* cant ping fw
@ 2005-07-06 11:19 Brent Clark
2005-07-06 11:22 ` Scott
2005-07-06 11:37 ` Jörg Harmuth
0 siblings, 2 replies; 6+ messages in thread
From: Brent Clark @ 2005-07-06 11:19 UTC (permalink / raw)
To: iptables
Hi list
I soo close to pulling my hair out on this
I have a webserver with the following ruleset (default policy of drop)
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix
"INVALID input: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
$IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -N SSH_Brute_Force
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name
SSH --set --rsource -j SSH_Brute_Force
$IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
$IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3
--name SSH --rsource -j ACCEPT
$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
$IPT -A SSH_Brute_Force -p tcp -j DROP
$IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with
icmp-host-unreachable
$IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
$IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j
ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
$IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: "
--log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -j DROP
and for the likes on my I cant work out why I cant ping the machine
even localhost, does not return anything
Kind Regards
Brent Clark
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: cant ping fw
2005-07-06 11:19 cant ping fw Brent Clark
@ 2005-07-06 11:22 ` Scott
2005-07-06 11:37 ` Jörg Harmuth
1 sibling, 0 replies; 6+ messages in thread
From: Scott @ 2005-07-06 11:22 UTC (permalink / raw)
To: iptables
Brent,
Have you tried specifying an interface or address
range explicitly?
such as....
$IPT -t filter -A INPUT -i lo -p icmp --icmp-type
echo-request -j ACCEPT
or....
$IPT -t filter -A INPUT -d 127.0.0.0/255.0.0.0 -p icmp
--icmp-type echo-request -j ACCEPT
perhaps even combining those.. good luck!
-Scott
--- Brent Clark <bclark@eccotours.dyndns.org> wrote:
> Hi list
>
> I soo close to pulling my hair out on this
>
> I have a webserver with the following ruleset
> (default policy of drop)
>
[snip]
> $IPT -t filter -A INPUT -p icmp --icmp-type
> source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type
> parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type
> destination-unreachable -j
> ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type
> time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type
> echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type !
> echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT
> DROP]: "
> --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the likes on my I cant work out why I cant
> ping the machine
> even localhost, does not return anything
__________________________________
Yahoo! Mail
Stay connected, organized, and protected. Take the tour:
http://tour.mail.yahoo.com/mailtour.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: cant ping fw
2005-07-06 11:19 cant ping fw Brent Clark
2005-07-06 11:22 ` Scott
@ 2005-07-06 11:37 ` Jörg Harmuth
2005-07-06 12:04 ` Brent Clark
1 sibling, 1 reply; 6+ messages in thread
From: Jörg Harmuth @ 2005-07-06 11:37 UTC (permalink / raw)
To: netfilter
Brent Clark schrieb:
> Hi list
>
> I soo close to pulling my hair out on this
>
> I have a webserver with the following ruleset (default policy of drop)
>
> $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix
> "INVALID input: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -m state --state INVALID -j DROP
> $IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
> $IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
> #$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
> $IPT -N SSH_Brute_Force
> $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name
> SSH --set --rsource -j SSH_Brute_Force
> $IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
> $IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3
> --name SSH --rsource -j ACCEPT
> $IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
> $IPT -A SSH_Brute_Force -p tcp -j DROP
>
> $IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with
> icmp-host-unreachable
> $IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
> $IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j
> ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: "
> --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the likes on my I cant work out why I cant ping the machine
> even localhost, does not return anything
Is this really the complete rule set ? No rules in OUTPUT and FORWARD,
but policy set to DROP ? Anyway.
There is no rule for lo. Add
$IPT -<I | A> INPUT -i lo -j ACCEPT
$IPT -<I | A> OUTPUT -o lo -j ACCEPT
and for echo reply add
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
This should work.
Have a nice time,
Joerg
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: cant ping fw
2005-07-06 11:37 ` Jörg Harmuth
@ 2005-07-06 12:04 ` Brent Clark
2005-07-06 12:29 ` Jörg Harmuth
0 siblings, 1 reply; 6+ messages in thread
From: Brent Clark @ 2005-07-06 12:04 UTC (permalink / raw)
To: Jörg_Harmuth; +Cc: iptables
Jörg_Harmuth wrote:
> Is this really the complete rule set ? No rules in OUTPUT and FORWARD,
> but policy set to DROP ? Anyway.
> There is no rule for lo. Add
> $IPT -<I | A> INPUT -i lo -j ACCEPT
> $IPT -<I | A> OUTPUT -o lo -j ACCEPT
> and for echo reply add
> $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
> This should work.
> Have a nice time,
> Joerg
Hi Joerg
here is my OUTPUT
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix
"INVALID output: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
$IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: "
--log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -j DROP
and for my lo
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: cant ping fw
2005-07-06 12:04 ` Brent Clark
@ 2005-07-06 12:29 ` Jörg Harmuth
2005-07-06 12:43 ` Brent Clark
0 siblings, 1 reply; 6+ messages in thread
From: Jörg Harmuth @ 2005-07-06 12:29 UTC (permalink / raw)
To: netfilter
Hi Brent,
Brent Clark schrieb:
> here is my OUTPUT
>
> $IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix
> "INVALID output: " --log-tcp-options --log-ip-options
> $IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
> $IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
> $IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: "
> --log-tcp-options --log-ip-options
> $IPT -t filter -A OUTPUT -j DROP
>
> and for my lo
>
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
Looking closer to your rules, I see these possibilities:
1.) For some reasons echo-request are considered INVALID. This should
show up in your logs.
2.) You ping 217.199.186.255 :)
3.) Your client doesn't find fw
4.) /proc/sys/net/ipv4/icmp_echo_ignore_all is set to 1
echo-replies are in state ESTABLISHED, so there is no problem with your
OUTPUT chain. I don't know the real reason, but I have a feeling, that
4.) is the best bet.
HTH and have nice time,
Joerg
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2005-07-06 12:43 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-07-06 11:19 cant ping fw Brent Clark
2005-07-06 11:22 ` Scott
2005-07-06 11:37 ` Jörg Harmuth
2005-07-06 12:04 ` Brent Clark
2005-07-06 12:29 ` Jörg Harmuth
2005-07-06 12:43 ` Brent Clark
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.