hey there,
I'm having a problem with my iptables allowing DNS queries;
here is my F/w script:
----start script------
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
#$IPTABLES --policy INPUT DROP
#$IPTABLES --policy OUTPUT DROP
#$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state --state NEW -j ACCEPT

# Allow Squid to proxy http, https
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
---end script---
My squid won't work, nor does browsing from the local f/w box.
It does work if I change the default policy to DENY?
Any ideas? I'm running on RH9.0.
thanx
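An added example, not part of the original post and not the poster's script: a small POSIX sh script that builds the DNS-related part of a drop-by-default iptables rule set and, by default, prints the commands instead of executing them, so the rules can be reviewed before they are loaded on a box like the one above. It keeps the post's convention of matching outbound NEW connections to port 53 and relying on the ESTABLISHED,RELATED rule for the replies, but sets the chain policies explicitly (a --flush removes rules and leaves whatever policies were set earlier untouched) and appends a rate-limited LOG rule so packets that fall through to the DROP policy show up in the kernel log. The interface name eth0, the DRY_RUN variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate the DNS rules for a
# DROP-by-default firewall. DRY_RUN=1 (the default, a convention invented for
# this example) prints each iptables command instead of running it.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# dns_ruleset: rules needed for the firewall host itself to resolve names
# through the interface given as $1. Only the outbound NEW direction needs
# explicit port-53 rules; the answers come back as ESTABLISHED. tcp/53 is kept
# because resolvers retry large answers over TCP.
dns_ruleset() {
    inet="$1"
    # Policies are set explicitly: --flush drops rules but never resets policies.
    ipt --policy INPUT DROP
    ipt --policy OUTPUT DROP
    ipt --policy FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A OUTPUT -o "$inet" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$inet" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # Whatever reaches the end of OUTPUT is about to hit the DROP policy;
    # log it (rate limited) so a blocked resolver query is visible in syslog.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT drop: "
}

# count_dns_accepts: number of explicit port-53 ACCEPT rules the set contains.
count_dns_accepts() {
    dns_ruleset "$1" | grep -c -- '--dport 53 .* -j ACCEPT'
}

# Print the rule set for the Internet-facing interface used in the post.
dns_ruleset eth0
```

Run it as-is to review the commands, then with DRY_RUN=0 as root to load them; afterwards `iptables -L OUTPUT -n -v` shows the per-rule packet counters, which is the quickest way to see whether a DNS query is matching the port-53 rule or falling through to the LOG rule and the policy.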