From: Joel Newkirk <netfilter@newkirk.us>
To: Luis Fernando Barrera <luba@assist.com.gt>,
netfilter@lists.netfilter.org
Subject: Re: ICMP question
Date: Thu, 14 Nov 2002 20:59:43 -0500 [thread overview]
Message-ID: <200211142059.43778.netfilter@newkirk.us> (raw)
In-Reply-To: <NABBIDJPNCAGKGOFGHBFOELFPIAA.luba@assist.com.gt>
On Thursday 14 November 2002 01:28 pm, Luis Fernando Barrera wrote:
> iptables -A FORWARD -p ICMP -s 192.168.1.37 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p ICMP -d 192.168.1.37 -m state --state ESTABLISHED -j
> ACCEPT
>
> I've been experiencing the problem that with this set of rules, suddenly,
> the PC in the LAN cannot "ping" any hosts in the Internet. To solve the
> problem
> iptables -A FORWARD -p ICMP -s 192.168.1.37 -j ACCEPT
> iptables -A FORWARD -p ICMP -d 192.168.1.37 -j ACCEPT
>
> These are the same rules, except that don't track the state of the
> connections...
>
> Could someone tell me what is the risk asociated to NOT to track the
> connections?
For the first rule just use the second version (without state match), but for
the second rule you want state as it will prevent any ICMP connections
originating anywhere else from being forwarded to that IP, assuming other
rules and policy don't ACCEPT it. (and assuming you don't want that...) The
new pair would then allow any ICMP through that came FROM 192.168.1.37, and
prevent any ICMP from going TO 192.168.1.37 UNLESS it is part of an
established connection, IE a response to a ping that was ACCEPTed by the
first rule.
Using the state matches can help you tighten things up considerably, and also
considerably reduce the number of rules you need to explicitly define. You
can allow a local machine out only to port 80 and 53, nothing back to it at
all, then accept ESTABLISHED/RELATED both ways and everything will work,
because the responses back to the local machine, and even ICMP messages
related to the connection, are matched based on state.
> One more question... Is it true that when you specify the ICMP protocol,
> iptables only
> applies the rule to the type 0?
Nope, unless it's a bug in a version other than 1.2.5, I just tested. (Ping
my ISP's DNS, nothing, added ICMP rule with no type specified, 18.2ms)
> thanks in advance
>
> Luis Fernando Barrera
> luba@assist.com.gt
j
next prev parent reply other threads:[~2002-11-15 1:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-11-13 14:34 intermittent and unreliable behaviour with iptables scripts Doug Watson
2002-11-13 15:16 ` Raymond Leach
2002-11-13 20:21 ` Joel Newkirk
2002-11-13 18:13 ` Dax Kelson
2002-11-14 18:28 ` ICMP question Luis Fernando Barrera
2002-11-14 21:47 ` Darrell F. Dieringer
2002-11-24 16:34 ` Nick Drage
2002-11-15 1:59 ` Joel Newkirk [this message]
2002-11-13 22:47 ` intermittent and unreliable behaviour with iptables scripts alex
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200211142059.43778.netfilter@newkirk.us \
--to=netfilter@newkirk.us \
--cc=luba@assist.com.gt \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.