DENY
> ipchains -P output ACCEPT
>
> # Masquerade the LAN (192.168.1.0/24) behind the firewall
> ipchains -A forward -s 192.168.1.0/24 -i eth1 -j MASQ
> # Accept everything on loopback and on eth0
> ipchains -A input -i lo -j ACCEPT
> ipchains -A input -i eth0 -j ACCEPT
> # Accept non-SYN TCP to unprivileged ports (replies to outbound connections)
> ipchains -A input -p tcp ! -y --dport 1024:65535 -j ACCEPT
> # Accept all ICMP
> ipchains -A input -p icmp -j ACCEPT


AHA! I think I see your problem.
ipchains requires traversal of all three chains: input, output and forward.
Add:
ipchains -A input -s 192.168.1.0/24 -i eth1 -j ACCEPT
ipchains -A output -s 192.168.1.0/24 -i eth1 -j ACCEPT
as well as for the other rules. I would be willing to bet that if you
tried:
ipchains -C input -p tcp -s $someip $someport -d $netinterface $someport -i eth1
on the command line it would return denied.
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list -
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>


--
Patrick Fleming, EA
Licensed to represent taxpayers
before Exam, Appeals, and Conference
divisions of the IRS
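As an added example (not part of the original thread, and not code from either poster), here is a small Python model of the chain traversal Patrick describes: a packet a LAN host sends through a masquerading ipchains box is checked against the input chain, then forward, then output, and any chain can end the walk. It implements only the subset of ipchains rule syntax used in the quoted script. The model also applies the documented meaning of `-i`: on the input chain it is the interface the packet arrived on, on the forward and output chains it is the interface the packet will leave by. Assumptions: eth1 is the LAN side and eth0 the outside (the thread implies but does not state this), the LAN host 192.168.1.10, the firewall's outside address 203.0.113.1, and the DNS query packet are all constructed for the example.

```python
# Added example, not from the original thread: a simplified model of how
# ipchains walks the input, forward and output chains for a routed packet.
# Interface roles, addresses and the sample packet are assumptions.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str            # arrival interface in input; departure interface in forward/output
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN with ACK clear, what "ipchains -y" matches


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                                # ACCEPT, DENY or MASQ
    iface: Optional[str] = None                # -i
    src: Optional[str] = None                  # -s network/prefix
    proto: Optional[str] = None                # -p
    dport: Optional[Tuple[int, int]] = None    # --dport lo:hi
    not_syn: bool = False                      # "! -y"

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.not_syn and p.syn:
            return False
        return True


# Chain policies from the quoted script (ipchains -P ...)
POLICY = {"input": "DENY", "forward": "DENY", "output": "ACCEPT"}


def run_chain(chain: str, rules, pkt: Packet) -> str:
    """First matching rule's target in `chain`, else the chain policy."""
    for r in rules:
        if r.chain == chain and r.matches(pkt):
            return r.target
    return POLICY[chain]


def traverse(rules, pkt_in: Packet, out_iface: str, ext_ip: str) -> Tuple[str, str]:
    """Walk input -> forward -> output for a packet the firewall routes on.
    Returns (verdict, chain where the walk ended).  Simplified: no local
    delivery and no de-masquerading of return traffic."""
    v = run_chain("input", rules, pkt_in)
    if v != "ACCEPT":
        return v, "input"
    pkt_out = replace(pkt_in, iface=out_iface)      # -i now names the departure interface
    v = run_chain("forward", rules, pkt_out)
    if v not in ("ACCEPT", "MASQ"):
        return v, "forward"
    if v == "MASQ":
        pkt_out = replace(pkt_out, src=ext_ip)      # source rewritten to the firewall's address
    v_out = run_chain("output", rules, pkt_out)
    if v_out != "ACCEPT":
        return v_out, "output"
    return v, "output"


# The quoted test script, as Rule objects in the same order.
ORIGINAL = [
    Rule("forward", "MASQ", iface="eth1", src="192.168.1.0/24"),
    Rule("input", "ACCEPT", iface="lo"),
    Rule("input", "ACCEPT", iface="eth0"),
    Rule("input", "ACCEPT", proto="tcp", not_syn=True, dport=(1024, 65535)),
    Rule("input", "ACCEPT", proto="icmp"),
]
# Patrick's suggested input rule: let the LAN's packets in on eth1.
LAN_INPUT = Rule("input", "ACCEPT", iface="eth1", src="192.168.1.0/24")
# Extra step shown by this model: on the forward chain -i is the interface the
# packet leaves by, so the MASQ rule has to name the outside interface (assumed eth0).
MASQ_OUT = Rule("forward", "MASQ", iface="eth0", src="192.168.1.0/24")

# Constructed sample: a LAN host's DNS query to the name server named in the thread.
DNS_QUERY = Packet("udp", "192.168.1.10", "24.221.30.3", "eth1", sport=1025, dport=53)


def verdicts():
    """Verdict and deciding chain for the DNS query under three rule sets."""
    ext = "203.0.113.1"   # assumed outside address of the firewall
    return {
        "original": traverse(ORIGINAL, DNS_QUERY, "eth0", ext),
        "with_input_rule": traverse([LAN_INPUT] + ORIGINAL, DNS_QUERY, "eth0", ext),
        "with_both": traverse([LAN_INPUT, MASQ_OUT] + ORIGINAL, DNS_QUERY, "eth0", ext),
    }


if __name__ == "__main__":
    for name, (verdict, chain) in verdicts().items():
        print(f"{name:16s} {verdict:7s} decided in {chain}")
```

Under the original rules the query is denied by the input chain's policy, which is the point of the reply: nothing on the input chain matches a UDP packet arriving on eth1. Adding the input rule moves the decision to the forward chain, where the quoted MASQ rule never matches because the packet is leaving by eth0, not eth1; with a MASQ rule for the outside interface the packet is masqueraded and passes the output chain's ACCEPT policy. On a real ipchains box the equivalent check, without changing the rule set, is `ipchains -C input -p udp -s 192.168.1.10 1025 -d 24.221.30.3 53 -i eth1`, which prints the verdict (denied, accepted or masqueraded).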