Ping and traceroute denied?

Ping and traceroute denied?

[Nicole Haehnel]

Hi,

I added this rules (with fwbuilder):

$IPTABLES -A FORWARD -p icmp  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT -p icmp  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT -p icmp  -m state --state NEW  -j ACCEPT


Why was ping from an interface of my firewall-host denied?
Traceroute too.

What rule shall I add?

Thanks!

Nicole

Re: Ping and traceroute denied?

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 860 bytes --]

On Wed, 2004-02-18 at 11:15, Nicole Haehnel wrote:
> Hi,
> 
> I added this rules (with fwbuilder):
> 
> $IPTABLES -A FORWARD -p icmp  -m state --state NEW  -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp  -m state --state NEW  -j ACCEPT
> $IPTABLES -A INPUT -p icmp  -m state --state NEW  -j ACCEPT
> 
> 
> Why was ping from an interface of my firewall-host denied?
> Traceroute too.
> 
When the return packets come back, their state is not NEW, probably
RELATED.

> What rule shall I add?
> 
$IPTABLES -A INPUT -p icmp  -m state --state NEW,RELATED  -j ACCEPT

> Thanks!
> 
> Nicole
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Ping and traceroute denied?

[Nicole Haehnel]

Hi,

it works!
Now I have to teach this fwbuilder.

Thanks!

Nicole


Ray Leach schrieb:

>On Wed, 2004-02-18 at 11:15, Nicole Haehnel wrote:
>  
>
>>Hi,
>>
>>I added this rules (with fwbuilder):
>>
>>$IPTABLES -A FORWARD -p icmp  -m state --state NEW  -j ACCEPT
>>$IPTABLES -A OUTPUT -p icmp  -m state --state NEW  -j ACCEPT
>>$IPTABLES -A INPUT -p icmp  -m state --state NEW  -j ACCEPT
>>
>>
>>Why was ping from an interface of my firewall-host denied?
>>Traceroute too.
>>
>>    
>>
>When the return packets come back, their state is not NEW, probably
>RELATED.
>
>  
>
>>What rule shall I add?
>>
>>    
>>
>$IPTABLES -A INPUT -p icmp  -m state --state NEW,RELATED  -j ACCEPT
>
>  
>
>>Thanks!
>>
>>Nicole
>>    
>>

Re: Ping and traceroute denied?

[Alexis]

if you have policies for INPUT, OUTPUT and FORWARD to ACCEPT, those
rules are not needed.

Also, if the traffic is generated in the same firewall FORWARD chain
will not match. Its no needed


Before you add those rules, the pings and traces was working?



Hello Nicole,

Wednesday, February 18, 2004, 6:15:11 AM, you wrote:

NH> Hi,

NH> I added this rules (with fwbuilder):

NH> $IPTABLES -A FORWARD -p icmp  -m state --state NEW  -j ACCEPT
NH> $IPTABLES -A OUTPUT -p icmp  -m state --state NEW  -j ACCEPT
NH> $IPTABLES -A INPUT -p icmp  -m state --state NEW  -j ACCEPT


NH> Why was ping from an interface of my firewall-host denied?
NH> Traceroute too.

NH> What rule shall I add?

NH> Thanks!

NH> Nicole



-- 
Best regards,
 Alexis                            mailto:alexis@attla.net.ar