> # Firewall configuration written by system-config-securitylevel > # Manual customization of this file is not recommended. ugh...fwbuilder crap...oh well. > *filter > :INPUT ACCEPT [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > :RH-Firewall-1-INPUT - [0:0] > -A INPUT -j RH-Firewall-1-INPUT > -A FORWARD -j RH-Firewall-1-INPUT > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT > -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT Seriously? Them two are redundant since you already accept everything on lo. > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j > ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j > ACCEPT > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > COMMIT Hmm...you do not appear to have a blanket accept for your internal interface. What services are supposed to be open to the internal lan? > > >> 'netstat -ntlp' > > Active Internet connections (only servers) > Proto Recv-Q Send-Q Local Address Foreign Address > State PID/Program name > tcp 0 0 0.0.0.0:20000 0.0.0.0:* > LISTEN 3580/perl > tcp 0 0 127.0.0.1:2208 0.0.0.0:* > LISTEN 2960/hpiod > tcp 0 0 0.0.0.0:3306 0.0.0.0:* > LISTEN 3138/mysqld > tcp 0 0 127.0.0.1:3310 0.0.0.0:* > LISTEN 3049/clamd > tcp 0 0 0.0.0.0:111 0.0.0.0:* > LISTEN 2667/portmap > tcp 0 0 0.0.0.0:6000 0.0.0.0:* > LISTEN 3958/X > tcp 0 0 0.0.0.0:10000 0.0.0.0:* > LISTEN 3588/perl > tcp 0 0 192.168.1.101:53 0.0.0.0:* > LISTEN 2639/named > tcp 0 0 127.0.0.1:53 0.0.0.0:* > LISTEN 2639/named > tcp 0 0 127.0.0.1:631 0.0.0.0:* > LISTEN 2980/cupsd > tcp 0 0 0.0.0.0:25 0.0.0.0:* > LISTEN 3218/sendmail: acce > tcp 0 0 127.0.0.1:953 0.0.0.0:* > LISTEN 2639/named > tcp 0 0 0.0.0.0:766 0.0.0.0:* > LISTEN 2704/rpc.statd > tcp 0 0 0.0.0.0:3551 0.0.0.0:* > LISTEN 3032/apcupsd > tcp 0 0 127.0.0.1:2207 0.0.0.0:* > LISTEN 2965/python > tcp 0 0 :::80 :::* > LISTEN 5464/httpd > tcp 0 0 :::6000 :::* > LISTEN 3958/X > tcp 0 0 ::1:953 :::* > LISTEN 2639/named > tcp 0 0 :::443 :::* > LISTEN 5464/httpd > > Not sure what all this means. Hope someone can. > You should be able to connect to the web service from the internal lan using the internal ip and also to the smtp service. But I guess your web service is probably apache doing proxy work unless you have a different meaning to 'internal boxes can access the internet'... What services were internal boxes supposed to be able to access again? webmin? mysql? dns?