Iptables Configuration Problem
Hey everybody I've read this forum for a while now, but never posted..so here goes post #1.
I am trying to create a simple iptables configuration script. This is for a machine that only needs to be able to ping other machines and get upgrades via http. Note that it doesn't need to be able to be pinged back and isn't a web server.
So far I this is what I have:
# Primary network interface
# Flush, Delete, and Zero all current chains
# Only accept input and output traffic
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
# Make new chains for output (p-out) and input (p-in)
iptables -N p-out
iptables -N p-in
# Redirect all output traffic to 'p-out' and all input traffic to 'p-in'
iptables -A OUTPUT -j p-out
iptables -A INPUT -j p-in
# Block all input and output traffic
iptables -A p-out -o $iface -j DROP
iptables -A p-in -i $iface -j DROP
# Accept all LOOPBACK (lo) traffic
iptables -A p-out -o lo -j ACCEPT
iptables -A p-in -i lo -j ACCEPT
# Allow pinging
iptables -A p-out -o $iface -p icmp -m icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A p-in -i $iface -p icmp -m icmp --icmp-type 8 -m state --state ESTABLISHED -j ACCEPT
# Allow HTTP
iptables -A p-out -o $iface -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A p-in -i $iface -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
Unfortunately this does not work. I can ping 'localhost' and thats about all I can do with this script. I was hoping somebody could point out what I did wrong. Also any tips on how to reduce this even further would be great.