From: Dominic <cvs@technoplaza.net>
To: netfilter@lists.netfilter.org
Subject: cvs iptables question...
Date: Sat, 03 Apr 2004 12:01:34 -0500
Message-ID: <406EEDEE.9040301@technoplaza.net>
I am trying to connect to a cvs pserver, but whenever I try, my firewall
configuration blocks me from doing so.
I should be able to add a rule to the OUTPUT chain that allows
connections on tcp protocol port 2401. I did this, but it doesn't work.
I know it is iptables blocking me because when I flush all the rules, I
can login to the cvs server.
When I tried Windows cvs with Sygate Personal Firewall and examined the
traffic log, there was only one outgoing note to the CVS server, using
tcp on port 2401. I don't know what Linux version would do that the
Windows version isn't doing.
The following are my iptables rules. I have modeled it after the Gentoo
security guide tutorial.
# Default policy: drop everything that no rule explicitly accepts
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# Stateful catch-all: accept packets belonging to existing connections, log and drop the rest
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -i eth0 -m limit -j LOG --log-prefix "Bad packet from eth0:"
$IPTABLES -A allowed-connection -j DROP

# ICMP: only the two error types needed for path MTU discovery / traceroute replies
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
$IPTABLES -A icmp_allowed -p icmp -j DROP

# One user chain per allowed outbound service
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT
$IPTABLES -N allow-ftp-traffic-out
$IPTABLES -F allow-ftp-traffic-out
$IPTABLES -A allow-ftp-traffic-out -p tcp --dport ftp -j ACCEPT
$IPTABLES -N allow-dns-traffic-out
$IPTABLES -F allow-dns-traffic-out
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT
$IPTABLES -N allow-www-traffic-out
$IPTABLES -F allow-www-traffic-out
$IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
$IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT
$IPTABLES -N allow-rsync-traffic-out
$IPTABLES -F allow-rsync-traffic-out
$IPTABLES -A allow-rsync-traffic-out -p tcp --dport rsync -j ACCEPT
$IPTABLES -N allow-mail-traffic-out
$IPTABLES -F allow-mail-traffic-out
$IPTABLES -A allow-mail-traffic-out -p tcp --dport smtp -j ACCEPT
$IPTABLES -A allow-mail-traffic-out -p tcp --dport pop3 -j ACCEPT
# The original post had "-A allow-cvs-traffic-out" on the next line. -A on a chain
# that does not exist yet fails, so the chain was never created and the -F, the
# port-2401 rule and the "-A OUTPUT -j allow-cvs-traffic-out" below all failed too.
# -N is what creates the chain.
$IPTABLES -N allow-cvs-traffic-out
$IPTABLES -F allow-cvs-traffic-out
$IPTABLES -A allow-cvs-traffic-out -p tcp --dport 2401 -j ACCEPT

# Wire the user chains into the built-in chains
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -j icmp_allowed
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allowed-connection
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -j icmp_allowed
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allow-www-traffic-out
$IPTABLES -A FORWARD -j allowed-connection
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -j icmp_allowed
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out
$IPTABLES -A OUTPUT -j allow-dns-traffic-out
$IPTABLES -A OUTPUT -j allow-www-traffic-out
$IPTABLES -A OUTPUT -j allow-ftp-traffic-out
$IPTABLES -A OUTPUT -j allow-rsync-traffic-out
$IPTABLES -A OUTPUT -j allow-mail-traffic-out
$IPTABLES -A OUTPUT -j allow-cvs-traffic-out
$IPTABLES -A OUTPUT -j allowed-connection
Does anyone have any suggestions?
--Dominic
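As an added example (not from the post, the Gentoo guide or iptables itself), a small POSIX shell lint for the class of mistake in the rules above: it reads a rules script and reports every -A/-I/-D/-F/-j that names a user chain no earlier -N created, which is exactly why a "-A" typed where "-N" was meant silently leaves a service unreachable. The check_chains function, the CHAIN_ERRORS variable and the short rules excerpt are constructed for this example.

```shell
#!/bin/sh
# Hypothetical lint for an iptables rules script: a user chain that is
# appended to (-A/-I/-D), flushed (-F) or jumped to (-j) must have been
# created with -N earlier in the same script. Built-in chains and standard
# targets are always known. Sets CHAIN_ERRORS and returns non-zero on problems.
check_chains() {                       # $1: file with one iptables call per line
    file=$1
    known=' INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP REJECT LOG RETURN '
    CHAIN_ERRORS=0
    lineno=0
    set -f                             # no globbing while splitting lines into words
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        set -- $line                   # the literal text "$IPTABLES" is not re-expanded
        while [ $# -gt 1 ]; do
            case "$1" in
                -N) known="$known$2 " ;;
                -A|-I|-D|-F|-j)
                    case "$known" in
                        *" $2 "*) ;;
                        *) echo "line $lineno: '$1 $2' names a chain never created with -N"
                           CHAIN_ERRORS=$((CHAIN_ERRORS + 1)) ;;
                    esac ;;
            esac
            shift
        done
    done < "$file"
    set +f
    [ "$CHAIN_ERRORS" -eq 0 ]
}

# Constructed excerpt reproducing the post's typo (not the full ruleset)
BAD=$(mktemp); GOOD=$(mktemp)
cat > "$BAD" <<'EOF'
$IPTABLES -P OUTPUT DROP
$IPTABLES -N allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allow-cvs-traffic-out
$IPTABLES -F allow-cvs-traffic-out
$IPTABLES -A allow-cvs-traffic-out -p tcp --dport 2401 -j ACCEPT
$IPTABLES -A OUTPUT -j allow-cvs-traffic-out
$IPTABLES -A OUTPUT -j allowed-connection
EOF
# Same script with the one -A corrected to -N
sed 's/^\$IPTABLES -A allow-cvs-traffic-out$/$IPTABLES -N allow-cvs-traffic-out/' "$BAD" > "$GOOD"

check_chains "$BAD" || echo "$CHAIN_ERRORS problem(s) found in the excerpt with the typo"
check_chains "$GOOD" && echo "corrected excerpt: every referenced chain is created"
```

Running the lint over the excerpt with the typo reports four lines (the -A, the -F, the port-2401 rule and the jump from OUTPUT); after the -N fix it reports none.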