From: Dax Kelson <dax@gurulabs.com>
To: alex <alex@bennee.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Is dropping all ICMP traffic valid?
Date: 12 Nov 2002 17:36:12 -0700
Message-ID: <1037147772.25372.6.camel@aramis>
In-Reply-To: <1037143537.8023.4.camel@trent.nin>
On Tue, 2002-11-12 at 16:25, alex wrote:
> I'm still trying to figure out why I'm losing connection on my
> portforwarded webserver. One thing I have noticed is the gateway is
> dropping ICMP packets back to the webserver:
>
> Nov 12 23:01:16 gateway kernel: [Dropped to-lan]IN= OUT=eth0
> SRC=192.168.1.250 DST=192.168.1.110 LEN=576 TOS=0x00 PREC=0xC0 TTL=64
> ID=13411 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.110 DST=213.155.151.41
> LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=8806 DF PROTO=TCP SPT=80 DPT=4776
> WINDOW=7504 RES=0x00 ACK URGP=0 ] MTU=1478
>
> which seem to be related to the web connection. I thought ICMP packets
> were not needed for general operation, and even if they were, they would
> be covered by the nat and FORWARD tables not being dropped on the local
> process OUTPUT chain.
>
> Any ideas?
Yes. This is a classic beginner/expert mistake.
ICMP *is* needed for general operation, specifically ICMP Type 3, Code 4.
This is needed for proper MTU path discovery (PMTU). Go google and learn
about this.
If you are doing stateful filtering, then "RELATED" will automatically
match those ICMP packets. For example as the first rule in your INPUT,
or OUTPUT, and/or FORWARD chain (depending on how you have stuff
configured) have:
iptables -A INPUT/FORWARD/OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
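As an added example (not part of the thread), a small Python parser for the netfilter LOG line alex quoted: it splits out the inner TCP header that the ICMP error quotes, confirms the dropped packet is the type 3/code 4 message Path MTU discovery relies on, infers which chain logged it from the IN/OUT fields, and emits Dax's ESTABLISHED,RELATED rule for that chain. The log line is a constructed copy joined onto one line; the IN/OUT-to-chain mapping is an assumption about how the filter chains see locally generated versus forwarded traffic.

```python
import re

# Constructed copy of the LOG line quoted in the thread, joined onto one line as
# syslog emits it (gateway's own ICMP 3/4 to the web server, inner header in [...]).
LOG_LINE = (
    "Nov 12 23:01:16 gateway kernel: [Dropped to-lan]IN= OUT=eth0 "
    "SRC=192.168.1.250 DST=192.168.1.110 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=13411 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.110 DST=213.155.151.41 "
    "LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=8806 DF PROTO=TCP SPT=80 DPT=4776 "
    "WINDOW=7504 RES=0x00 ACK URGP=0 ] MTU=1478"
)

def _fields(text):
    """KEY=VALUE tokens -> dict; bare tokens such as DF and ACK -> set."""
    kv = dict(re.findall(r"(\w+)=(\S*)", text))
    return kv, {t for t in text.split() if "=" not in t}

def parse_netfilter_log(line):
    """Outer fields plus, for ICMP errors, the quoted inner header (last [...] group)."""
    start, end = line.rfind("["), line.rfind("]")
    if start != -1 and end > start and "PROTO=ICMP" in line[:start]:
        inner, flags = _fields(line[start + 1:end])
        outer, _ = _fields(line[:start] + line[end + 1:])
    else:
        outer, _ = _fields(line)
        inner, flags = {}, set()
    return outer, inner, flags

def chain_for(outer):
    """Assumed mapping: IN and OUT set -> FORWARD, OUT only -> OUTPUT, else INPUT."""
    if outer.get("IN") and outer.get("OUT"):
        return "FORWARD"
    return "OUTPUT" if outer.get("OUT") else "INPUT"

def pmtud_breakage(line):
    """Details of a dropped 'fragmentation needed' (type 3, code 4) message, else None."""
    outer, inner, flags = parse_netfilter_log(line)
    if (outer.get("PROTO"), outer.get("TYPE"), outer.get("CODE")) != ("ICMP", "3", "4"):
        return None
    chain = chain_for(outer)
    return {
        "chain": chain,
        "reported_mtu": int(outer.get("MTU", 0)),   # next-hop MTU the sender must honour
        "too_big_len": int(inner["LEN"]),            # size of the packet that did not fit
        "inner_flags": flags,                        # DF present => sender relies on PMTUD
        "victim_flow": f"{inner['SRC']}:{inner['SPT']} -> {inner['DST']}:{inner['DPT']}",
        "fix": f"iptables -I {chain} 1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    }
```

Run over a whole kernel log, any non-None result is a connection whose large segments will stall until the RELATED rule is put ahead of the DROP in the reported chain.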