- 01-09-2007 #1
iptables problem stop internet use
Hi all, I've set my firewall up to block all ports for tcp, udp and icmp except 80 tcp and 53 tcp, but I can't use the internet; if I remove tcp and udp it works. If you need more information, yell out.
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -j DROP
iptables -I INPUT -p udp -j DROP
iptables -I INPUT -p icmp -j DROP
Any help thanks
- 01-09-2007 #2
Crimp,
One clarification:
1. Are you blocking all the traffic except TCP 80 and UDP 53 from WAN to LAN or LAN to WAN?
My assumptions:
1. You are trying to block traffic from LAN to WAN except TCP 80 and UDP 53
2. All traffic from WAN to LAN is blocked
Suggestions based on my assumptions:
1. Make your FORWARD chain ACCEPT by default
2. Make your INPUT and OUTPUT chains DROP by default
3. Allow all RELATED, ESTABLISHED packets originating from your WAN (external) interface in the INPUT chain
4. Allow TCP 80 and UDP 53 packets originating from your LAN interface in the OUTPUT chain
5. Allow any traffic from your loopback interface in both INPUT/OUTPUT chains
Please lemme know if you have any issues...
- 01-09-2007 #3
I've changed the rules so the output chain (LAN to WAN) is open for 80 and 53 and blocked all input (WAN to LAN) except web server 80, but it still blocks internet use. I thought that maybe I'm blocking a port like 53 DNS that is stopping it; the web browser gets to the stage where it says connecting to such and such.
What will making my forward chains accept by default do?
the rules
iptables -F
iptables -I OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -p icmp -j DROP
iptables -I INPUT -p tcp --dport 3600 -j ACCEPT
# iptables -I INPUT -p udp -j DROP    # to make it work these two have to be hashed out
# iptables -I INPUT -p tcp -j DROP
iptables -L
thanks
- 01-10-2007 #4
crimp,
The problem is simple if I have understood it correctly.
You have mentioned that if you hash out the two lines, it works.
Of course, yes, because the parameter that you use is 'iptables -I'. '-I' is used to insert a rule. When '-I' is given without the place of insertion, the rule simply gets inserted on top of everything.
Your last rule "iptables -I INPUT -p tcp -j DROP" sits on top of everything, DROPPING all your TCP packets.
So instead of "-I" use "-A".
Let me know if you have issues again.
Originally Posted by crimp
Cheers
- 01-12-2007 #5
Thanks cyberinstru for your suggestion, but it still doesn't work. I tried only making the drop tcp and udp rules with -A and then all of them. I used numbers so the rules will be in order, "iptables -I INPUT 1 -p tcp -j DROP", but still nothing.
any more help appreciated
Thanks
- 01-12-2007 #6
- 01-13-2007 #7
iptables -F
iptables -I OUTPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 2 -p tcp --dport 53 -j ACCEPT
iptables -I OUTPUT 3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 3600 -j ACCEPT
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -L
- 01-13-2007 #8
The problem is that the subsequent packets that are coming to your computer are not allowed by default. Try these:
# this will enable unrestricted traffic for your local loopback adapter
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#This will enable state checking and will allow previously established connections to work
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# now for the actual rules to allow inbound traffic to the web server and to the DNS server
iptables -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
Substitute the corresponding rules for the output chain.
I hope this will help you.
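To see why -A versus -I and the ESTABLISHED,RELATED rule decide this thread, here is an added model of how a chain is evaluated, written for this page and not posted by anyone in it: the first matching rule wins, otherwise the chain policy applies. Rule, Chain and the three sample packets are constructed assumptions, not real iptables objects.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                        # ACCEPT or DROP
    proto: Optional[str] = None        # tcp, udp, icmp, or None for any protocol
    dport: Optional[int] = None        # destination port, None for any
    states: tuple = ()                 # conntrack states, e.g. ("ESTABLISHED", "RELATED")
    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (not self.states or pkt.get("state") in self.states))

@dataclass
class Chain:
    policy: str = "ACCEPT"             # the chain's default policy (iptables -P)
    rules: list = field(default_factory=list)
    def insert(self, rule: Rule, pos: int = 1):   # iptables -I [pos]: defaults to the top
        self.rules.insert(pos - 1, rule)
    def append(self, rule: Rule):                 # iptables -A: always goes to the bottom
        self.rules.append(rule)
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:                   # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy

def build_with_insert() -> Chain:
    """The first post's INPUT rules, issued in that order with -I: each lands on top."""
    chain = Chain()
    for rule in [Rule("ACCEPT", "tcp", 80), Rule("ACCEPT", "tcp", 53),
                 Rule("DROP", "tcp"), Rule("DROP", "udp"), Rule("DROP", "icmp")]:
        chain.insert(rule)
    return chain

def build_with_append_and_state() -> Chain:
    """Reply #8's shape with -A: stateful rule first, the service port, then the drops."""
    chain = Chain()
    for rule in [Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
                 Rule("ACCEPT", "tcp", 80), Rule("DROP", "tcp"), Rule("DROP", "udp")]:
        chain.append(rule)
    return chain

# Constructed packets: a fresh inbound web request, the reply half of a DNS lookup this
# host started (conntrack marks it ESTABLISHED), and an unsolicited UDP probe.
NEW_HTTP_REQUEST = {"proto": "tcp", "dport": 80, "state": "NEW"}
DNS_REPLY = {"proto": "udp", "dport": 40000, "state": "ESTABLISHED"}
UNSOLICITED_UDP = {"proto": "udp", "dport": 40000, "state": "NEW"}
```

With -I the three DROP rules end up above the ACCEPTs, so even the web request is dropped; with -A and the stateful rule, the DNS reply the host asked for is accepted while the unsolicited probe still hits the udp DROP.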