Please help confused iptables user



Hi - I'm using iptables v1.2.11 under Debian Sarge.

I'm trying to install a very basic firewall to lock down a secondary DNS/MX
box, and having some problems. Specifically, the outgoing requests I want
don't work (either timing out or getting not permitted):

Here's what I got - can anyone give me any tips? Any help much appreciated.

<snip some variables>

iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -F
iptables -F INPUT
iptables -F OUTPUT

# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# packets belonging to connections conntrack already knows about
iptables -A INPUT -i $ETHERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# anti-spoofing: my own address arriving from outside, a foreign source
# address leaving, and RFC 1918 sources arriving
iptables -A INPUT -i $ETHERNET -s $MYIP -j DROP
iptables -A OUTPUT -o $ETHERNET -s ! $MYIP -j DROP
iptables -A INPUT -i $ETHERNET -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $ETHERNET -s 172.16/12 -j DROP
iptables -A INPUT -i $ETHERNET -s 192.168/16 -j DROP

# WHY DOES THIS NOT WORK GOING OUT?
# ssh: inbound to port 22, and packets leaving from port 22
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 22 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 22 -j ACCEPT

# DNS: queries out to port 53, answers back from port 53 (udp and tcp)
iptables -A INPUT -i $ETHERNET -p udp -d $MYIP --sport 53 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p udp -s $MYIP --dport 53 -j ACCEPT
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --sport 53 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --dport 53 -j ACCEPT

# SMTP: out to port 25, back from port 25
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --dport 25 -j ACCEPT
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --sport 25 -j ACCEPT

# NTP
iptables -A OUTPUT -o $ETHERNET -p udp -s $MYIP --dport 123 -j ACCEPT
iptables -A INPUT -i $ETHERNET -p udp -d $MYIP --sport 123 -j ACCEPT

# rsync
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --sport 873 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --dport 873 -j ACCEPT

# HTTP, only to the package mirrors
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP -d mirror.bytemark.co.uk --dport 80 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP -d security.debian.org --dport 80 -j ACCEPT

# broadcast / multicast
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# log whatever falls through before the chain policy (DROP) applies
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG

[ends]
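Added here as an example, not part of the post: a small Python model of iptables first-match chain evaluation over a subset of the rules above, so you can see which rule a given packet hits and where a packet falls through to the DROP policy. "eth0" and 192.0.2.10 are constructed stand-ins for $ETHERNET and $MYIP, and conntrack is assumed to be classifying packets so the state match sees NEW versus ESTABLISHED.

```python
ETH, MYIP = "eth0", "192.0.2.10"   # constructed stand-ins for $ETHERNET / $MYIP
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}   # iptables -P ... DROP

def rule(chain, target, **match):
    return (chain, match, target)

# The posted chains, reduced to the loopback, state, anti-spoof, ssh, DNS
# (udp), SMTP and LOG rules, in the same order as in the script.
RULES = [
    rule("INPUT", "ACCEPT", iface="lo"),
    rule("OUTPUT", "ACCEPT", iface="lo"),
    rule("INPUT", "ACCEPT", iface=ETH, state={"ESTABLISHED", "RELATED"}),
    rule("OUTPUT", "ACCEPT", iface=ETH, state={"ESTABLISHED", "RELATED"}),
    rule("INPUT", "DROP", iface=ETH, src=MYIP),
    rule("INPUT", "ACCEPT", iface=ETH, proto="tcp", dst=MYIP, dport=22),
    rule("OUTPUT", "ACCEPT", iface=ETH, proto="tcp", src=MYIP, sport=22),
    rule("INPUT", "ACCEPT", iface=ETH, proto="udp", dst=MYIP, sport=53),
    rule("OUTPUT", "ACCEPT", iface=ETH, proto="udp", src=MYIP, dport=53),
    rule("OUTPUT", "ACCEPT", iface=ETH, proto="tcp", src=MYIP, dport=25),
    rule("INPUT", "ACCEPT", iface=ETH, proto="tcp", dst=MYIP, sport=25),
    rule("INPUT", "LOG"),
    rule("OUTPUT", "LOG"),
]

def matches(match, pkt):
    """Every match key must agree with the packet; 'state' is a set test."""
    for key, want in match.items():
        if key == "state":
            if pkt.get("state") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def trace(chain, pkt):
    """First-match walk of one chain: returns (verdict, indexes of rules hit).
    LOG is non-terminating, so it is recorded and the walk continues; a packet
    that reaches the end of the chain gets the chain policy."""
    hits = []
    for i, (c, match, target) in enumerate(RULES):
        if c != chain or not matches(match, pkt):
            continue
        hits.append(i)
        if target in ("ACCEPT", "DROP"):
            return target, hits
    return POLICY[chain], hits

def pkt(**fields):
    """A packet as conntrack presents it: NEW on eth0 unless overridden."""
    base = {"iface": ETH, "state": "NEW"}
    base.update(fields)
    return base

# A new outbound ssh connection from the box uses an ephemeral source port,
# so only the OUTPUT LOG rule (index 12) sees it before the policy applies.
OUT_SSH = trace("OUTPUT", pkt(proto="tcp", src=MYIP, dst="198.51.100.5",
                              sport=40000, dport=22))   # -> ('DROP', [12])
```

Contrast this with an outbound DNS query, which hits the --dport 53 OUTPUT rule, and with the answer coming back, which the ESTABLISHED rule on INPUT accepts before any port-specific rule is consulted.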
