iptables input DROP rule

From: "Tony" <tony.wong@stanford.edu>
Date: Wed, 29 May 2002 14:17:52 -0700

Trying to set up an iptables firewall on a web server.

I have the policy as follows:

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# Drop fragments and anything conntrack cannot classify
-A INPUT -i eth1 -f -j DROP
-A INPUT -i eth1 -p tcp -m state --state INVALID -j DROP
# A NEW connection must start with a bare SYN; drop anything else claiming to be NEW
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
# Accept SYNs (to any port) and bare RSTs, rate-limited to one per second
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT

# Packets of already-tracked connections are accepted only toward port 80
-A INPUT -i eth1 -p tcp -m state --state ESTABLISHED -m tcp --dport 80 -j ACCEPT
COMMIT

Then when I try to access a web page on this server, the page comes up, but
very, very slowly. It looks like some graphics are not being loaded.

Then I changed the rule to:

:INPUT ACCEPT

and then the page and graphics loaded very quickly. Why is that? What ports
do I need to open?

Thanks
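Editor's note, not part of the original post: the rule that accepts SYNs,
"--tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT", is what
throttles the page. The limit match lets through a burst of 5 packets by
default and then one packet per second, so after the first five TCP
connections every further connection (and a browser opens one per image
in parallel) waits for a token, one per second. Two other points in the
posted set are worth noting: the SYN rule has no --dport, so the kernel
answers SYNs to any listening service with a SYN-ACK (a port scanner sees
those ports as open) even though the rest of the handshake is then dropped
by the port-80-only ESTABLISHED rule; and nothing accepts loopback traffic,
which the INPUT DROP policy otherwise discards. The ruleset below is an
added example in the same iptables-restore format, not the poster's own
configuration. It assumes eth1 is the public interface and that only HTTP
(port 80) has to be reachable from it; add a similar NEW rule for 443 or 22
if those services are also exposed.

```iptables
# Added example, not from the original post. Assumes eth1 is the public
# interface and that only HTTP (80) must be reachable from it.
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# Loopback must be allowed or local services (resolver, monitoring) break
-A INPUT -i lo -j ACCEPT

# Drop fragments and packets conntrack cannot classify
-A INPUT -i eth1 -f -j DROP
-A INPUT -i eth1 -m state --state INVALID -j DROP

# Packets of connections we already track, on any port (the posted set
# only accepted ESTABLISHED traffic toward --dport 80, which also broke
# the return half of every outbound connection the server itself made)
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# A NEW connection must start with a bare SYN; drop anything else marked NEW
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP

# Open only the web port, and without -m limit: rate-limiting accepted
# SYNs to 1/sec is what made the page crawl
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

# Everything else falls through to the DROP policy; log a sample of it,
# rate-limited so an attacker cannot flood the log
-A INPUT -i eth1 -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
```

Load it with "iptables-restore < rules" and then watch the per-rule
counters with "iptables -L INPUT -v -n" while fetching a page with many
images: the --dport 80 NEW rule and the ESTABLISHED,RELATED rule should
account for almost all packets, and the LOG rule should stay quiet. On a
current kernel "-m conntrack --ctstate" is the preferred spelling of
"-m state --state"; the semantics shown here are unchanged.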