Hi, TCP is a query-and-reply protocol.

As you are using ipchains, don't forget to open up your high ports (1024 and up) so that traffic that is sent out can come back to you via these high ports. If you don't, you won't be getting any replies and all your connections will time out waiting for a reply... it would be a one-way conversation because your default rule drops them. And you won't be able to explicitly define them in your script because connections to these high ports are usually dynamically assigned.

If you think ipchains is cool, check out iptables and its stateful filtering. :)

[EMAIL PROTECTED] wrote:
>Hi all!
>
>I'm fiddling with ipchains for the first time and it's cool!
>
>The problem is that now I can't surf the web or ping any other servers. I
>guess it's because I set it up to only let packets in from certain servers.
>How does one set up ipchains so I can surf and ping?
>
>Here's what I've got in my script. Addresses and interface names have been
>changed to "protect the innocent". Any help would be greatly appreciated.
>I miss surfing already...
>
>Thanks! God bless!
>--------------------------------------------------------------------------
>
>#!/bin/bash
>#
># This is an ipchains configuration script. It does the
># following:
>#
># 1. Flushes old rulesets
># 2. Set default policies
># 3. Allow local interfaces (loopback and eth0)
># 4. Deny address blocks we should never see including the local address
>#    block (192.168.1.0/24)
># 5. Allow some inbound services
># 6. Allow DNS query responses
># 7. Deny all other packets and log them
>#
>#
># Flush old rulesets
>#
>ipchains -F input
>ipchains -F output
>ipchains -F forward
>#
>#
># Set default policies
>#
>ipchains -P input DENY
>ipchains -P output ACCEPT
>ipchains -P forward ACCEPT
>#
>#
># Allow local interface
>#
>ipchains -A input -i lo -j ACCEPT
>#
>#
># Deny address blocks we should never see including our local address
># block and log them (-l). The third block is the RFC 1918 range
># 192.168.0.0/16; the original line read 198.168.1.0/24, which is a
># public range and did not match the comment above.
>#
>ipchains -A input -i <interfacex> -s 10.0.0.0/8 -j DENY -l
>ipchains -A input -i <interfacex> -s 172.16.0.0/12 -j DENY -l
>ipchains -A input -i <interfacex> -s 192.168.1.0/24 -j DENY -l
>#
>#
># Allow incoming mail from ISP's mailserver and POP3 response
>#
>ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx -j ACCEPT
>ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx --sport 110 -j ACCEPT
>#
>#
># Allow DNS query responses from DNS (ipchains takes the source port
># directly after the source address, so "-s <addr> 53" is source port 53)
>#
>ipchains -A input -i <interfacex> -p udp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
>ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
>ipchains -A input -i <interfacex> -p udp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
>ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
>#
>#
># Deny all other packets and log them
>#
>ipchains -A input -j DENY -l
>#
># End of script
>
>
>-- [Manny Amador] ----------------------------- [[EMAIL PROTECTED]] --
> Member: Philippine League for Democratic Telecommunications, Inc.
> "Affordable Access for All!"
>-- [Distributed Development Network (DDN)] ------- [www.distdev.com] --
>_
>Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
>To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
>
>To subscribe to the Linux Newbies' List: send "subscribe" in the body to
>[EMAIL PROTECTED]
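The "open up your high ports" advice from the reply, written out as rules. This is an added example, not code from either poster: it assumes the external interface is eth0 and the ISP resolver is 192.0.2.53 (both are placeholders set at the top), and it shows the ipchains version beside the iptables stateful version the reply points at. With no arguments it only prints the rules; `apply` loads the ipchains ones.

```shell
#!/bin/sh
# Added example, not code from the original post: the "open the high ports"
# advice from the reply written out as ipchains rules, plus the iptables
# stateful equivalent. EXT_IF and DNS are assumed values; change them.
EXT_IF="${EXT_IF:-eth0}"        # assumption: the interface facing the ISP
DNS="${DNS:-192.0.2.53}"        # assumption: the ISP's resolver (documentation address)

# run: with DRY_RUN set, print the rule instead of loading it, so a ruleset
# can be reviewed (or diffed) before it is applied to a live box.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipchains_reply_rules: accept the return half of connections this host opens.
# ipchains keeps no connection state, so the closest we can get is: accept
# inbound packets aimed at the ephemeral range 1024-65535, but for TCP only
# packets that are NOT connection requests. "! -y" matches everything except
# SYN-without-ACK, so a remote host still cannot open a new connection to a
# daemon that happens to listen on a high port.
ipchains_reply_rules() {
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y --dport 1024:65535 -j ACCEPT
    # UDP has no handshake, so narrow it to answers from the resolver we ask
    # (ipchains takes the source port right after the source address).
    run ipchains -A input -i "$EXT_IF" -p udp -s "$DNS" 53 --dport 1024:65535 -j ACCEPT
    # ICMP: ping answers and the error types ping/traceroute/path-MTU rely on
    # (the ICMP type name goes in the port position of -s).
    run ipchains -A input -i "$EXT_IF" -p icmp -s 0/0 echo-reply -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -s 0/0 destination-unreachable -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -s 0/0 time-exceeded -j ACCEPT
}

# iptables_reply_rules: the same intent with connection tracking. The kernel
# remembers each outbound connection and one rule admits its replies, with no
# open high-port range at all; INVALID drops packets that match no known flow.
iptables_reply_rules() {
    run iptables -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -m state --state INVALID -j DROP
}

# Default to printing both rulesets; "apply" loads the ipchains rules for real.
case "${1:-show}" in
    show)  DRY_RUN=1; ipchains_reply_rules; iptables_reply_rules ;;
    apply) ipchains_reply_rules ;;
esac
```

Order matters: ipchains is first-match, so these ACCEPT lines have to sit before the final `ipchains -A input -j DENY -l` of the posted script; appended after it they never fire. The `! -y` trick is the whole difference between "open the high ports" and "open the box": without it, any service bound above 1024 on that interface becomes reachable from the outside.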
