"gorf" writes:
> I want to allow all outbound traffic, allow all inbound traffic from subnets
> x.x.x.x/x and y.y.y.y/y, allow all inbound traffic on tcp port xxxxx, and
> block all other inbound traffic.
> Shouldn't this just be 4 simple rules?
> iptables -A INPUT -p tcp --dport xxxxx -j ACCEPT
> iptables -A INPUT -s x.x.x.x/x -j ACCEPT
> iptables -A INPUT -s y.y.y.y/y -j ACCEPT
> iptables -A INPUT -j REJECT
> This wouldn't let me communicate with any machines outside of the two
> subnets I specified. I'm thinking that it's not allowing ANYTHING inbound,
> even communications from computers that I contacted first.

Yup, that's exactly what it's doing. What you want to do is add a
rule to allow established and related connections. Just before the
REJECT rule, add:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This assumes that your kernel has been compiled with connection
tracking and state matching. In addition, some protocols (like IRC
and FTP) require special helper kernel modules (ip_conntrack_irc.o and
ip_conntrack_ftp.o) to be loaded to completely support tracking them
in this manner.
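A small first-match simulation of the INPUT chain discussed above, added here as an illustration and not taken from the thread: it walks the same four rules, then the five-rule version with the RELATED,ESTABLISHED rule in front of REJECT, and shows which verdict a reply packet gets in each. The subnets, port and addresses are made-up stand-ins for x.x.x.x/x, y.y.y.y/y and xxxxx, and the connection-tracking state is a simplified model (an inbound packet counts as ESTABLISHED only if this host opened the connection first).

```python
"""Toy first-match model of the poster's INPUT chain. Constructed example,
not netfilter code: conntrack is reduced to 'did we open this connection?'"""
from ipaddress import ip_address, ip_network

# Stand-ins for the thread's x.x.x.x/x, y.y.y.y/y and tcp port xxxxx (assumptions)
ALLOWED_SUBNETS = [ip_network("10.1.0.0/16"), ip_network("192.168.5.0/24")]
SERVICE_PORT = 2222


def build_rules(with_state_rule):
    """Return the chain as an ordered list of (match, verdict), like iptables -A."""
    rules = [
        (lambda p: p["proto"] == "tcp" and p["dport"] == SERVICE_PORT, "ACCEPT"),
        (lambda p: any(ip_address(p["src"]) in n for n in ALLOWED_SUBNETS), "ACCEPT"),
    ]
    if with_state_rule:  # the rule the reply says to add just before REJECT
        rules.append((lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "ACCEPT"))
    rules.append((lambda p: True, "REJECT"))
    return rules


def conntrack_state(pkt, tracked):
    """Simplified -m state: ESTABLISHED if we initiated the flow, else NEW."""
    return "ESTABLISHED" if (pkt["src"], pkt["sport"]) in tracked else "NEW"


def filter_input(pkt, rules, tracked):
    """First matching rule wins; with no terminal match the chain policy (ACCEPT) applies."""
    pkt = dict(pkt, state=conntrack_state(pkt, tracked))
    for matches, verdict in rules:
        if matches(pkt):
            return verdict
    return "ACCEPT"


def demo():
    """Verdicts for four inbound packets under the original and the fixed chain."""
    tracked = {("203.0.113.7", 443)}  # this host already connected out to a web server
    packets = {
        "reply": {"src": "203.0.113.7", "sport": 443, "proto": "tcp", "dport": 51234},
        "unsolicited": {"src": "198.51.100.9", "sport": 40000, "proto": "tcp", "dport": 22},
        "lan": {"src": "10.1.2.3", "sport": 40000, "proto": "tcp", "dport": 22},
        "service": {"src": "198.51.100.9", "sport": 40001, "proto": "tcp", "dport": SERVICE_PORT},
    }
    return {
        label: {name: filter_input(p, rules, tracked) for name, p in packets.items()}
        for label, rules in (("original", build_rules(False)), ("fixed", build_rules(True)))
    }
```

With the original four rules the web server's reply is rejected because it matches neither the port nor the subnet rules; with the state rule it is accepted while the unsolicited SSH attempt from outside still hits REJECT.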