[ale] ICQ and iptables

Kevin Krumwiede krum at smyrnacable.net
Tue Apr 30 19:45:59 EDT 2002


I'm having a bit of trouble with ICQ and my iptables firewall.  I ran
into this before, but now that Linux is my full-time desktop I need to
find a solution.

When I first log on everything is OK.  However, after about two minutes
nobody can see what I type.  I currently use GAIM, but the same thing
used to happen with GnomeICU.

I found this thread: 

http://lists.samba.org/pipermail/netfilter/2000-June/004456.html

An earlier post in the same thread mentions something about opening port
4000.  There are also some code snippets I didn't look at too closely. 
Before I try any of that advice, I'd like to understand better what it
does.

In the first place, what would any packets be doing in the FORWARD
chain?  Do I need to allow for forwarding between lo and eth0 or
something?  Right now my FORWARD chain is empty with a policy of DROP. 
ip_conntrack and ip_conntrack_ftp seem to be working, but some web sites
(always the same ones) send me more packets after ip_conntrack clears the
connection from the established/related list.  I'm wondering if that's
not related somehow.  Maybe my firewall rules are bad.

Thanks,
Krum

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
# allow existing connections
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# x is all screwy without this
[0:0] -A INPUT -i lo -j ACCEPT 
# ignore the constant dhcp traffic on my cable segment
[0:0] -A INPUT -p udp -m udp --sport 67 --dport 68 -j DROP 
# ignore whatever my cable modem is trying to do to me
[0:0] -A INPUT -s 192.168.100.1 -j DROP 
# ignore the cruft from dead browser sessions
[0:0] -A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -j DROP 
# log all other incoming packets
[0:0] -A INPUT -j LOGDROP 
# log all outgoing tcp connections
[0:0] -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOGACCEPT 
[0:0] -A LOGACCEPT -j LOG --log-prefix "firewall out: " --log-level 6 
[0:0] -A LOGACCEPT -j ACCEPT 
[0:0] -A LOGDROP -j LOG --log-prefix "firewall in (dropped): " --log-level 6
[0:0] -A LOGDROP -j DROP
COMMIT


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
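As an added example (not from the post or from the list), a small Python checker for iptables-save dumps like the one above: it flags any line that is neither a chain declaration nor a rule (such as a `--log-level` option that a mail client wrapped onto its own line, which iptables-restore rejects) and reports chains whose DROP policy stands alone, so that an empty FORWARD chain with policy DROP is visible at a glance. The sample dump is constructed and modelled on the ruleset in the post.

```python
import re

# Constructed sample modelled on the ruleset in the post: the mail client
# wrapped "--log-level 6" onto its own line, which iptables-restore rejects.
SAMPLE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j LOGDROP
[0:0] -A LOGDROP -j LOG --log-prefix "firewall in (dropped): "
--log-level 6
[0:0] -A LOGDROP -j DROP
COMMIT
"""

# "[pkts:bytes] -A CHAIN rule-body"; the counter prefix is optional.
RULE_RE = re.compile(r"^(?:\[\d+:\d+\]\s+)?-A\s+(\S+)\s+(.*)$")

def parse(dump):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [body]}, "problems": [msg]}}."""
    tables, cur = {}, None
    for lineno, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}, "problems": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
            cur["rules"].setdefault(chain, [])
        elif line == "COMMIT":
            cur = None
        elif (m := RULE_RE.match(line)):
            cur["rules"].setdefault(m.group(1), []).append(m.group(2))
        else:  # neither chain, rule nor COMMIT: almost always the wrapped tail of the previous rule
            cur["problems"].append(f"line {lineno}: not a rule, looks like a wrapped continuation of line {lineno - 1}: {line!r}")
    return tables

def lint(dump):
    """Flatten per-table findings: wrapped lines and chains whose DROP policy is the only thing in them."""
    msgs = []
    for name, t in parse(dump).items():
        msgs.extend(t["problems"])
        for chain, policy in t["policy"].items():
            if policy == "DROP" and not t["rules"][chain]:
                msgs.append(f"{name}: {chain} has policy DROP and no rules; anything traversing it is dropped")
    return msgs
```

Run `lint` over the output of `iptables-save` before feeding it back to `iptables-restore`; joining the flagged line onto the previous rule makes the first finding disappear.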