  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    7

    iptables problem stop internet use


    Hi all, I've set my firewall up to block all ports for tcp, udp and icmp except 80 tcp and 53 tcp, but I can't use the internet; if I remove tcp and udp it works. If you need more information, yell out.

    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    iptables -I INPUT -p tcp --dport 53 -j ACCEPT
    iptables -I INPUT -p tcp -j DROP
    iptables -I INPUT -p udp -j DROP
    iptables -I INPUT -p icmp -j DROP

    Any help thanks

  2. #2
    Linux User cyberinstru
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    Crimp,

    One clarification:
    1. Are you blocking all the traffic except TCP 80 and UDP 53 from WAN to LAN or LAN to WAN?

    My assumptions:
    1. You are trying to block traffic from LAN to WAN except TCP 80 and UDP 53
    2. All traffic from WAN to LAN is blocked

    Suggestions based on my assumptions:

    1. Make your FORWARD chain ACCEPT by default
    2. Make your INPUT and OUTPUT chains DROP by default
    3. Allow all RELATED, ESTABLISHED packets originating from your WAN (external) interface in the INPUT chain
    4. Allow TCP 80 and UDP 53 packets originating from your LAN interface in the OUTPUT chain
    5. Allow any traffic from your loopback interface in both INPUT/OUTPUT chains

    Please lemme know if you have any issues...


  3. #3
    Just Joined!
    Join Date
    Jan 2007
    Posts
    7
    I've changed the rules so the output chain (LAN to WAN) is open for 80 and 53 and blocked all input (WAN to LAN) except the web server on 80, but it still blocks internet use. I thought that maybe I'm blocking a port like 53 (DNS) that is stopping it; the web browser gets to the stage where it says "connecting to such and such".

    What will making my FORWARD chain accept by default do?

    the rules
    iptables -F
    iptables -I OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -I OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -p icmp -j DROP
    iptables -I INPUT -p tcp --dport 3600 -j ACCEPT
    # iptables -I INPUT -p udp -j DROP   # to make it work these two have to be hashed out
    # iptables -I INPUT -p tcp -j DROP
    iptables -L


    thanks

  4. #4
    Linux User cyberinstru
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    crimp,
    The problem is simple, if I have understood it correctly.

    You have mentioned that if you hash out the two lines, it works.

    Of course, yes, because the parameter that you use is 'iptables -I'. '-I' is used to insert a rule. When '-I' is given without the place of insertion, the rule simply gets inserted at the top of everything.

    Your last rule "iptables -I INPUT -p tcp -j DROP" sits on top of everything, DROPPING all your TCP packets.

    So instead of "-I" use "-A".


    Quote Originally Posted by crimp

    the rules
    iptables -F
    iptables -I OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -I OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -p icmp -j DROP
    iptables -I INPUT -p tcp --dport 3600 -j ACCEPT
    # iptables -I INPUT -p udp -j DROP   # to make it work these two have to be hashed out
    # iptables -I INPUT -p tcp -j DROP
    iptables -L
    Let me know if you have issues again.

    Cheers

  5. #5
    Just Joined!
    Join Date
    Jan 2007
    Posts
    7
    Thanks cyberinstru for your suggestion, but it still doesn't work. I tried only making the drop tcp and udp rules with -A, and then all of them. I used numbers so the rules will be in order ("iptables -I INPUT 1 -p tcp -j DROP"), but still nothing.

    any more help appreciated

    Thanks

  6. #6
    Linux User cyberinstru
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    Huh! Can you post your iptables rules here?

  7. #7
    Just Joined!
    Join Date
    Jan 2007
    Posts
    7
    iptables -F
    iptables -I OUTPUT 1 -p tcp --dport 80 -j ACCEPT
    iptables -I OUTPUT 2 -p tcp --dport 53 -j ACCEPT
    iptables -I OUTPUT 3 -p udp --dport 53 -j ACCEPT

    iptables -I INPUT 1 -p tcp --dport 3600 -j ACCEPT
    iptables -A INPUT -p tcp -j DROP
    iptables -A INPUT -p udp -j DROP
    iptables -A INPUT -p icmp -j DROP
    iptables -L

  8. #8
    Just Joined!
    Join Date
    Jan 2007
    Posts
    44
    The problem is that the subsequent packets that are coming to your computer are not allowed by default, try these

    # this will enable unrestricted traffic for your local loopback adapter
    # (INPUT matches on the input interface with -i, OUTPUT on the output interface with -o)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # This will enable state checking and will allow previously established connections to work
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # now for the actual rule to allow inbound traffic to the webserver and to the dns server.

    iptables -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT

    Substitute the corresponding rules for the output chain.


    I hope this will help you.
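    The script below is an added example, not code from any poster in this thread. It puts cyberinstru's five suggestions from post #2 and the stateful rules from post #8 together into one complete ruleset, with the loopback rule for OUTPUT written with -o (the OUTPUT chain has no input interface, so iptables rejects -i there). The interface name eth0 for the WAN side and the choice to key the outbound HTTP/DNS rules on that interface are assumptions; adjust them to your box. By default it only prints the iptables commands it would run; set APPLY=1 and run it as root to load them.

```shell
#!/bin/sh
# Added example: complete stateful ruleset built from posts #2 and #8.
# WAN_IF is an assumption; change it to your external interface.
WAN_IF="${WAN_IF:-eth0}"
APPLY="${APPLY:-0}"

# Print the command unless APPLY=1, so the script can be reviewed first.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # Start from a clean slate (flush rules, delete user chains).
    ipt -F
    ipt -X

    # Steps 1 and 2: INPUT and OUTPUT drop by default, FORWARD accepts.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD ACCEPT

    # Step 5: loopback unrestricted in both directions.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Step 3 (and post #8): let connection tracking accept the replies to
    # connections this host opened. A web server's SYN-ACK comes back with
    # --dport set to our ephemeral port, so no "--dport 80" rule ever
    # matches it; only this rule lets it through.
    ipt -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Step 4: new outbound connections only for HTTP and DNS.
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # The one service exposed to the WAN side (the poster's web server on 80).
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Anything else falls through to the DROP policies set above.
}

# Self-check for print mode: how many rules depend on connection tracking
# for return traffic (expected: one in INPUT, one in OUTPUT).
count_state_rules() {
    firewall_rules | grep -c -- '--state ESTABLISHED,RELATED'
}

firewall_rules
```

    Rules are appended with -A on purpose, so they are evaluated in the order written; the ESTABLISHED,RELATED rules sit before the port-specific ones and the DROP policies catch whatever is left. After loading, `iptables -L -n -v --line-numbers` shows the resulting order and the packet counters per rule, which is the quickest way to see which rule a failing connection actually hits.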
