Iptables and Messenger
Luis Q. R.
10-11-2003, 08:24 AM
I've tried to make my MSN client work with iptables, but it doesn't. My policy is:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
Then, knowing that MSN uses port 1863 for chat and ports 6891-6900 for file transfers, I did:
iptables -A INPUT -i eth0 -p tcp --sport 1863 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 6891 -j ACCEPT
etc., but I only get this message: "Unable to open socket". What command should I add?
There are a couple of things that would be handy to know:
1. Are you trying to connect to Messenger from the same machine you have Iptables on, or are you trying to do it through a Linux Firewall?
2. Have you got any other rules specified other than what you have mentioned? e.g. Is any other traffic allowed in other than the Messenger traffic?
Try running tail -f /var/log/messages whilst you are trying to connect to messenger.
One good rule to try is to use the "State" matching filter. If used with ESTABLISHED, RELATED, it will only allow Established (connections that you make) and related (connections that are related to existing connections).
iptables -A INPUT -i <yourInterface> -m state --state ESTABLISHED,RELATED -j ACCEPT
www.iptables.org <--- Make sure ya read the Filter Howto!
Cya round
Jinx
Satanic Atheist
10-13-2003, 08:11 AM
Filtering on the remote port with --sport is almost completely pointless since you don't control it. It's only of use if you're filtering access from a controlled machine on your network, redirecting traffic or blocking access to malicious programs and you know the port they use (mostly with DDoS attacks on common ports such as a web-browser port... and we all know who's responsible for that spate of attacks!)
You should do the following:
iptables -A INPUT -i eth0 -p tcp --dport 1863 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 6891:6900 -j ACCEPT
I'll check what ports I've left open later. I need to rehash the firewall script anyway to do the --state ESTABLISHED stuff, and I'll post back. At the moment, I'm at work and not in front of a Linux machine.
James
justlinux.com
Copyright 2007 Jupitermedia Corporation All Rights Reserved.