
Re: no IP connections, but DNS resolution works [was: keine verbindung durch router dns wird aufgelöst]



English is indeed better on this list, but if I can get by with babel.altavista.com, then so can you. ;) (Sorry, but my German is limited to a few foods and movie quotes...)

K-Egg@gmx.de wrote:
It seems to me that because you only allow ESTABLISHED, no connection that does not yet exist can go out.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


(I understand the above advice to be "you are allowing already established connections, but you are not accepting new connections." Bilingual folks feel free to correct me if I'm wrong.)

This is true, but both for security and to be explicit in what you mean, you should be specifying the incoming interface for these rules. Basically, accept traffic that originates from your internal network, but only existing connections (that were originated from the internal network) from the "untrusted" interface(s).

I can't remember your script from before, but I'll use the following as an example:


int_if=eth0	# (internal interface)
ext_if=eth1	# (external interface)

iptables -A INPUT -i $int_if -j ACCEPT
iptables -A INPUT -i $ext_if -m state \
	--state ESTABLISHED,RELATED -j ACCEPT


Also, it's not a bad idea to explicitly state your internal network (i.e. "-s 192.168.0.0/24") for the first rule above. Finally, I recommend extra paranoid policies:


# Chain policies only take the built-in targets ACCEPT or DROP; REJECT is an
# extension target, so it cannot be set with -P (add a final "-j REJECT" rule instead).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


(However, since your traffic wasn't working, you may have already implemented those rules and just didn't post them.)

I don't know why your DNS resolution worked, though. The only reason I can imagine is that you're using your firewall/router as a name resolver for your internal machines and the firewall's traffic is able to go unhindered.

mickey
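Pulling the pieces of this advice together, here is an added example (not from the original thread) of a complete stateful ruleset in this style, with a dry-run mode so the generated rules can be reviewed before being loaded on a router. The interface names eth0/eth1 and the 192.168.0.0/24 subnet are assumed, as in the post.

```shell
#!/bin/sh
# Assumed values; override via the environment if your layout differs.
INT_IF="${INT_IF:-eth0}"              # internal (trusted) interface
EXT_IF="${EXT_IF:-eth1}"              # external (untrusted) interface
INT_NET="${INT_NET:-192.168.0.0/24}"  # internal network

# With DRY_RUN=1 the commands are printed instead of executed.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F
    # Default-deny everywhere; -P only accepts the built-in targets ACCEPT/DROP.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Loopback must stay open or local services (e.g. a resolver) break.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Trusted side: new connections only from the internal network, and only
    # when they arrive on the internal interface (blocks spoofed sources on eth1).
    ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Untrusted side: nothing new, only replies to connections we started.
    ipt -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The router's own traffic (this is why DNS kept working when the router
    # was the resolver); tighten to specific ports if the box is a pure firewall.
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Forwarded traffic for the LAN: new from inside, replies from outside.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    --dry-run) DRY_RUN=1; apply_rules ;;   # review the rules first
    --apply)   apply_rules ;;              # then load them as root
esac
```

Review the `--dry-run` output and confirm that no rule on the external interface matches NEW before loading it with `--apply`.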


