This syntax is not allowed:

iptables -A INPUT -p tcp --syn -j DROP

is not a correct iptables command. Try it yourself from the command line and see the error printed. This is the correct one:

iptables -A INPUT -p tcp -m state --state NEW -j DROP

Fabio De Francesco

----- On Friday 21 March 2003 09:39, Vaessen, E.M.J. (Ed) wrote:
My home PC situation is very simple: it can connect via USB ADSL but it offers no services to the internet, where I only want to browse and download files. Also there is no local network. A simple situation that in my opinion needs only simple iptables rules for a firewall.
A command was suggested to be the quickest way to protection nirvana. I flushed all rules and then gave the command:
iptables -A INPUT -p tcp --syn -j DROP
But with this I could connect to my ISP (at least I saw my IP number popping up in /var/log/messages) but using the browser no site could be found. Some DNS problem I guess.
Trying another suggestion, the following script was used:
#!/bin/sh
# simple iptables firewall script
# denies all incoming or forwarding traffic, except as related to established outgoing connections.
# allows all outbound traffic.
# logs incoming traffic that is dropped.

IPTABLES="/sbin/iptables"
NIC="ppp0"
LOCAL="lo"

$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT

$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -A INPUT -i $LOCAL -j ACCEPT
$IPTABLES -A INPUT -i $NIC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit -j LOG
Well, that made things work perfectly. And still only a few lines needed!
Can anyone explain what is wrong with the first effort?
Ed
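As an added example that is not part of the original thread (neither Fabio's nor Ed's code), here is a parameterised, dry-run-capable version of the second script above. It assumes the uplink interface name is passed as the first argument and that /sbin/iptables with the "state" match is available (DRY_RUN=1 prints the commands instead of running them). Beyond Ed's script it adds a rate-limited log prefix so dropped packets are recognisable in /var/log/messages, and an explicit drop of INVALID-state packets on the uplink; both are additions of this example, not of the original.

```shell
#!/bin/sh
# Added example (not from the original thread): stateful ingress firewall for
# a single host with one uplink, e.g. ppp0. Default policy DROP on INPUT and
# FORWARD; only loopback and replies to connections this host opened are
# accepted; whatever falls through is rate-limit logged before the policy drops it.
# Assumptions: iptables with the "state" match; NIC passed as first argument;
# set DRY_RUN=1 to print the commands instead of executing them.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Emit the rule arguments, one iptables invocation per line, for uplink $1.
firewall_rules() {
    nic="$1"
    cat <<EOF
-F INPUT
-F FORWARD
-F OUTPUT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $nic -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $nic -m state --state INVALID -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "INPUT DROP: "
EOF
}

# Sanity check: how many rules ACCEPT traffic arriving on the uplink?
# For this policy the answer must be exactly one (the ESTABLISHED,RELATED rule);
# anything more would let unsolicited traffic in.
count_uplink_accepts() {
    firewall_rules "$1" | grep -c -- "-i $1 .*-j ACCEPT"
}

# Run (or, with DRY_RUN=1, print) every rule line through $IPTABLES.
apply_firewall() {
    nic="$1"
    firewall_rules "$nic" | while IFS= read -r args; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPTABLES $args"
        else
            # eval keeps the quoted --log-prefix value as a single argument
            eval "$IPTABLES $args"
        fi
    done
}

# Usage: ./firewall.sh ppp0      (prefix with DRY_RUN=1 to preview)
if [ -n "${1:-}" ]; then
    apply_firewall "$1"
fi
```

Preview with DRY_RUN=1 first; the printed lines are exactly what would be executed, so the ruleset can be reviewed before it is applied to a live uplink.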