Actually, I had -p tcp in the live example. I typed this into the e-mail
and probably left it out; had I left it out on the ipchains command, I
probably would have gotten an error.

On Tue, 26 Feb 2002, Patrick Fleming EA wrote:

> On Tue, 26 Feb 2002, Steve Holmes wrote:
>
> > I know, but as soon as I make the default policy DENY on the input chain,
> > all connectivity to the outside is lost. Here was a basic set of rules at
> > my last test.
> >
> > ipchains -P input DENY
> > ipchains -A input -i lo -j ACCEPT
> > ipchains -A input -i eth0 -j ACCEPT
> > ipchains -P forward DENY
> > ipchains -A forward -s 192.168.1.0/24 -j MASQ
> > ipchains -P output ACCEPT
> >
> > Now at this point I tried adding something like
> >
> > ipchains -A input -i eth1 -p ! -y --dport 1025:65535 -j ACCEPT
>
> Upon further thinking, following a later response, I *think* that you need
> to add tcp after the -p:
>
> ipchains -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT
>
> It has been a while since I messed with ipchains. I was forced (my
> own fault) to upgrade to iptables after a kernel recompile. Tables, IMO,
> is far easier to configure once you get your mind wrapped around the
> changes. I have far fewer rules, tables is stateful and works beautifully.
>
> --
> Patrick Fleming, EA
> Licensed to represent taxpayers
> before Exam, Appeals, and Conference
> divisions of the IRS
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
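The ruleset the thread converges on, written out in full next to the stateful iptables equivalent that the reply alludes to. This is an added example for this page, not code posted by either participant. It assumes eth0 is the LAN side, eth1 the external side and 192.168.1.0/24 the LAN network (the thread names the interfaces and network but never says which is which); the `run` wrapper, `APPLY` variable and function names are this example's own. By default it only prints the commands, so the rules can be reviewed before they touch a live kernel.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface roles and the
# LAN network are assumptions (the thread does not state which side is which).
LAN_IF=eth0
EXT_IF=eth1
LAN_NET=192.168.1.0/24

# Dry run unless APPLY=1: print each command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# ipchains (2.2-era kernel): default DENY on input/forward, then open holes.
ipchains_rules() {
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT            # -P takes a policy name, not -j
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$LAN_IF" -j ACCEPT
    # Replies to connections we opened: TCP segments with SYN clear (! -y)
    # aimed at unprivileged ports. "-p tcp" is mandatory; -y is TCP-only.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y --dport 1025:65535 -j ACCEPT
    run ipchains -A forward -s "$LAN_NET" -j MASQ
}

# iptables (2.4+ kernel): same policy, but reply traffic is admitted by
# connection state instead of by TCP flag, which is what "stateful" buys you.
iptables_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -j ACCEPT
    # Only packets belonging to a connection this box already opened get in.
    run iptables -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
}

# Either variant also needs forwarding switched on for the LAN to get out:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
case "${1:-}" in
    ipchains) ipchains_rules ;;
    iptables) iptables_rules ;;
    *) echo "usage: $0 ipchains|iptables   (set APPLY=1 to execute)" >&2 ;;
esac
```

Two caveats a practitioner should keep in mind with the ipchains form. The `! -y` rule has no connection table behind it: any TCP segment without SYN arriving on eth1 for a high port is accepted, whether or not a connection exists, which is why the stateful `ESTABLISHED,RELATED` match is the better answer once iptables is available. And `-y` only applies to TCP, so UDP replies (DNS lookups from the box itself, for instance) are still denied by the input policy until a separate rule admits them.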