* Ping only inside my network
@ 2004-12-20 5:09 Venom
2004-12-20 7:34 ` Rob Sterenborg
0 siblings, 1 reply; 5+ messages in thread
From: Venom @ 2004-12-20 5:09 UTC (permalink / raw)
To: netfilter
Hello,
First time to write, I hope I do it the right way :) I want to be able
to make pings inside my network. At the moment I am trying to ping my
Linux box from a Windows terminal and I get request timed out.
Any solutions?
Thanks
* RE: Ping only inside my network
From: Rob Sterenborg @ 2004-12-20 7:34 UTC (permalink / raw)
To: netfilter
netfilter-bounces@lists.netfilter.org wrote:
> First time to write, I hope I do it the right way :) I want
Welcome :o)
> to be able to make pings inside my network. At the moment I
> am trying to ping my Linux box from a Windows terminal and I get
> request timed out.
You don't give much information about what you've done already, but you
have probably set the policy for the INPUT chain to DROP, so it will drop
any packet for which NF has no rule to accept it.
In that case you'll have to accept ICMP traffic from your LAN:
iptables -A INPUT -i $IF_LAN -s $IP_LAN -p icmp -j ACCEPT
If you have also set the policy to DROP for the OUTPUT chain, you'll want to
be able to send the reply packets:
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Gr,
Rob
* RE: Ping only inside my network
From: R. DuFresne @ 2004-12-20 7:43 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
On Mon, 20 Dec 2004, Rob Sterenborg wrote:
> netfilter-bounces@lists.netfilter.org wrote:
>
> > First time to write, I hope I do it the right way :) I want
>
> Welcome :o)
>
> > to be able to make pings inside my network. At the moment I
> > am trying to ping my Linux box from a Windows terminal and I get
> > request timed out.
>
> You don't give much information about what you've done already, but you
> have probably set the policy for the INPUT chain to DROP, so it will drop
> any packet for which NF has no rule to accept it.
> In that case you'll have to accept ICMP traffic from your LAN:
> iptables -A INPUT -i $IF_LAN -s $IP_LAN -p icmp -j ACCEPT
>
> If you have also set the policy to DROP for the OUTPUT chain, you'll want to
> be able to send the reply packets:
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
Doesn't this also require a FORWARD rule for other systems inside the LAN
to talk to one another? And might not the OUTPUT rule include NEW,
in case he wants replies from the FW itself to be returned?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as its accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
* RE: Ping only inside my network
From: Rob Sterenborg @ 2004-12-20 8:14 UTC (permalink / raw)
To: netfilter
netfilter-bounces@lists.netfilter.org wrote:
>>> to be able to make pings inside my network. At the moment I am
>>> trying to ping my Linux box from a Windows terminal and I get
>>> request timed out.
>>
>> You don't give much information about what you've done already, but
>> you have probably set the policy for the INPUT chain to DROP, so it
>> will drop any packet for which NF has no rule to accept it.
>> In that case you'll have to accept ICMP traffic from your LAN:
>> iptables -A INPUT -i $IF_LAN -s $IP_LAN -p icmp -j ACCEPT
>>
>> If you have also set the policy to DROP for the OUTPUT chain, you'll want
>> to be able to send the reply packets:
>> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Doesn't this also require a FORWARD rule for other systems
> inside the LAN to talk to one another?
AFAIK hosts inside the LAN would ping each other directly, not
through the firewall, so I don't see a reason to include such a rule in
the FORWARD chain.
> And might not the OUTPUT rule include NEW, in case he wants replies
> from the FW itself to be returned?
If a ping request comes in (state NEW), I suppose the ping reply would
have state ESTABLISHED, which will be accepted by the second rule
above.
He would however require some rule in the OUTPUT chain (if the policy is set to
DROP) if he wants to be able to make connections *from* the firewall
(state NEW).
Gr,
Rob
* RE: Ping only inside my network
From: Jose Maria Lopez @ 2004-12-27 16:32 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Mon, 20 Dec 2004 at 08:34, Rob Sterenborg wrote:
> You don't give much information about what you've done already, but you
> have probably set the policy for the INPUT chain to DROP, so it will drop
> any packet for which NF has no rule to accept it.
> In that case you'll have to accept ICMP traffic from your LAN:
> iptables -A INPUT -i $IF_LAN -s $IP_LAN -p icmp -j ACCEPT
>
> If you have also set the policy to DROP for the OUTPUT chain, you'll want to
> be able to send the reply packets:
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> Gr,
> Rob
It would be even better if he only accepts the echo-request and
echo-reply packets. That will allow pings but will deny other
kinds of ICMP packets that could be harmful.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
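The rule set the replies converge on (DROP policies on INPUT and OUTPUT, conntrack letting the echo-reply back through, a separate NEW rule only for pings the firewall itself originates, and Jose's narrowing from all of ICMP to echo-request), as an added example that is not code from any message in this thread. The script prints the iptables commands for review instead of applying them; the interface and subnet (here eth1 and 192.168.1.0/24) are made-up values passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: emit a minimal iptables rule set that
# allows ping inside the LAN while keeping default-deny policies on the
# firewall's INPUT and OUTPUT chains. Rules are printed, not applied.

gen_icmp_rules() {
    if_lan="$1"   # LAN-facing interface (assumed name, e.g. eth1)
    ip_lan="$2"   # LAN subnet in CIDR notation (assumed value)

    # Default-deny: any packet without an explicit ACCEPT rule is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"

    # Packets of a flow conntrack already knows are accepted in both
    # directions. The echo-reply to an accepted echo-request is ESTABLISHED,
    # so it needs no rule of its own (Rob's second rule).
    echo "iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"

    # New inbound ICMP from the LAN is limited to echo-request; every other
    # ICMP type stays under the DROP policy (Jose's point).
    echo "iptables -A INPUT -i $if_lan -s $ip_lan -p icmp --icmp-type echo-request -j ACCEPT"

    # Pings originated by the firewall itself are NEW in OUTPUT, which the
    # ESTABLISHED rule above does not cover, hence a rule of their own.
    echo "iptables -A OUTPUT -o $if_lan -d $ip_lan -p icmp --icmp-type echo-request -j ACCEPT"
}

# Sanity check: count generated rules that match ICMP without an --icmp-type
# restriction. Zero means no rule lets the whole protocol through.
broad_icmp_rules() {
    gen_icmp_rules "$1" "$2" | grep -- '-p icmp' | grep -v -- '--icmp-type' | wc -l | tr -d ' '
}

# Review the output first; apply on the firewall with:  sh this_script.sh | sh
gen_icmp_rules eth1 192.168.1.0/24
echo "# rules accepting all of ICMP: $(broad_icmp_rules eth1 192.168.1.0/24)"
```

Rule order matters: the RELATED,ESTABLISHED rules come first so replies are matched cheaply, and only genuinely new echo-requests reach the narrower rule. Hosts on the same LAN still ping each other without touching the firewall, which is why nothing is added to FORWARD.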