# Basic iptables question [SOLVED]

## brianrpsgt1

Ran the command "iptables --list" ...

```
Chain NR (1 references)
target     prot opt source               destination
LSI        all  --  0.0.0.0/8            192.168.1.0/24
LSI        all  --  1.0.0.0/8            192.168.1.0/24
LSI        all  --  2.0.0.0/8            192.168.1.0/24
LSI        all  --  5.0.0.0/8            192.168.1.0/24
....
....
```

What does "Chain NR" refer to?  What is LSI?

I also noticed these ...

```
LSI        all  --  AMontpellier-257-1-113-net.w90-0.abo.wanadoo.fr/8  192.168.1.0/24
LSI        all  --  ppp-net.infoweb.ne.jp/8  192.168.1.0/24
LSI        all  --  ip-189-0-0-0.user.vivozap.com.br/8  192.168.1.0/24
```

Is someone else connected to my machine?

Thanks ::

B

Last edited by brianrpsgt1 on Sat Aug 04, 2007 3:17 pm; edited 1 time in total

----------

## mudrii

You can see all connections IN/OUT with netstat.

----------

## Hu

*brianrpsgt1 wrote:*

> Chain NR (1 references)
>
> target     prot opt source               destination
> ...

Chain NR means you have a chain named NR in your table.  LSI is the name of the target chain which is executed when the rule matches.  Those other rules you cited indicate that you have rules which apply to netmasks which happen to resolve to hostnames.

What are you trying to accomplish?  If you want to see a full listing of your rules, I suggest iptables -vxnL (to see just the filter table) or iptables-save -c (to see all tables).

----------

## brianrpsgt1

Hu.. 

Thanks for the reply.  I am trying to accomplish two things.

1.  In seeing the addresses in the "LSI" listing that were from other countries, I wanted to make sure that others were not connected to my computer.  Signs point to the fact that they are not, as when I run Netstat, I can identify all of those connected.

2.  I am having problems accessing some websites, like Google, for example.  If I turn the firewall off, then I get to it no problem.  However, if I turn my firewall back on then I am blocked.  I am trying to find where the "block" is occurring so that I can fix it.

I am currently using Firestarter as my firewall.

Thanks :

B

----------

## Hu

*brianrpsgt1 wrote:*

> 2.  I am having problems accessing some websites, like Google, for example.  If I turn the firewall off, then I get to it no problem.  However, if I turn my firewall back on then I am blocked.  I am trying to find where the "block" is occurring so that I can fix it.

Please post the output of iptables-save -c so that we can see the full firewall ruleset.  Without that, diagnosing your problem would be guesswork at best.

----------

## brianrpsgt1

Hu ::

Results for iptables-save -c

```
# Generated by iptables-save v1.3.5 on Sat Aug  4 07:58:58 2007
*raw
:PREROUTING ACCEPT [34924385:15289573386]
:OUTPUT ACCEPT [36206861:14530340968]
COMMIT
# Completed on Sat Aug  4 07:58:58 2007
# Generated by iptables-save v1.3.5 on Sat Aug  4 07:58:58 2007
*nat
:PREROUTING ACCEPT [914865:99603423]
:POSTROUTING ACCEPT [1513886:139197446]
:OUTPUT ACCEPT [1513935:139276327]
COMMIT
# Completed on Sat Aug  4 07:58:58 2007
# Generated by iptables-save v1.3.5 on Sat Aug  4 07:58:58 2007
*mangle
:PREROUTING ACCEPT [3460:924162]
:INPUT ACCEPT [3460:924162]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3378:441043]
:POSTROUTING ACCEPT [5170:733780]
COMMIT
# Completed on Sat Aug  4 07:58:58 2007
# Generated by iptables-save v1.3.5 on Sat Aug  4 07:58:58 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [43:3078]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:NR - [0:0]
:OUTBOUND - [0:0]
[0:0] -A INPUT -s 127.0.0.1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[774:55412] -A INPUT -s 127.0.0.1 -p udp -j ACCEPT
[0:0] -A INPUT -s 192.168.1.103 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[1853:297205] -A INPUT -s 192.168.1.103 -p udp -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 33434 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 5 -m limit --limit 2/sec -j ACCEPT
[0:0] -A INPUT -p icmp -j LSI
[596:543032] -A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -j NR
[2:656] -A INPUT -d 255.255.255.255 -i eth0 -j DROP
[75:17277] -A INPUT -d 192.168.1.255 -j DROP
[0:0] -A INPUT -s 224.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -d 224.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 255.255.255.255 -j DROP
[0:0] -A INPUT -d 0.0.0.0 -j DROP
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -f -m limit --limit 10/min -j LSI
[756:553612] -A INPUT -i eth0 -j INBOUND
[0:0] -A INPUT -j LOG_FILTER
[0:0] -A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
[0:0] -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -p udp -m udp --dport 33434 -j ACCEPT
[0:0] -A FORWARD -p icmp -m icmp --icmp-type 5 -m limit --limit 2/sec -j ACCEPT
[0:0] -A FORWARD -p icmp -j LSI
[0:0] -A FORWARD -j LOG_FILTER
[0:0] -A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
[0:0] -A OUTPUT -s 192.168.1.103 -d 127.0.0.1 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -s 192.168.1.103 -d 127.0.0.1 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -s 192.168.1.103 -d 192.168.1.103 -p tcp -m tcp --dport 53 -j ACCEPT
[13:805] -A OUTPUT -s 192.168.1.103 -d 192.168.1.103 -p udp -m udp --dport 53 -j ACCEPT
[779:55997] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -s 224.0.0.0/255.0.0.0 -j DROP
[0:0] -A OUTPUT -d 224.0.0.0/255.0.0.0 -j DROP
[0:0] -A OUTPUT -s 255.255.255.255 -j DROP
[0:0] -A OUTPUT -d 0.0.0.0 -j DROP
[0:0] -A OUTPUT -m state --state INVALID -j DROP
[2543:381163] -A OUTPUT -o eth0 -j OUTBOUND
[0:0] -A OUTPUT -j LOG_FILTER
[0:0] -A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
[644:532765] -A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[81:16137] -A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
[26:4410] -A INBOUND -s 192.168.1.0/255.255.255.0 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.150 -j ACCEPT
[0:0] -A INBOUND -p tcp -m tcp --dport 8090 -j ACCEPT
[0:0] -A INBOUND -p udp -m udp --dport 8090 -j ACCEPT
[4:240] -A INBOUND -p tcp -m tcp --dport 20:21 -j ACCEPT
[0:0] -A INBOUND -p udp -m udp --dport 20:21 -j ACCEPT
[0:0] -A INBOUND -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INBOUND -p udp -m udp --dport 443 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.103 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.103 -p udp -m udp --dport 25 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 137:139 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 445 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 445 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 389 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 389 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 80 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 631 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 631 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.150 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.150 -p udp -m udp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.152 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.152 -p udp -m udp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.151 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.151 -p udp -m udp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.153 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INBOUND -s 192.168.1.153 -p udp -m udp --dport 22 -j ACCEPT
[0:0] -A INBOUND -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INBOUND -p udp -m udp --dport 8080 -j ACCEPT
[0:0] -A INBOUND -s 127.0.0.1 -p tcp -m tcp --dport 389 -j ACCEPT
[0:0] -A INBOUND -s 127.0.0.1 -p udp -m udp --dport 389 -j ACCEPT
[1:60] -A INBOUND -j LSI
[1:60] -A LSI -j LOG_FILTER
[1:60] -A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
[1:60] -A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
[0:0] -A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
[0:0] -A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
[0:0] -A LSI -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
[0:0] -A LSI -j DROP
[0:0] -A LSO -j LOG_FILTER
[0:0] -A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
[0:0] -A LSO -j REJECT --reject-with icmp-port-unreachable
[0:0] -A NR -s 0.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 1.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 2.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 5.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 7.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 10.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 23.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 27.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 31.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 36.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 37.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 39.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 41.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 42.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 49.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 50.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 73.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 74.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 75.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 76.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 77.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 78.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 79.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 89.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 90.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 91.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 92.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 93.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 94.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 95.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 96.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 97.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 98.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 99.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 100.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 101.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 102.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 103.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 104.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 105.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 106.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 107.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 108.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 109.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 110.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 111.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 112.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 113.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 114.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 115.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 116.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 117.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 118.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 119.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 120.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 121.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 122.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 123.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 124.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 125.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 126.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 127.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 169.254.0.0/255.255.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 172.16.0.0/255.240.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 173.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 174.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 175.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 176.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 177.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 178.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 179.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 180.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 181.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 182.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 183.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 184.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 185.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 186.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 187.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 189.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 190.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 192.0.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 192.168.0.0/255.255.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 197.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 198.18.0.0/255.254.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 223.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[0:0] -A NR -s 224.0.0.0/224.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
[1:164] -A OUTBOUND -p icmp -j ACCEPT
[565:74319] -A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[30:4632] -A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
[1947:302048] -A OUTBOUND -j ACCEPT
COMMIT
```

----------

## brianrpsgt1

FIXED!

I found where the chain was that was blocking the site.  I safely deleted it and can now get to Google again.

Thanks Hu for pointing me in the right direction!

B

----------

## Hu

Firestarter is no longer in Portage.  Based on the rules shown, I think you would be best served by switching to some other tool.  I have not used Firestarter, so I cannot say how much of that rulebase is a manifestation of what it did and how much of it was driven by your configuration, but that is one of the ugliest and most convoluted rulesets I have ever seen.  Most incoming traffic matches the input rule that jumps to rule NR.  NR then matches large portions of the Internet address space and directs it to LSI, which drops the traffic.

In this case, I would recommend throwing out the Firestarter rules and starting over.  It will be faster than trying to make the Firestarter output sane.  If you will explain what you are trying to do, someone here can help you write a clean and functional ruleset.  In particular, we need to know what ports, if any, you want to expose to the outside world, the layout of your network, and whether there is any traffic that you want blocked.
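To make Hu's reading of the ruleset concrete (a user chain such as NR is entered by a `-j` jump, returns to the caller when none of its rules match, and LSI ends in an unconditional DROP), here is an added example, not from the thread, that parses a constructed excerpt of the iptables-save output above and traces a packet through INPUT, NR, INBOUND and LSI. It shows that a reply belonging to an established connection is dropped whenever its source falls inside a block listed in NR, because the jump to NR sits before INBOUND's RELATED,ESTABLISHED rule; 74.0.0.1, 64.0.0.1 and 192.168.1.50 are constructed addresses, and the excerpt keeps only one NR entry.

```python
import ipaddress
import shlex

# Constructed excerpt of the posted iptables-save output (counters stripped, most NR rules omitted).
RULES = """\
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -j NR
-A INPUT -i eth0 -j INBOUND
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INBOUND -j LSI
-A NR -s 74.0.0.0/255.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j LSI
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -j DROP
"""
POLICY = {"INPUT": "DROP"}  # from ":INPUT DROP" in the posted filter table

def parse(text):  # iptables-save rule lines -> {chain: [rule dict, ...]}
    chains = {}
    for line in text.splitlines():
        tok, rule, i = shlex.split(line), {}, 2   # tok[0] is "-A", tok[1] the chain
        while i < len(tok):
            opt, neg = tok[i], False
            if tok[i + 1] == "!":                  # old-style negation: "-s ! addr"
                neg, i = True, i + 1
            arg = tok[i + 1]
            if opt in ("-s", "-d"):
                rule[opt] = (ipaddress.ip_network(arg, strict=False), neg)
            elif opt in ("-i", "-p", "-j"):
                rule[opt] = arg
            elif opt == "--state":
                rule[opt] = set(arg.split(","))
            elif opt == "--tcp-flags":             # mask, then the flags that must be set
                rule[opt] = (set(arg.split(",")), set(tok[i + 2].split(",")))
                i += 1
            i += 2                                 # "-m tcp" / "-m state" are skipped here
        chains.setdefault(tok[1], []).append(rule)
    return chains
def matches(rule, pkt):  # True if PKT satisfies every match option in RULE
    for key in ("-s", "-d"):
        if key in rule and (ipaddress.ip_address(pkt[key]) in rule[key][0]) == rule[key][1]:
            return False
    if any(key in rule and rule[key] != pkt[key] for key in ("-i", "-p")):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"]:
        return False
    if "--tcp-flags" in rule and pkt["flags"] & rule["--tcp-flags"][0] != rule["--tcp-flags"][1]:
        return False
    return True
def trace(chains, chain, pkt, path):  # walk CHAIN for PKT, record jumps, return the verdict
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        path.append(f"{chain}#{n}->{target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                       # user chain: fall through when it RETURNs
            verdict = trace(chains, target, pkt, path)
            if verdict:
                return verdict
    return POLICY.get(chain)                       # None means RETURN from a user chain
def verdict_for(src, state="ESTABLISHED", flags=("ACK",)):  # TCP packet to the LAN host via eth0
    pkt = {"-s": src, "-d": "192.168.1.103", "-i": "eth0", "-p": "tcp", "state": state, "flags": set(flags)}
    path = []
    return trace(parse(RULES), "INPUT", pkt, path), path
```

Calling `verdict_for("74.0.0.1")` yields `DROP` via `INPUT#1->NR, NR#1->LSI, LSI#2->DROP`, while the same established reply from `64.0.0.1` reaches `INBOUND#1->ACCEPT` because NR has no entry for it and returns to INPUT.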

----------

## brianrpsgt1

Hu ::

I definitely agree... starting over is the best way to go at this point.  Throwing out Firestarter.

Want to allow the following ::

All users on internal network out to the internet

I use squid and dansguardian

need to also open 8080, 8090, 21, 22, 25, 137-139, 443, 631

Thanks 

B

----------

## Hu

You did not supply enough information to complete this, but I will make an effort based on the available information:

```
#!/bin/sh
WAN_IFACE="eth0"
LAN_IFACE="eth1"

# Flush the tables.  This may print some errors, since many people do
# not have all the tables.
for table in nat mangle filter raw; do
   iptables -t "${table}" -F
   iptables -t "${table}" -X
done

# Reset all the chains to a known policy.
for chain in PREROUTING POSTROUTING OUTPUT; do
   iptables -t nat -P "${chain}" ACCEPT
done
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
   iptables -t mangle -P "${chain}" ACCEPT
done
for chain in INPUT FORWARD OUTPUT; do
   iptables -t filter -P "${chain}" ACCEPT
done

# Silently discard incoming traffic which does not match any rule.
iptables -P INPUT DROP
# Silently refuse to forward traffic which does not match any rule.
iptables -P FORWARD DROP

# Accept loopback traffic.  Necessary to keep IP-over-localhost working.
# *** Do not remove unless you know _EXACTLY_ what you are doing. ***
iptables -A INPUT -i lo -j ACCEPT

# Accept traffic from connections which already existed.  Without any
# rules to permit incoming connections, this rule requires that this
# machine initiate all connections.
# Requires NETFILTER_XT_STATE_MATCH
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept incoming connections to TCP port 21.  This is needed if you
# want to run a TCP server on port 21 and have someone connect to it.
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 137:139 -i "${LAN_IFACE}" -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8090 -j ACCEPT

# Log any traffic which gets here, but use a limit modifier so that the
# logs do not fill with every single incoming dropped packet.  This is a
# non-terminating target, so traffic which matches it will continue on.
iptables -A INPUT -m limit -j LOG --log-tcp-options --log-ip-options

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN users have unrestricted access outbound.
iptables -A FORWARD -i "${LAN_IFACE}" -j ACCEPT
```

It is not clear whether you meant to expose the listed ports to both the LAN and WAN users.  I have exposed them to both, with the exception of the Windows SMB ports.  Exposing an SMB share to the Internet is almost always a bad idea, so I restricted that to LAN users only.

----------

