IPTables Rules limit me from Pinging using DNS help!!

baldhead (Technical User, joined Apr 27, 2004, 111 messages, location: US)
Here's a script I'm using to create some tables which will only allow in on ports I'm running services. One of the problems I'm having is that I can't ping the Internet with a DNS address from this machine. I've allowed everything in the OUTPUT table and can ping the Internet when using a straight IP, but when I type in "ping google.com" the machine hangs for a few seconds and gives me a server request error. I know it's something with my rules because when I flush them all I can ping google.com just fine. Any ideas would be greatly appreciated. I'm guessing it's something trivial but can't put my finger on it yet.

thanks

#!/bin/bash
########## Beginning ###########################################################

# Define Interfaces/Networks

# Inside/Intranet Interface
INSIDEIP="192.168.7.55"
INSIDEINT="eth0"

# External/Internet Interface (not used yet)
# OUTSIDEIP=
# OUTSIDEINT=

# LAN Network
LAN="192.168.7.0/24"

# Admin Host
ADMIN="192.168.7.51"

# Define other Variables

RULE="/usr/sbin/iptables"

# Logging rules (note: these are appended here and then discarded again by the flush below)
$RULE -A INPUT -j LOG
$RULE -A OUTPUT -j LOG
$RULE -A FORWARD -j LOG

# Default policies: anything not matched by an ACCEPT rule is dropped
$RULE -P INPUT DROP
$RULE -P OUTPUT DROP
$RULE -P FORWARD DROP

# Flushing All rules/chains
$RULE -F INPUT
$RULE -F OUTPUT
$RULE -F FORWARD

# Adding Permittable Network/Hosts/Ports to Input Table on Internal Interface

# Allowing DNS,FTP,SSH,Webmin,HTTP,SWAT,and Samba to Server

$RULE -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 21 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 22 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 53 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 80 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 137 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 138 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 139 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp --dport 445 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 901 -d $INSIDEIP -j ACCEPT
$RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 10000 -d $INSIDEIP -j ACCEPT

# Denying Everything on Local Network (handled by the INPUT DROP policy above)

# Adding entry to allow everything originating from Internal Interface out
$RULE -A OUTPUT -j ACCEPT

########## END ################################################################
 
You need a rule for return packets to get back in, something like...

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
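Why the reply above fixes it: the script accepts inbound ICMP, so echo replies to a ping by IP get in, but the DNS lookup that "ping google.com" does first goes out over UDP to port 53 and its answer comes back as a UDP packet that no INPUT rule matches, so the INPUT DROP policy eats it. A stateful rule lets every reply to a connection this host opened back in. The script below is an added example, not the poster's script or the reply's exact rule; it uses the thread's interface, addresses and ports but is otherwise an assumption about how one would rebuild the ruleset. It prints the commands instead of applying them, so the ordering can be checked (return-traffic rule before the logging rule) before anything touches the live firewall.

```shell
#!/bin/sh
# Added example: stateful version of the thread's ruleset, generated as text.
# Values below are the thread's own; everything else is an assumption.
INSIDEIP="192.168.7.55"
INSIDEINT="eth0"
ADMIN="192.168.7.51"
IPT="/usr/sbin/iptables"

# Print the rules, one command per line. Nothing is applied here.
gen_rules() {
    # Flush first, then default-deny policies.
    printf '%s\n' \
        "$IPT -F INPUT" "$IPT -F OUTPUT" "$IPT -F FORWARD" \
        "$IPT -P INPUT DROP" "$IPT -P OUTPUT DROP" "$IPT -P FORWARD DROP"
    # Loopback and return traffic go before any per-port rule: this is what
    # lets the UDP/53 answer (and any other reply to our own requests) back in.
    printf '%s\n' \
        "$IPT -A INPUT -i lo -j ACCEPT" \
        "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP" \
        "$IPT -A INPUT -i $INSIDEINT -p icmp -j ACCEPT"
    # Services open to the whole LAN, then admin-host-only services.
    for port in 21 53 80 137 138 139 445; do
        printf '%s\n' "$IPT -A INPUT -i $INSIDEINT -p tcp --dport $port -d $INSIDEIP -j ACCEPT"
    done
    for port in 22 901 10000; do
        printf '%s\n' "$IPT -A INPUT -i $INSIDEINT -p tcp -s $ADMIN --dport $port -d $INSIDEIP -j ACCEPT"
    done
    # Log what is about to fall through to the DROP policy (rate-limited),
    # and keep the thread's allow-everything-out OUTPUT rule.
    printf '%s\n' \
        "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '" \
        "$IPT -A OUTPUT -j ACCEPT"
}

# Sanity check on the generated text: the return-traffic ACCEPT must exist in
# INPUT and must precede the LOG rule, otherwise replies are logged as drops.
check_rules() {
    rules=$(gen_rules)
    ret=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED' | cut -d: -f1)
    log=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT .*-j LOG' | cut -d: -f1)
    [ -n "$ret" ] && [ -n "$log" ] && [ "$ret" -lt "$log" ]
}

# Apply only when explicitly asked, as root:  sh firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    check_rules || { echo "rule check failed, nothing applied" >&2; exit 1; }
    gen_rules | sh -e
fi
```

Run it without arguments to review the rule list; `--apply` pipes the same lines into a shell. After applying, `iptables -L INPUT -v -n --line-numbers` should show the conntrack rule at the top with a growing packet counter once `ping google.com` resolves. The `-m state --state ESTABLISHED,RELATED` form from the reply does the same job; `-m conntrack --ctstate` is the name current iptables uses for it.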
 
yep thanks, that was it
 