On Tue, 26 Feb 2002, Steve Holmes wrote:

> I know, but as soon as I make default policy to DENY on the input chain,
> all connectivity to the outside is lost. Here was a basic set of rules at
> my last test.
>
> ipchains -P input DENY
> ipchains -A input -i lo -j ACCEPT
> ipchains -A input -i eth0 -j ACCEPT
> ipchains -P forward DENY
> ipchains -A forward -s 192.168.1.0/24 -j MASQ
> ipchains -P output -j ACCEPT
>
> Now at this point I tried adding something like
>
> ipchains -A input -i eth1 -p ! -y --dport 1025:65535 -j ACCEPT

Upon further thinking following a later response I *think* that you need
to add tcp after the -p.

ipchains -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT

It has been a while since I messed with ipchains. I was forced (my own
fault) to upgrade to iptables after a kernel recompile. Tables, IMO, is
far easier to configure once you get your mind wrapped around the
changes. I have far fewer rules, tables is stateful and works
beautifully.

--
Patrick Fleming, EA
Licensed to represent taxpayers before Exam, Appeals, and Conference
divisions of the IRS
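The ruleset from the quoted message with the `-p tcp` fix applied, written as an added example (it is not code from either poster). The script wraps every call in a dry-run function so the generated commands can be reviewed before they are applied, and it refuses any rule that uses `-y`/`! -y` or a port match without naming a protocol, which is the defect in the original attempt. The function names (`run`, `rule_ok`, `add_rule`, `firewall`), the `DRY_RUN` variable, and the reading of eth0 as the LAN side and eth1 as the external side are assumptions drawn from the quoted rules.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or, with DRY_RUN=0, applies)
# Steve's ipchains ruleset with Patrick's correction. Needs root and a
# 2.2-era ipchains kernel to apply for real; the default is a dry run.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise call ipchains with it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipchains %s\n' "$*"
    else
        ipchains "$@"
    fi
}

# ipchains rejects the SYN match (-y / ! -y) unless -p tcp is given, and
# --dport/--sport unless -p tcp or -p udp is given. Check that before running.
rule_ok() {
    r=" $* "
    case "$r" in
        *" -y "*) case "$r" in *" -p tcp "*) ;; *) return 1 ;; esac ;;
    esac
    case "$r" in
        *" --dport "*|*" --sport "*)
            case "$r" in *" -p tcp "*|*" -p udp "*) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# Only add a rule that passes the dependency check; report the bad one otherwise.
add_rule() {
    if rule_ok "$@"; then
        run "$@"
    else
        echo "refusing rule without a protocol for -y/--dport: ipchains $*" >&2
        return 1
    fi
}

firewall() {
    # Start clean, then default-deny input and forward; output stays open.
    # Note: -P takes the target directly, without -j.
    run -F input
    run -F forward
    run -P input DENY
    run -P forward DENY
    run -P output ACCEPT
    # Trusted interfaces: loopback and the internal LAN side (eth0, assumed).
    add_rule -A input -i lo -j ACCEPT
    add_rule -A input -i eth0 -j ACCEPT
    # Replies to connections this host started: non-SYN TCP to unprivileged
    # ports on the external side (eth1, assumed). This is the corrected rule.
    add_rule -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT
    # Masquerade the LAN (192.168.1.0/24 from the quoted rules) outbound.
    add_rule -A forward -s 192.168.1.0/24 -j MASQ
}

# Uncomment to run as a script: firewall
```

Run `DRY_RUN=1 sh firewall.sh` after uncommenting the last line to see the exact commands before applying them. The `! -y` rule is the stateless workaround Patrick alludes to: it admits any non-SYN TCP segment to ports 1025:65535, not only packets belonging to connections this host opened, which is why iptables' connection tracking replaces it with a much tighter check.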