* cant ping fw
From: Brent Clark @ 2005-07-06 11:19 UTC (permalink / raw)
To: iptables
Hi list
I'm so close to pulling my hair out on this.
I have a webserver with the following ruleset (default policy of drop):
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
$IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -N SSH_Brute_Force
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
$IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
$IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
$IPT -A SSH_Brute_Force -p tcp -j DROP
$IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
$IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
$IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
$IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -j DROP
and for the life of me I can't work out why I can't ping the machine;
even localhost does not return anything.
Kind Regards
Brent Clark
* Re: cant ping fw
From: Scott @ 2005-07-06 11:22 UTC (permalink / raw)
To: iptables
Brent,
Have you tried specifying an interface or address
range explicitly?
such as....
$IPT -t filter -A INPUT -i lo -p icmp --icmp-type echo-request -j ACCEPT
or....
$IPT -t filter -A INPUT -d 127.0.0.0/255.0.0.0 -p icmp --icmp-type echo-request -j ACCEPT
perhaps even combining those.. good luck!
-Scott
--- Brent Clark <bclark@eccotours.dyndns.org> wrote:
> Hi list
>
> I'm so close to pulling my hair out on this
>
> I have a webserver with the following ruleset (default policy of drop)
>
[snip]
> $IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the life of me I can't work out why I can't ping the machine;
> even localhost does not return anything.
* Re: cant ping fw
From: Jörg Harmuth @ 2005-07-06 11:37 UTC (permalink / raw)
To: netfilter
Brent Clark wrote:
> Hi list
>
> I'm so close to pulling my hair out on this
>
> I have a webserver with the following ruleset (default policy of drop)
>
> $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -m state --state INVALID -j DROP
> $IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
> $IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
> #$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
> $IPT -N SSH_Brute_Force
> $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
> $IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
> $IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
> $IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
> $IPT -A SSH_Brute_Force -p tcp -j DROP
>
> $IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
> $IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
> $IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the life of me I can't work out why I can't ping the machine;
> even localhost does not return anything.
Is this really the complete rule set? No rules in OUTPUT and FORWARD,
but policy set to DROP? Anyway.
There is no rule for lo. Add
$IPT -<I | A> INPUT -i lo -j ACCEPT
$IPT -<I | A> OUTPUT -o lo -j ACCEPT
and for echo reply add
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
This should work.
Have a nice time,
Joerg
* Re: cant ping fw
From: Brent Clark @ 2005-07-06 12:04 UTC (permalink / raw)
To: Jörg_Harmuth; +Cc: iptables
Jörg Harmuth wrote:
> Is this really the complete rule set? No rules in OUTPUT and FORWARD,
> but policy set to DROP? Anyway.
> There is no rule for lo. Add
> $IPT -<I | A> INPUT -i lo -j ACCEPT
> $IPT -<I | A> OUTPUT -o lo -j ACCEPT
> and for echo reply add
> $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
> This should work.
> Have a nice time,
> Joerg
Hi Joerg
here is my OUTPUT
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
$IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -j DROP
and for my lo
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
* Re: cant ping fw
From: Jörg Harmuth @ 2005-07-06 12:29 UTC (permalink / raw)
To: netfilter
Hi Brent,
Brent Clark wrote:
> here is my OUTPUT
>
> $IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " --log-tcp-options --log-ip-options
> $IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
> $IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
> $IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: " --log-tcp-options --log-ip-options
> $IPT -t filter -A OUTPUT -j DROP
>
> and for my lo
>
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
Looking closer at your rules, I see these possibilities:
1.) For some reason echo-requests are considered INVALID. This should
show up in your logs.
2.) You ping 217.199.186.255 :)
3.) Your client doesn't find the fw.
4.) /proc/sys/net/ipv4/icmp_echo_ignore_all is set to 1
Echo-replies are in state ESTABLISHED, so there is no problem with your
OUTPUT chain. I don't know the real reason, but I have a feeling that
4.) is the best bet.
HTH and have a nice time,
Joerg
* Re: cant ping fw
From: Brent Clark @ 2005-07-06 12:43 UTC (permalink / raw)
To: Jörg_Harmuth; +Cc: netfilter
Jörg Harmuth wrote:
> Hi Brent,
> 4.) /proc/sys/net/ipv4/icmp_echo_ignore_all is set to 1
AAHH you the man
[root@ns root]# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
1
[root@ns root]#
oops
thanks for this
Brent
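A small diagnostic script for the three things Joerg listed above and Brent's confirmation of the sysctl: it checks the loopback rules, that echo-request is accepted before the INPUT catch-all DROP, and icmp_echo_ignore_all. This is an added example, not code from the thread; the iptables-save dump it checks is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Inputs are a file path and an
# iptables-save dump on stdin so the checks run offline.

# True when the kernel ignores every echo-request. This is decided after
# netfilter has ACCEPTed the packet, so INPUT log rules never fire.
# $1 is the sysctl file, /proc/sys/net/ipv4/icmp_echo_ignore_all on a host.
icmp_echo_ignored() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "1" ]
}

# True when the dump on stdin accepts loopback traffic in INPUT and OUTPUT.
lo_rules_present() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q -- '-A INPUT -i lo -j ACCEPT' &&
        printf '%s\n' "$dump" | grep -q -- '-A OUTPUT -o lo -j ACCEPT'
}

# True when INPUT accepts echo-request (iptables-save writes type 8) on a
# line before the chain's catch-all DROP.
echo_request_accepted() {
    dump=$(cat)
    accept=$(printf '%s\n' "$dump" |
        grep -nE -- '^-A INPUT -p icmp .*--icmp-type (8|echo-request) -j ACCEPT' |
        cut -d: -f1 | head -n 1)
    drop=$(printf '%s\n' "$dump" | grep -n -- '^-A INPUT -j DROP' |
        cut -d: -f1 | head -n 1)
    [ -n "$accept" ] && { [ -z "$drop" ] || [ "$accept" -lt "$drop" ]; }
}

# Constructed dump resembling the thread's corrected ruleset.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "[INPUT DROP]: "
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# On a live host replace SAMPLE_DUMP with the output of iptables-save.
printf '%s\n' "$SAMPLE_DUMP" | lo_rules_present && echo "lo rules: ok"
printf '%s\n' "$SAMPLE_DUMP" | echo_request_accepted && echo "echo-request: ok"
if icmp_echo_ignored /proc/sys/net/ipv4/icmp_echo_ignore_all; then
    echo "kernel ignores echo-request: check icmp_echo_ignore_all"; fi
```

When the sysctl is 1 the INPUT counters for the echo-request rule still increase while no reply goes out, which is why nothing showed up in the "[INPUT DROP]" log.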