# can't connect to internet with my iptables

## queen

I have an iptables script that I want to use. The problem is that I can't connect to the internet when I enable it. Can someone tell me what's wrong with the script? Here is the script:

```
#!/bin/sh

# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth2"

# Flush current rules
#$IPTABLES -t nat -F
$IPTABLES -t filter -F
#$IPTABLES -t mangle -F

# Delete custom chains
#$IPTABLES -t nat -X
$IPTABLES -t filter -X
#$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
#$IPTABLES -t nat -P PREROUTING ACCEPT
#$IPTABLES -t nat -P OUTPUT ACCEPT
#$IPTABLES -t nat -P POSTROUTING ACCEPT
#$IPTABLES -t mangle -P PREROUTING ACCEPT
#$IPTABLES -t mangle -P INPUT ACCEPT
#$IPTABLES -t mangle -P FORWARD ACCEPT
#$IPTABLES -t mangle -P OUTPUT ACCEPT
#$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow https
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Allow http
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 80 --syn -j ACCEPT

# Allow inbound DNS requests from the wireless network.
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp --dport 53 -j ACCEPT

# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT

# Allow BitTorrent tracker capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6969 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6969 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT

# Allow linuxdc
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 29800 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 29800 -j ACCEPT

# Allow Donkey capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 8730 -j ACCEPT

# Allow Kad in emule capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 16687 -j ACCEPT

# Allow Msn capability to get files
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6891 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6891 -j ACCEPT

# Allow Msn
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1863 -j ACCEPT

# Allow ICQ
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5190 -j ACCEPT

## Allow GTALK
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5223 -j ACCEPT

# Allow rsync
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 873 -j ACCEPT
```

----------

## gentoo_dude

You cannot establish new connections from your computer on the outside:

```
# Allow loopback and outbound connections (variable name fixed: the script defines $PUBLIC_IF, not $PUBLIC_IP)
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o $PUBLIC_IF -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
```

NOTE:

Sorry, I just saw that your default policy for the OUTPUT chain is set to ACCEPT. What does `/sbin/iptables -L` look like?

----------

## didymos

Try changing this:

```
$IPTABLES -A INPUT -i lo -j ACCEPT
```

to

```
$IPTABLES -A INPUT -i ! <interface connected to Internet> -j ACCEPT
```

and change this:

```
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
```

to this:

```
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

It'd help to see what you've got in /etc/conf.d/net and to know whether or not you're also going through a router.

----------

## Hu

Instead of iptables -L, use iptables-save -c.  The latter produces a machine-readable definition that gives us all the details.  The former omits detailed hit counters, interface restrictions, and all but one of the netfilter tables.  Also, going along with the request from didymos, please provide the output of ip addr ; ip route.  If you are directly on a public IP address, feel free to remove that from the output.
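As an added example (not code from the thread), a small Python parser for the `iptables-save -c` format Hu asks for: it keeps the per-chain policy counters and per-rule hit counters, lists rules that have never matched, and flags a DROP-policy chain that is already dropping packets while having no conntrack ESTABLISHED accept rule, which is the condition didymos's second change addresses. The sample dump is constructed for this example and is not the thread's real output.

```python
import re

# Constructed sample in iptables-save -c format (modelled on the format, not the thread's dump)
SAMPLE = """\
*filter
:INPUT DROP [2352:165107]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19007:816911]
[11277:337977] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[114:8433] -A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
COMMIT
"""

POLICY = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")  # :CHAIN POLICY [pkts:bytes]
RULE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+(\S+)\s.*)$")   # [pkts:bytes] -A CHAIN ...

def parse_save(text):
    """Parse into {table: {"chains": {name: (policy, pkts)}, "rules": [(chain, pkts, rule)]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue                                   # comments and table terminators
        if line.startswith("*"):                       # *filter, *nat, *mangle
            table = tables.setdefault(line[1:], {"chains": {}, "rules": []})
            continue
        pm, rm = POLICY.match(line), RULE.match(line)
        if pm:
            table["chains"][pm[1]] = (pm[2], int(pm[3]))
        elif rm:
            table["rules"].append((rm[4], int(rm[1]), rm[3]))
    return tables

def unused_rules(tables, table="filter"):
    """Rules whose packet counter is still zero: they have never matched anything."""
    return [r for _, pkts, r in tables[table]["rules"] if pkts == 0]

def stateful_gaps(tables):
    """filter chains with a DROP policy that has dropped packets and no conntrack
    ESTABLISHED accept rule: replies to this host's own outbound connections die here."""
    filt, gaps = tables["filter"], []
    for chain, (policy, pkts) in filt["chains"].items():
        has_state = any(c == chain and "ESTABLISHED" in r and r.endswith("-j ACCEPT")
                        for c, _, r in filt["rules"])
        if policy == "DROP" and pkts > 0 and not has_state:
            gaps.append((chain, pkts))
    return gaps
```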

----------

## queen

I am going through a router. The router has its SPI firewall enabled. I want to disable the SPI firewall and use my iptables. I get a direct IP for browsing from the ISP. The router is a Linksys WRT54GC.

I will output all the details in a couple of hours, because I have to run. Right now the firewall is not enabled.

----------

## queen

Hello didymos

It seems that the changes you suggested work. Now I can ping google, browse, etc.

A few notes: before the change I tried the command `route` and there was no output. Now `route` gives this output:

```
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth2
```

Here is my /etc/conf.d/net 

```
config_eth0=("dhcp")
#dhcp_eth0="nontp nonis nodns"
dhcp_eth0="nontp nonis"
#dns_servers_eth0="127.0.0.1 208.67.222.222 208.67.220.220"

config_eth2=("dhcp")
modules_eth2=("iwconfig")
#dhcp_eth2="nodns"
dns_servers_eth2="208.67.222.222 208.67.220.220"
routes_eth2=("default gw 192.168.1.1")
```

eth0 is the non-wifi card. eth2 is the wifi card. I am behind a router. I would like to disable the SPI firewall of the router. I have speed problems and am not sure where the problems come from. I am trying to use the OpenDNS IPs.

I get an internal IP from the router (via DHCP) and have a static IP address to connect directly to the internet.

Can you explain what the changes you suggested do?

*didymos wrote:*

> Try changing this:
>
> ```
> $IPTABLES -A INPUT -i lo -j ACCEPT
> ...
> ```

----------

## queen

*Hu wrote:*

> Instead of iptables -L, use iptables-save -c.  The latter produces a machine-readable definition that gives us all the details.  The former omits detailed hit counters, interface restrictions, and all but one of the netfilter tables.  Also, going along with the request from didymos, please provide the output of ip addr ; ip route.  If you are directly on a public IP address, feel free to remove that from the output.

What are `ip route` and `ip addr`? It said command not found. `route` gave me an output.

Here is the output I got from `iptables-save -c` before I changed the settings that didymos suggested.

```
iptables-save -c
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*nat
:PREROUTING ACCEPT [963:270530]
:POSTROUTING ACCEPT [3142:189427]
:OUTPUT ACCEPT [3142:189427]
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*mangle
:PREROUTING ACCEPT [14991:802708]
:INPUT ACCEPT [14209:544608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19584:855385]
:POSTROUTING ACCEPT [19584:855385]
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*filter
:INPUT DROP [2352:165107]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19007:816911]
[11277:337977] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 6969 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 6969 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 29800 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 29800 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 8726 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 8730 -j ACCEPT
[114:8433] -A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 6891 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 6891 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 1863 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5190 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5223 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 873 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
```

----------

## queen

One more question:

I have port forwarding in the router. With these rules, can I disable the port forwarding in the router?

----------

## Hu

*queen wrote:*

> What are `ip route` and `ip addr`? It said command not found. `route` gave me an output.

/sbin/ip is part of sys-apps/iproute2.  It is an alternative to using ifconfig and route.

----------

## queen

*Hu wrote:*

> *queen wrote:*
>
> > What are `ip route` and `ip addr`? It said command not found. `route` gave me an output.
>
> ...

OK. Thanks. I don't have iproute2 installed.

----------

