* Ping With Iptables.
From: Hélio Dubeux @ 2002-10-29 13:51 UTC (permalink / raw)
To: netfilter
Hi, everybody. This is my first message here and I hope you can help me.
I have a Linux box as a gateway of my network. I want to allow internal
machines to ping the Internet, but I also want to block external machines from
pinging my gateway. If this is possible, please send me something... Thanks.
----------------------
Hélio Dubeux Neto
* Re: Ping With Iptables.
From: Walther @ 2002-10-29 14:54 UTC (permalink / raw)
To: Hélio Dubeux; +Cc: netfilter
Set your default policy to DROP and allow forwarding of ICMP echo-request and
ICMP echo-reply for your local LAN:
<--snip-->
# default deny on every chain
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# LAN -> Internet: echo requests come in on $INT and go out through $EXT
iptables -A FORWARD -i $INT -o $EXT -p icmp --icmp-type echo-request -j ACCEPT
# Internet -> LAN: the echo replies come back in on $EXT and go out through $INT
iptables -A FORWARD -i $EXT -o $INT -p icmp --icmp-type echo-reply -j ACCEPT
<--snip-->
This should work.
Best Regards,
MfG.
Stefan Walther
stefan_walther@gehag-dsk.de
* Re: Ping With Iptables.
From: Maciej Soltysiak @ 2002-10-29 15:34 UTC (permalink / raw)
To: Hélio Dubeux; +Cc: netfilter
Hello,
> I have a Linux box as a gateway of my network. I want to allow internal
> machines to ping the Internet, but I also want to block external machines from
> pinging my gateway. If this is possible, please send me something... Thanks.
# let the internal net ping the world
iptables -A FORWARD -p icmp -s $YOUR_NET -j ACCEPT
# disallow the world to ping the gateway
iptables -I INPUT -p icmp -d $GATEWAY_IP -j DROP
Of course this is very rough; I do not know your rulesets, and it is possible
that it can be done better to suit your current chains and rules.
Note the -I INPUT: if we have other ICMP rules, they may ACCEPT the
pings earlier than if we had just appended the rule, hence we're
inserting.
* Re: Ping With Iptables.
From: Antony Stone @ 2002-10-29 16:29 UTC (permalink / raw)
To: netfilter
On Tuesday 29 October 2002 3:34 pm, Maciej Soltysiak wrote:
> Hello,
>
> > I have a Linux box as a gateway of my network. I want to allow
> > internal machines to ping the Internet, but I also want to block external
> > machines from pinging my gateway. If this is possible, please send me something...
> > Thanks.
>
> #let the internal net ping the world
> iptables -A FORWARD -p icmp -s $YOUR_NET -j ACCEPT
>
> #disallow the world to ping the gateway
> iptables -I INPUT -p icmp -d $GATEWAY_IP -j DROP
>
> Of course this is very rough; I do not know your rulesets, and it is possible
> that it can be done better to suit your current chains and rules.
I would instead recommend
iptables -P INPUT DROP
and then only add rules for the things you really do want to come into the
firewall (ESTABLISHED and RELATED is probably a good start).
"Allow what you know you want, and drop everything else" is a good policy.
Antony.
* Re: Ping With Iptables.
From: Maciej Soltysiak @ 2002-10-29 17:52 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
> I would instead recommend
> iptables -P INPUT DROP
>
> and then only add rules for the things you really do want to come into the
> firewall (ESTABLISHED and RELATED is probably a good start).
Well, of course. I wrote that keeping in mind that he could have other
rules like:
-s 0/0 -j ACCEPT
> "Allow what you know you want, and drop everything else" is a good policy.
It is the best in most cases.
> Antony.
Maciej
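Putting Maciej's FORWARD/INPUT rules and Antony's default-DROP-plus-ESTABLISHED,RELATED advice together, here is a complete ruleset as an added example (not code posted in this thread). It assumes constructed values: eth0 faces the Internet, eth1 faces the LAN, and the LAN is 192.168.1.0/24; IPT defaults to "echo iptables", so a plain run only prints the rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ruleset the replies converge
# on: default DROP on INPUT and FORWARD, ESTABLISHED/RELATED allowed in, the LAN may
# ping out, the Internet may not ping the gateway.
# Assumed (constructed) values: eth0 faces the Internet, eth1 faces the LAN, the LAN
# is 192.168.1.0/24. IPT defaults to "echo iptables" so a plain run only prints the
# rules; set IPT=iptables and run as root to apply them.
IPT=${IPT:-"echo iptables"}
EXT=${EXT:-eth0}
INT=${INT:-eth1}
LAN=${LAN:-192.168.1.0/24}

ping_policy() {
    # Default deny for traffic to and through the gateway. OUTPUT stays ACCEPT so
    # the gateway itself can still resolve names, fetch updates and send its own pings.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to anything the gateway itself started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internal machines may still ping the gateway.
    $IPT -A INPUT -i "$INT" -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

    # Inserted at position 1 (the -I from the thread) so that a permissive rule added
    # earlier cannot accept echo requests from the outside before this one sees them.
    $IPT -I INPUT 1 -i "$EXT" -p icmp --icmp-type echo-request -j DROP

    # LAN -> Internet echo requests; the replies come back through the state rule,
    # so no separate echo-reply rule is needed.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A FORWARD -i "$EXT" -o "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ping_policy
```

Because the echo-request DROP is inserted at the top of INPUT, the gateway's own outgoing pings are unaffected: their echo replies are not echo requests and are accepted by the ESTABLISHED,RELATED rule.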