# Student Apache Iptables [solved]

## XenoTerraCide

Ok, I'm trying to learn Apache. I seem to have it blocked with iptables, however... someone tell me what's wrong in my firewall script. thx.

```
#!/bin/bash

IPTABLES='/sbin/iptables'

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#                                                                       RULE
$IPTABLES -P INPUT DROP                                                 #1

# SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT                  #2

# allow access to the HTTP server
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT                  #3
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT

# allow access to samba (netbios)
$IPTABLES -A INPUT --protocol udp --dport 137 -j ACCEPT                 #4
$IPTABLES -A INPUT --protocol udp --dport 138 -j ACCEPT                 #5
$IPTABLES -A INPUT --protocol tcp --dport 139 -j ACCEPT                 #6

# allow access to instant messengers
# MSN messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 1863 -j ACCEPT                #7
$IPTABLES -A INPUT --protocol tcp --dport 6891 -j ACCEPT                #8
#
# AIM line 1 is the messenger
$IPTABLES -A INPUT --protocol tcp --dport 5190 -j ACCEPT                #9
#
# Yahoo Messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 5050 -j ACCEPT                #10
$IPTABLES -A INPUT --protocol tcp --dport 4443 -j ACCEPT                #11

# accept loopback connections
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT                         #12

# accept related and established packets
$IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT #13

# accept rsync
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 873 -j ACCEPT         #14
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 873 -j ACCEPT         #15

# accept Limewire
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 6346 -j ACCEPT
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 6346 -j ACCEPT

# block invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP                     #16
```

And if anyone can tell me if my firewall is an otherwise good one I'd appreciate it. Oh, and I may be posting other questions here about my server in the next couple of days. I need to learn this for the Linux+ test.

Last edited by XenoTerraCide on Tue Dec 27, 2005 11:32 pm; edited 1 time in total

----------

## groovin

Shouldn't you have:

```
$IPTABLES -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

so iptables knows how to get out? I found this one on Google because I'm not an iptables kinda guy =).

If that doesn't help, perhaps Ethereal can give you some clues?

otherwise, bring on the other questions!

----------

## splooge

I don't see anything immediately wrong with your ruleset.  Can you get to your webserver after turning iptables off?

----------

## XenoTerraCide

Yeah, I can; that's how I know iptables is blocking it. As far as getting out, I wouldn't think that's the problem because I don't have anything blocking outgoing packets. I am, however, intending to write that part of the firewall at some point; it just hasn't seemed important yet. I'm gonna make a link to a year-old post, see if I can't get some of the people who helped me with the writing of the firewall over here.

----------

## magic919

Can you run

```
iptables -L -n -v
```

and paste the output please.

----------

## XenoTerraCide

```
Chain INPUT (policy DROP 48 packets, 8224 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1863
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6891
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5190
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5050
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4443
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
 1175  135K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6346
    1    59 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6346
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2263 packets, 174K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1179 89879 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
```

That what you want?

----------

## kadeux

Depending on your configuration (web client and/or nameserver on the same machine) you should consider adding an INPUT rule for udp/53.

BTW: If you are connected to the internet and not only testing locally, you should restrict netbios (Samba) to your local net.

----------

## XenoTerraCide

Bagh... I don't even have Samba running, and I never did get it working with this firewall up either... I wrote this back when I was living on campus with a large LAN... and I haven't bothered to take that out... um... I'm not hosting the nameserver... is there any way (and I'm 99% sure the answer is yes) to check which ports are being used when the firewall is down? I could probably use that to rewrite my iptables script.

----------

## PaulBredbury

These rules work: `iptables-restore < /var/lib/iptables/rules-save`

```
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT

*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s your.ip.address.hereCHANGETHIS!! -i eth0 -j ACCEPT
# Gentoo Rsync for the "emerge --sync" command.
-A INPUT -s 62.197.40.130 -p tcp --dport 873 -i eth0 -j ACCEPT
-A INPUT -s 134.184.49.5 -p tcp --dport 873 -i eth0 -j ACCEPT
-A INPUT -s 82.129.5.25 -p tcp --dport 873 -i eth0 -j ACCEPT
# Bind DNS server - port 53.
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Apache web server - port 80.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
# Apache web server SSL - port 443.
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
# Postfix email server - port 25.
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 25 -j ACCEPT
# Email using SSL - port 465.
-A INPUT -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 465 -j ACCEPT
COMMIT
```

----------

## XenoTerraCide

Interesting, inputting those rules doesn't work... huh... I still say I need to figure out what's active and what isn't. Maybe it's in my httpd.conf... still, I didn't change any port rules from default...

----------

## XenoTerraCide

Well, I know it's the INPUT chain... I just changed the rules on that from DROP to ACCEPT and it works... so where in INPUT is it... why isn't it working?

----------

## PaulBredbury

It could be the kernel config - does this show "=y" or "=m":

```
grep CONFIG_IP_NF_MATCH_STATE /usr/src/linux/.config
```

----------

## XenoTerraCide

Running that command as is shows

```
CONFIG_IP_NF_MATCH_STATE=y
```

 so... y

----------

## kadeux

 *PaulBredbury wrote:*   

> -A INPUT -s your.ip.address.hereCHANGETHIS!! -i eth0 -j ACCEPT

 

 *XenoTerraCide wrote:*   

> interesting inputing those rules doesn't work...

 

XenoTerraCide, have you changed this part: "your.ip.address.hereCHANGETHIS!!"?

The rules by PaulBredbury are in the format that is used by iptables-save. Have you used iptables-restore to read them in?

 *XenoTerraCide wrote:*   

> I still say i need to figure out what's active and what isn't.

 

Use netstat, nmap and similar tools.

Here's a simple example to find out on which port the print server is listening:

```
# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2453   1464/syslog-ng      /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     2560   15578/gpm           /dev/gpmctl
# /etc/init.d/cupsd start
 * Starting cupsd ...                                                                         [ ok ]
# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      6155/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           6155/cupsd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2453   1464/syslog-ng      /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     2560   15578/gpm           /dev/gpmctl
```

If you have compiled your kernel properly, you can use the LOG target to analyze your rules with syslog(-ng).

----------

## XenoTerraCide

Umm... I emerged Ethereal... but I'm not really sure how it's supposed to help me, groovin. I haven't used it before. As good a time as any to learn it, 'cause I know it's on the test... I don't want to fail the test a second time...

----------

## XenoTerraCide

Yeah... I changed the line... before I posted... I forgot to at first and it complained at me. And I read them in with iptables-restore. I'll look at the other stuff you have in your post, kadeux. For anyone who would like to try... the page I'm trying to host is at http://xenoterracide.dtdns.net; right now all that should say is hello world. But if I have the firewall up it won't pull anything up... the Apache index.html is there as well.

----------

## XenoTerraCide

```
SLAVE-I ~ # iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1528 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       67.185.188.6         0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       62.197.40.130        0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       134.184.49.5         0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       82.129.5.25          0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
  419 49007 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:443
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:25
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:465

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 422 packets, 30361 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Just for confirmation.

----------

## XenoTerraCide

From netstat -anp:

```
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      31218/apache
```

That's just the Apache entry; I have others.

----------

## XenoTerraCide

```
netstat -anp
```

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      31218/apache
tcp        0      0 67.185.188.6:44906      205.188.210.131:5190    ESTABLISHED 7701/gaim
tcp        0      0 67.185.188.6:42963      205.188.7.126:5190      ESTABLISHED 7701/gaim
tcp        0      0 67.185.188.6:52503      72.14.205.19:80         ESTABLISHED 29613/firefox-bin
tcp        0      0 67.185.188.6:48125      207.46.0.89:1863        ESTABLISHED 7701/gaim
tcp        0      0 67.185.188.6:55518      216.155.193.131:5050    ESTABLISHED 7701/gaim
tcp        0      1 67.185.188.6:34092      67.185.188.6:80         SYN_SENT    29613/firefox-bin
tcp        0      0 67.185.188.6:46298      63.240.93.147:80        ESTABLISHED 29613/firefox-bin
udp   103284      0 0.0.0.0:68              0.0.0.0:*                           6608/dhcpcd
```

----------

## kadeux

 *Quote:*   

> 72.14.205.19:80         ESTABLISHED 29613/firefox-bin 

 

OK, so you are Googling as a client on the machine which is your server when you make that screenshot:   :Surprised: 

 *Quote:*   

> Result of 'dig 19.205.14.72.in-addr.arpa.  A':
> 
> ; <<>> DiG 9.3.1 <<>> 19.205.14.72.in-addr.arpa. A
> ...

 

You could not connect to your web server with a web browser on the same machine when the firewall is up, right?

...and you are not running a local DNS server.

Thus your firewall setup needs a rule for DNS lookups to an external nameserver. To get answers from your nameserver, add the following rule:

```
$IPTABLES -A INPUT -p udp -m udp -s $NAMESERVER --sport 53 -d 0/0 -j ACCEPT
```

(Replace the variable $NAMESERVER; look in /etc/resolv.conf or maybe in your router settings.)

Have you tried to connect to your web server by IP address instead of the server name before?

BTW: Using a publicly accessible server additionally for browsing/messaging is not very secure.   :Wink: 

----------

## XenoTerraCide

Typing in the IP address doesn't work either. And if I were having DNS problems, wouldn't I have trouble finding anything by a domain name when the firewall is up? I have the firewall up right now; feel free to tell me if you can access it: http://xenoterracide.dtdns.net/ Funny, I can access http://xenoterracide.dtdns.net/index.html now; I don't think I could before with the firewall up. But I still can't access the helloworld page. ...oh, and I inserted your rule.

----------

## XenoTerraCide

Oh, and btw... this server... is my desktop... I like security, but it's not like this contains anything critical; this machine is half server, half toy. And the only person I'm serving for is me, and that's for educational purposes right now anyway. However, I kinda would like to have the firewall work... along with everything else, because I'm going to have my Windows laptop behind the firewall at some point and I'm tired of getting nailed by worms.

----------

## kadeux

 *http://xenoterracide.dtdns.net/ wrote:*   

> ```
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> ...
> ```

 

IP 67.185.188.6

I can access both pages. If your firewall is up (...and no, I will not be pentesting your box   :Smile:  ), your server/rules work as expected.

----------

## XenoTerraCide

OK... so you can see it... why can't I?... makes no sense...

----------

## XenoTerraCide

Wait... did it show up as HTML code by default, or did you view the code or something?

----------

## XenoTerraCide

```
iptables -L -n -v
```

```
Chain INPUT (policy DROP 380 packets, 60135 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       67.185.188.6         0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       62.197.40.130        0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       134.184.49.5         0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       82.129.5.25          0.0.0.0/0           tcp dpt:873
 9445 1111K ACCEPT     udp  --  *      *       68.87.77.130         0.0.0.0/0           udp spt:53
    2   286 ACCEPT     udp  --  *      *       68.87.72.130         0.0.0.0/0           udp spt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
 2060 2017K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   144 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:443
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:25
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:465
```

Those are my current rules... I have myself as allowed for all, so... I don't get it... I can see it through the web browser if I point to 127.0.0.1 but not if I point to my IP or the domain name.

Last edited by XenoTerraCide on Tue Dec 27, 2005 12:06 am; edited 1 time in total

----------

## kadeux

I viewed the source since I don't want to post a screenshot, and typing "hello world" wouldn't prove anything.   :Wink: 

PS: You post quicker than I can revisit this topic.   :Smile: 

In this part of the world it's bedtime. Good night.

----------

## XenoTerraCide

Sorry 'bout the fast posting... I post when I think of something. I also have the patience of a fruit fly lately.

----------

## magic919

Maybe you could mark this as [solved].

Not being able to get to your website via the 'external' IP happens on many routers.  My Netgear one stops me getting to it if I'm on the LAN.

You can pick up the overly complex firewall another day then  :Smile: 

----------

## XenoTerraCide

I was thinking about it... but um... you do realise that my desktop is the router, and that the server and browser are on the same machine, which is the desktop. And to me that doesn't make sense... it's not like there is an external hardware firewall between them.

----------

## magic919

 *XenoTerraCide wrote:*   

> you do realise that my desktop is the router

 

No.  But then I'm more of a computer geek than a clairvoyant.

----------

## XenoTerraCide

Perhaps, but I thought we had clarified earlier in this discussion that everything is on one machine. The network as of now consists of a cable modem, a switch, both of which shouldn't have a firewall... and the (desktop, router, server). The entire problem only involves one system, and neither the switch nor the modem should have any impact.

----------

## magic919

I don't think I saw the network set-up in the thread.  

All on one machine doesn't wash, as I can browse from one of my servers, to Apache on that machine (using the external IP) and it fails due to my Netgear router.  This is because I'd be looking for an external address and it would go via my default gateway, the router, as the LAN is all private IPs.

I can understand, now, that your set-up is different.  In the UK we can't run a cable modem off a switch as a rule due to it wanting to see just the one MAC address.

But we are some miles off topic.

----------

## XenoTerraCide

I never gave the full network setup... the switch is in place because I need to use it to connect the laptop I have to the net at the same time; I can remove it and it wouldn't mean anything. I'm thinking of buying a second NIC and cutting the switch out. But I do recall, I think, going over that the firewall, Apache and my browser were on the same machine... yeah, we are off topic, however. And I'd still like to know why I can't see my page when the firewall is up by pointing it to the domain name or my IP address. It's less of a problem 'cause I can check the page by pointing the browser to 127.0.0.1, but I shouldn't have to do that. Being that I'm a student in Linux/Unix network administration I need to get this solved, if even just for future reference. Honestly the page really isn't that important itself; it's the configuration of the system that's important. I don't think I'm going to close this until I've found the solution, or have been given an explanation as to why it will never work with these versions of the software, kernel, etc.

----------

## magic919

Why not try opening up the loopback rule.  There's no reason to have 127.0.0.1 in there.  Go for any src and dest and proto.

----------

## XenoTerraCide

huh? what do you mean?

----------

## magic919

Change this

```
Chain INPUT (policy DROP 380 packets, 60135 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
```

bit.

Get rid of the src from this command: `IPTABLES -A INPUT -i lo [-s 127.0.0.1] -j ACCEPT`

----------

## XenoTerraCide

Does it make any sense that that fixed the problem? Apparently my computer was making a call to lo with possibly my actual IP address... ugh... oh well, I get it now... never would have thought of that though. Kinda like I don't understand why amarok and other KDE apps make a call to lo. Ah well, thx for the help, I'm gonna mark this solved now.

----------

## magic919

I'd expected it would.  Glad it worked out.

You might want to tidy up the iptables rules next.  Get the related, established rule and stick it just below the loopback rule - that way you'll have the two most-used rules at the top of the chain.  Take out the references to your own IP.  Take out the incoming rules for port 53 unless you really do run a DNS server.

Have a look at www.pettingers.org . It helped me build my first iptables firewall.
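As an added example (not code from the thread or from anyone in it), here is a small Python lint that parses an `iptables -L -n -v` listing like the ones pasted in this thread and flags the loopback source restriction that turned out to be the problem, together with the tidy-up points in this post (position of the RELATED,ESTABLISHED rule, the blanket rule for the box's own IP, inbound port 53). The embedded listing is a constructed, trimmed copy of the INPUT chain posted earlier; the check names and messages are mine.

```python
"""Lint an `iptables -L -n -v` listing for the problems raised in this thread.
Added example, not code from the thread; the check names and messages are mine."""
import re

# Constructed sample input: a trimmed copy of the INPUT chain listing posted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 380 packets, 60135 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       67.185.188.6         0.0.0.0/0
 9445 1111K ACCEPT     udp  --  *      *       68.87.77.130         0.0.0.0/0           udp spt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
 2060 2017K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   144 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# One rule line: counters, target, proto, opt, in, out, src, dst, then optional match text.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+(?P<match>.*\S))?\s*$"
)
# Services in the thread's rules that only speak TCP; a udp dpt rule for them is dead weight.
TCP_ONLY_PORTS = {"80", "443", "25", "465"}


def parse_listing(text):
    """Return {chain: [rule dict, ...]} from `iptables -L -n -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts "):
            m = RULE_RE.match(line)
            if m:
                chains[current].append({k: v or "" for k, v in m.groupdict().items()})
    return chains


def lint_input_chain(chains):
    """Return [(rule_no, code, message), ...] for the INPUT chain, in rule order."""
    findings = []
    for no, r in enumerate(chains.get("INPUT", []), start=1):
        dport = next(iter(re.findall(r"\bdpt:(\d+)", r["match"])), None)
        # The thread's actual bug: a connection to any of the host's own addresses (the
        # public IP included) arrives on lo with that address as source, so a lo rule
        # pinned to -s 127.0.0.1 misses it and the chain's DROP policy wins.
        if r["in"] == "lo" and r["src"] != "0.0.0.0/0":
            findings.append((no, "LO_SRC_RESTRICTED",
                             f"loopback ACCEPT limited to source {r['src']}; use -i lo alone"))
        # magic919: the stateful rule belongs right below the loopback rule.
        if "RELATED,ESTABLISHED" in r["match"] and no > 2:
            findings.append((no, "EST_NOT_NEAR_TOP",
                             "RELATED,ESTABLISHED rule is not near the top of the chain"))
        # magic919: drop the blanket ACCEPT for the box's own IP.
        if r["prot"] == "all" and r["in"] != "lo" and "/" not in r["src"] and not r["match"]:
            findings.append((no, "ALL_FROM_SINGLE_HOST",
                             f"unconditional ACCEPT of all traffic from {r['src']}"))
        # magic919 / kadeux: inbound port 53 only makes sense on a real DNS server.
        if dport == "53":
            findings.append((no, "INBOUND_DNS_SERVER_RULE",
                             "accepts inbound DNS queries; remove unless this host serves DNS"))
        # udp rules for TCP-only daemons, as in the pasted rules for 80/443/25/465.
        if r["prot"] == "udp" and dport in TCP_ONLY_PORTS:
            findings.append((no, "UDP_FOR_TCP_SERVICE",
                             f"udp rule for a TCP-only service: {r['match']}"))
    return findings


if __name__ == "__main__":
    for no, code, msg in lint_input_chain(parse_listing(SAMPLE_LISTING)):
        print(f"INPUT rule {no}: {code}: {msg}")
```

Feed it the saved output of `iptables -L -n -v` instead of the sample to check a live box; nothing in it needs root.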

----------

## XenoTerraCide

Yeah, I was... along with creating a NAT; my laptop can't access the internet right now because they only give me one IP address, so I need to make my Linux box give it one and also be its firewall, blah blah blah.

----------

