Manish,

There seems to be a slight problem with your rule definitions. Basically, you are allowing packets to go from the 2 Windoze PCs to the http (80) port of the Linux Box, but there is no rule that lets packets come back from the Linux Box to the Windoze PC - the reply packets are being dropped. So, for every host that you want to allow access to the http port, you should add two "symmetric" rules:

    # request: Windoze PC -> Linux Box port 80 (arrives on the INPUT chain)
    iptables -A INPUT  -p tcp -s 131.107.2.252 -d 131.107.2.253 --dport 80 -j ACCEPT
    # reply: Linux Box port 80 -> Windoze PC (replies leave through the OUTPUT chain)
    iptables -A OUTPUT -p tcp -s 131.107.2.253 --sport 80 -d 131.107.2.252 -j ACCEPT

This is the basic idea. You may want to investigate using the --state directive for fancier/more elegant configuration.

About the connectivity being slow - can't be sure, but it can be because you have also blocked DNS queries on 131.107.2.253. At least SSH, by default, tries to resolve the hostname for a given IP, and if it can't, gives up after some time - and that causes a delay. This is only seen during the login time though.

I am assuming here that the webserver is running on 131.107.2.253.

BTW, that was cute - using Microsoft's IP addresses in your example.

Regards,
-Varun
--
Mindframe Software & Services Pvt. Ltd.,
A-50, Sector-39, NOIDA, U.P. - 201301, India
http://www.mindsw.com

> hi
> I have written a simple script. It is for
>
> FIREWALL PC IP 131.107.2.253
> 2 Windows PCs 131.107.2.252, 131.107.2.5
>
> ----------------
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A INPUT -p tcp -s 131.107.2.253 -d 131.107.2.253 --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.5 -d 131.107.2.253 --dport 80 -j ACCEPT
> -----------------------
>
> but I was not able to get connected to my webserver from either of the above PCs
>
> then I tried the following with default DROP in all chains
>
> ---------------------
> iptables -A INPUT -p tcp -s 131.107.2.253 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.5 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> ---------------------
>
> in this case I was able to use http from 131.107.2.253 but not from the other 2 IPs
>
> then I tried the following with default DROP in all chains
> --------------------------
> iptables -A OUTPUT -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.253 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> iptables -A INPUT -p tcp -s 131.107.2.5 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> -------------------------
>
> now I was able to access port 80 from all machines
>
> then I did the same for ssh and mysql
>
> but connectivity became drastically slow
> it took a few minutes to connect to the database through my C programs
>
> please help
> ---
> Manish Kumar Arya
> --------------------------------------------
> While universe
> {
> Object emerges from zero, tends to infinity and finally ends in zero.
> }
> --------------------------------------------
>
> ================================================
> To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header
> To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header
> Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org
> =================================================
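As an added example (not part of Varun's or Manish's messages): the stateful approach Varun points to with the --state match, written as a small dry-run script. It assumes the layout from the thread (the Linux box at 131.107.2.253 serving http, ssh and mysql to the two Windows PCs) and a placeholder DNS server address; the names IPT, FW_IP, CLIENTS, PORTS, DNS_SERVER and build_rules are this example's own. With connection tracking, one ESTABLISHED,RELATED rule per chain lets replies through, so no per-host "reverse" rule is needed, and the explicit outbound DNS rule is there to stop sshd/mysqld reverse lookups from hanging until timeout.

```shell
#!/bin/sh
# Stateful host firewall for a single box (no forwarding).
# Dry run by default: prints the commands. Set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"
FW_IP="${FW_IP:-131.107.2.253}"                # the Linux box (from the thread)
CLIENTS="${CLIENTS:-131.107.2.252 131.107.2.5}" # the two Windows PCs (from the thread)
PORTS="${PORTS:-80 22 3306}"                   # http, ssh, mysql (services named in the thread)
DNS_SERVER="${DNS_SERVER:-198.51.100.53}"      # placeholder (RFC 5737 documentation range)

build_rules() {
    # Start clean and default-deny every chain, as in Manish's script.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback: many local services (including mysql clients) talk to 127.0.0.1.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Connection tracking: packets belonging to an already-accepted connection
    # are allowed in both directions, so replies never need their own rule.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only NEW connections from the listed clients to the listed services.
    for c in $CLIENTS; do
        for p in $PORTS; do
            $IPT -A INPUT -p tcp -s "$c" -d "$FW_IP" --dport "$p" -m state --state NEW -j ACCEPT
        done
    done

    # Outbound DNS so reverse lookups by sshd/mysqld return promptly instead
    # of waiting for a timeout (the delay described in the thread).
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
}

build_rules
```

Run it as-is to review the generated rules; once they look right, run it with IPT=iptables as root to load them. Anything not matched by a rule above, inbound or outbound, falls through to the DROP policy.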
