From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: cant ping fw
Date: Wed, 06 Jul 2005 13:37:25 +0200
Message-ID: <42CBC275.2090003@mnemon.de>
In-Reply-To: <42CBBE57.5060802@eccotours.dyndns.org>
Brent Clark wrote:
> Hi list
>
> I'm so close to pulling my hair out on this.
>
> I have a webserver with the following ruleset (default policy of DROP):
>
> $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -m state --state INVALID -j DROP
> $IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
> $IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
> #$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
> $IPT -N SSH_Brute_Force
> $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
> $IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
> $IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
> $IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
> $IPT -A SSH_Brute_Force -p tcp -j DROP
>
> $IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
> $IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
> $IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the life of me I can't work out why I can't ping the machine;
> even localhost does not return anything.
Is this really the complete rule set? No rules in OUTPUT and FORWARD,
but policy set to DROP? Anyway.

There is no rule for lo. Add

$IPT -<I | A> INPUT -i lo -j ACCEPT
$IPT -<I | A> OUTPUT -o lo -j ACCEPT

and for echo reply add

$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

This should work.
Have a nice time,
Joerg
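A corrected script along the lines of Jörg's advice, added here as an example and not taken from the thread. It assumes an IPT variable as in Brent's script and defaults to a dry run that only prints the commands; it goes a little beyond the reply by also letting OUTPUT pass ESTABLISHED,RELATED traffic, which is what lets the replies of every accepted INPUT connection leave under an OUTPUT DROP policy.

```shell
# Dry run by default: run with IPT=/sbin/iptables to apply for real.
IPT="${IPT:-echo iptables}"

firewall_rules() {
    # Same default policies as in Brent's setup.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP

    # Loopback first (-I at position 1) so no later rule can shadow it;
    # without these, anything to 127.0.0.1 dies in the DROP policy.
    $IPT -I INPUT 1 -i lo -j ACCEPT
    $IPT -I OUTPUT 1 -o lo -j ACCEPT

    # OUTPUT needs rules of its own: the ESTABLISHED,RELATED rule in
    # INPUT does nothing for packets leaving the box, so echo replies
    # and SYN-ACKs were being dropped by the OUTPUT policy.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # Note: the box itself still cannot open NEW connections (DNS,
    # updates); add explicit OUTPUT rules for what it needs.

    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    for port in 80 21 25; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "[INPUT DROP]: "
    $IPT -A INPUT -j DROP
}

# Review helpers for the dry run: count the loopback accepts and check
# that an echo-reply is allowed to leave before the rules are applied.
lo_rule_count() {
    firewall_rules | grep -c -- '-[io] lo -j ACCEPT'
}

output_allows_echo_reply() {
    firewall_rules | grep -q -- '-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT'
}
```

After applying with the real binary, `ping -c 1 127.0.0.1` and a ping from another host should both answer; `iptables -L OUTPUT -v -n` shows the counters on the new rules moving.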
Thread overview:
2005-07-06 11:19 cant ping fw Brent Clark
2005-07-06 11:22 ` Scott
2005-07-06 11:37 ` Jörg Harmuth [this message]
2005-07-06 12:04 ` Brent Clark
2005-07-06 12:29 ` Jörg Harmuth
2005-07-06 12:43 ` Brent Clark