iptables and one interface

Post by DustyDat » Thu, 22 Aug 2002 00:51:04

Hi All,

I am having a bit of a problem with setting up an iptables firewall on
a machine with one interface. I have set up a few successfully with
two but this one has me stumped.

I have a server (192.169.0.x) which sits on a private network. eth0 is
set to the above address. All I want to do is to allow a few services
to be accessed on this server by the internal network and allow
everything in the OUTPUT chain. I have set the OUTPUT chain default
policy to ACCEPT, and the INPUT chain has a default policy of DROP and
a few rules set up.

The INPUT chain works fine, but from the server itself I cannot telnet
to our mailserver on port 23, 25 or 110 but if I stop iptables I can.
The mailserver is also on the 192.168.0.x network.

Does anyone have any ideas as I am baffled? My guess is that it must
be to do with just the one interface card, but I cannot work out why.
All help gratefully received.....

Many thanks,

Steve Westrip

iptables and one interface

Post by Dragan Cola » Thu, 22 Aug 2002 03:04:23

> [...]
> I have a server (192.169.0.x) which sits on a private network. eth0 is
> set to the above address. All I want to do is to allow a few services
> to be accessed on this server by the internal network and allow
> everything in the OUTPUT chain. I have set the OUTPUT chain default
> policy to ACCEPT, and the INPUT chain has a default policy of DROP and
> a few rules set up.

> The INPUT chain works fine, but from the server itself I cannot telnet
> to our mailserver on port 23, 25 or 110 but if I stop iptables I can.
> The mailserver is also on the 192.168.0.x network.
> [...]

Did you tell your INPUT chain to accept incoming traffic from a locally
initiated connection? Something like

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It should come last, after the rules for opening local daemon ports.

Dragan


iptables and one interface

Post by crawdo » Thu, 22 Aug 2002 14:00:23

> Hi All,

> I am having a bit of a problem with setting up an iptables firewall on
> a machine with one interface. I have set up a few successfully with
> two but this one has me stumped.

> I have a server (192.169.0.x) which sits on a private network. eth0 is
> set to the above address. All I want to do is to allow a few services
> to be accessed on this server by the internal network and allow
> everything in the OUTPUT chain. I have set the OUTPUT chain default
> policy to ACCEPT, and the INPUT chain has a default policy of DROP and
> a few rules set up.

> The INPUT chain works fine, but from the server itself I cannot telnet
> to our mailserver on port 23, 25 or 110 but if I stop iptables I can.
> The mailserver is also on the 192.168.0.x network.

> Does anyone have any ideas as I am baffled? My guess is that it must
> be to do with just the one interface card, but I cannot work out why.
> All help gratefully received.....

> Many thanks,

> Steve Westrip


Your problem is very likely *not* related to having a single interface.
Your problem is likely to be related to problems with your INPUT rules.
Use something like

iptables -A INPUT -i eth0 -p tcp ! --syn \
    --sport $SERVPORT -d 192.169.0.x --dport 1024:65535 -j ACCEPT

where SERVPORT is defined to be the server's port number (e.g.,
telnet=23, or, egads!, 0:1023). Also be aware that some services require
authentication (113).

The ! --syn means that you initiated the connection.

Clyde


iptables and one interface

Post by DustyDat » Thu, 22 Aug 2002 19:27:12

> > [...]
> > I have a server (192.169.0.x) which sits on a private network. eth0 is
> > set to the above address. All I want to do is to allow a few services
> > to be accessed on this server by the internal network and allow
> > everything in the OUTPUT chain. I have set the OUTPUT chain default
> > policy to ACCEPT, and the INPUT chain has a default policy of DROP and
> > a few rules set up.

> > The INPUT chain works fine, but from the server itself I cannot telnet
> > to our mailserver on port 23, 25 or 110 but if I stop iptables I can.
> > The mailserver is also on the 192.168.0.x network.
> > [...]

> Did you tell your INPUT chain to accept incoming traffic from a locally
> initiated connection? Something like

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> It should come last, after the rules for opening local daemon ports.

> Dragan

Thanks for that. Problem sorted.


iptables and one interface

Post by DustyDat » Thu, 22 Aug 2002 23:13:13

> > Hi All,

> > I am having a bit of a problem with setting up an iptables firewall on
> > a machine with one interface. I have set up a few successfully with
> > two but this one has me stumped.

> > I have a server (192.169.0.x) which sits on a private network. eth0 is
> > set to the above address. All I want to do is to allow a few services
> > to be accessed on this server by the internal network and allow
> > everything in the OUTPUT chain. I have set the OUTPUT chain default
> > policy to ACCEPT, and the INPUT chain has a default policy of DROP and
> > a few rules set up.

> > The INPUT chain works fine, but from the server itself I cannot telnet
> > to our mailserver on port 23, 25 or 110 but if I stop iptables I can.
> > The mailserver is also on the 192.168.0.x network.

> > Does anyone have any ideas as I am baffled? My guess is that it must
> > be to do with just the one interface card, but I cannot work out why.
> > All help gratefully received.....

> > Many thanks,

> > Steve Westrip

> Your problem is very likely *not* related to having a single interface.
> Your problem is likely to be related to problems with your INPUT rules.
> Use something like

> iptables -A INPUT -i eth0 -p tcp ! --syn \
>     --sport $SERVPORT -d 192.169.0.x --dport 1024:65535 -j ACCEPT

> where SERVPORT is defined to be the server's port number (e.g.,
> telnet=23, or, egads!, 0:1023). Also be aware that some services require
> authentication (113).

> The ! --syn means that you initiated the connection.

> Clyde

I entered the command from the other poster (yours hadn't arrived by
then!!) and it now connects, but it takes about 15-30 seconds to
connect to an internal mailserver (or any other internal machine) via
telnet and get a login prompt. This server has no access to a DNS
server but the entry for mailserver is in the hosts file. It is worth
noting that with iptables 'turned off' the connection is immediate.

Any ideas?


iptables and one interface

Post by Chris Patc » Sun, 25 Aug 2002 19:38:16

try adding these lines after you flush your tables and set your policies
(right from Linux Firewalls, 2nd ed.):

#allow unlimited loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

> > > Hi All,

> > > I am having a bit of a problem with setting up an iptables firewall on
> > > a machine with one interface. I have set up a few successfully with
> > > two but this one has me stumped.

> > > I have a server (192.169.0.x) which sits on a private network. eth0 is
> > > set to the above address. All I want to do is to allow a few services
> > > to be accessed on this server by the internal network and allow
> > > everything in the OUTPUT chain. I have set the OUTPUT chain default
> > > policy to ACCEPT, and the INPUT chain has a default policy of DROP and
> > > a few rules set up.

> > > The INPUT chain works fine, but from the server itself I cannot telnet
> > > to our mailserver on port 23, 25 or 110 but if I stop iptables I can.
> > > The mailserver is also on the 192.168.0.x network.

> > > Does anyone have any ideas as I am baffled? My guess is that it must
> > > be to do with just the one interface card, but I cannot work out why.
> > > All help gratefully received.....

> > > Many thanks,

> > > Steve Westrip

> > Your problem is very likely *not* related to having a single interface.
> > Your problem is likely to be related to problems with your INPUT rules.
> > Use something like

> > iptables -A INPUT -i eth0 -p tcp ! --syn \
> >     --sport $SERVPORT -d 192.169.0.x --dport 1024:65535 -j ACCEPT

> > where SERVPORT is defined to be the server's port number (e.g.,
> > telnet=23, or, egads!, 0:1023). Also be aware that some services require
> > authentication (113).

> > The ! --syn means that you initiated the connection.

> > Clyde

> I entered the command from the other poster (yours hadn't arrived by
> then!!) and it now connects, but it takes about 15-30 seconds to
> connect to an internal mailserver (or any other internal machine) via
> telnet and get a login prompt. This server has no access to a DNS
> server but the entry for mailserver is in the hosts file. It is worth
> noting that with iptables 'turned off' the connection is immediate.

> Any ideas?
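The three replies in this thread each supply one piece of a working single-interface ruleset: Dragan's ESTABLISHED,RELATED rule, the loopback rules Chris quotes, and Clyde's remark about ident (113). The script below is an added example, not any poster's script, that puts them together for a host whose only NIC is on an internal network. The interface name eth0, the 192.168.0.0/24 range, the exposed ports 22 and 25, and the REJECT rule for port 113 are assumptions; unless it is run as root with the argument `apply`, it only prints the iptables commands so they can be reviewed.

```shell
#!/bin/sh
# Single-interface host firewall: INPUT DROP, OUTPUT ACCEPT, a few LAN
# services. Added example, not a poster's script. Assumptions: the only
# NIC is eth0 on 192.168.0.0/24 and the exposed TCP ports are 22 and 25;
# change IFACE, LAN and SERVICES to match. Without the argument "apply"
# the script only prints the iptables commands (dry run).

IFACE="${IFACE:-eth0}"            # the single interface (assumed name)
LAN="${LAN:-192.168.0.0/24}"      # internal network (assumed range)
SERVICES="${SERVICES:-22 25}"     # TCP ports offered to the LAN (placeholders)

# Every rule goes through this wrapper so a dry run can be reviewed.
ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Clean slate, then the default policies from the original post.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback unrestricted (the rule Chris quotes): local programs that
    # talk to 127.0.0.1 hang or stall when this is missing.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Return traffic for connections this host opened (Dragan's rule).
    # Placed first so that it is hit before the per-port rules.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services reachable from the internal network only.
    for port in $SERVICES; do
        ipt -A INPUT -i "$IFACE" -p tcp -s "$LAN" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # ident (113) lookups that a peer's telnetd or MTA makes back to this
    # host: answer with a reset rather than letting the DROP policy make
    # the peer wait for a timeout before it shows its prompt (assumed
    # cause of the delay reported in the thread).
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Rate-limited log of what the DROP policy is about to discard.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

MODE="${1:-dryrun}"
build_rules
```

The ESTABLISHED,RELATED rule sits before the per-port rules rather than last as Dragan suggests; both orders are correct, but return traffic is the bulk of what INPUT sees, so matching it first is cheaper. Clyde's `! --syn` rule is the stateless, TCP-only equivalent of that stateful rule. The port 113 rule is the usual explanation for a pause of 15-30 seconds before a login prompt: the remote telnetd or mail daemon queries ident on the connecting host, and with a DROP policy it waits for its own timeout instead of receiving an immediate refusal, which is why the delay disappears when iptables is stopped.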

 
 
 

1. one-to-one mapping using IPTABLES with LOG.

Hello,
I want to implement one-to-one mapping of ip addresses using
iptables with logging.

Network is as follows:

-----192.168.1.0/24-----FIREWALL(IPTABLES)-----192.168.4.0/24
(Net-I)[eth0]                                   (Net-II)[eth1]

I want each IP in Net-I, when it goes out through the firewall, to take
an IP from Net-II. I think the following rule is sufficient for that.

Rule-I
# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.1/32 \
    -j SNAT --to-source 192.168.4.1
Note: I want it to be a static mapping.

Now, I also want to enable logging for Net-I (192.168.1.0/24), i.e.
keep track of who is doing what.

Will the following rule set work if I put it in instead of Rule-I?

# iptables -t nat -N LOG-TCP
# iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.1/32 \
    -m state --state NEW -j LOG-TCP
# iptables -t nat -A LOG-TCP -j LOG --log-tcp-options \
    --log-ip-options --log-prefix "[OUT-TCP-CONNECTIONS]:"
# iptables -t nat -A LOG-TCP -o eth1 -j SNAT --to-source 192.168.4.1
Any suggestions?

thanks and regards
baruah
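An added example (not baruah's ruleset) of the static one-to-one mapping with one log line per new outbound TCP connection. The interface names and the two /24 networks come from the post; putting the LOG in the filter table's FORWARD chain and generating one SNAT rule per host are this example's own choices. Without the argument `apply` it only prints the iptables commands.

```shell
#!/bin/sh
# Static one-to-one SNAT of Net-I (192.168.1.0/24 on eth0) onto Net-II
# (192.168.4.0/24 on eth1) with one log line per new outbound TCP
# connection. Added example, not baruah's ruleset: interfaces and
# networks are from the post; logging in the filter table's FORWARD chain
# and the per-host loop are this example's own choices. Without the
# argument "apply" the script only prints the iptables commands.

IN_IF="${IN_IF:-eth0}"       # Net-I side
OUT_IF="${OUT_IF:-eth1}"     # Net-II side
NET1="${NET1:-192.168.1}"    # Net-I /24 prefix (source addresses)
NET2="${NET2:-192.168.4}"    # Net-II /24 prefix (mapped addresses)

ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_nat_rules() {
    # Logging belongs in the filter table: the nat table only sees the
    # first packet of each connection and is not meant for accounting.
    # Matching the NEW packet in FORWARD gives one line per connection.
    ipt -N LOG-TCP
    ipt -A LOG-TCP -j LOG --log-tcp-options --log-ip-options \
        --log-prefix "[OUT-TCP-CONNECTIONS]:"
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -p tcp -s "$NET1.0/24" \
        -m state --state NEW -j LOG-TCP
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$NET1.0/24" -j ACCEPT

    # Static mapping: host .N in Net-I always leaves eth1 as host .N in
    # Net-II. One SNAT rule per host keeps every mapping explicit.
    n=1
    while [ "$n" -le 254 ]; do
        ipt -t nat -A POSTROUTING -o "$OUT_IF" -s "$NET1.$n/32" \
            -j SNAT --to-source "$NET2.$n"
        n=$((n + 1))
    done
}

# Number of commands a dry run produces, so the ruleset can be checked.
count_rules() {
    build_nat_rules | grep -c '^iptables '
}

MODE="${1:-dryrun}"
build_nat_rules
```

The LOG-TCP chain has no explicit return: after the LOG rule the chain ends, control comes back to FORWARD and the following ACCEPT rule passes the packet. iptables also has a NETMAP target that expresses the whole static 1:1 mapping in a single rule (`-j NETMAP --to 192.168.4.0/24` on the same POSTROUTING match); the per-host loop is used here because it makes each individual mapping visible in `iptables -t nat -L`.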
