Iptables don't understand network address

Iptables don't understand network address

[Jean-Michel CARICAND]

I have a local network with 10.0.2.0 address and 255.255.254.0 netmask.

My firewall have IP 10.0.2.130 on eth0.
My station have IP 10.0.2.2.

I configure my firewall for drop the ping from the station with 1 rules :

# iptables -A INPUT -i eth0 -s 10.0.2.2 -p icmp -j DROP

When I ping the firewall from my station (ping 10.0.2.130) , I receive an response from the serveur

Why ?

What is the problem ? My netmask ?

If i modify my netmask to 255.0.0.0 on firewall and my station, the ping doesn't work. Normal !

Iptables don't understand network address not in class A, B or C

HELP ME !!!

Re: Iptables don't understand network address

[Patrick Schaaf]

On Tue, Jul 09, 2002 at 09:03:00AM +0200, Jean-Michel CARICAND wrote:
> I have a local network with 10.0.2.0 address and 255.255.254.0 netmask. 
>  
> My firewall have IP 10.0.2.130 on eth0. 
> My station have IP 10.0.2.2.
> 
> I configure my firewall for drop the ping from the station with 1 rules :
> 
> # iptables -A INPUT -i eth0 -s 10.0.2.2 -p icmp -j DROP 
> 
> When I ping the firewall from my station (ping 10.0.2.130) , I receive an response from the serveur 
> Why ?

Is this the one and only in your ruleset? I can't see a reason why it would
fail blocking the ping, unless there are other rules before that one,
or some kind of NAT going on.

Please confirm that it's the only rule, and no NAT or MASQUERADE is being done.

> What is the problem ? My netmask ?

I doubt that.

> If i modify my netmask to 255.0.0.0 on firewall and my station, the ping doesn't work. Normal !

Hmm.

Did you use "iptables -L -v" to see the packet/byte counters of the rules
increase as you do the ping tests? If not, please do so.

> Iptables don't understand network address not in class A, B or C 

That's definitely NOT the case. iptables does not know anything about
classful networking. It works with arbitrary netmasks. They can even
have "holes" in them, iptables doesn't care.

best regards
  Patrick

RE: Iptables don't understand network address

[George Vieira]

I have the exact same setup and the only difference is that I have /24
netmask and not /23.
Does your INPUT rules have any byte count???

As below, works for me..?? I'm using 1.2.5 iptables at the moment..

[root@firewall /root]# iptables -I INPUT 1 -i eth0 -s 10.10.0.69 -p icmp -j
DROP
[root@firewall /root]# iptables -L INPUT -v -n -x 
Chain INPUT (policy DROP 86 packets, 4835 bytes)
    pkts      bytes target     prot opt in     out     source
destination         
      15      840 DROP       icmp --  eth0   *       10.10.0.69
0.0.0.0/0   



c:\>ping 10.10.0.254

Pinging 10.10.0.254 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.10.0.254:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Jean-Michel CARICAND [mailto:CARICAND.Jean-Michel@wanadoo.fr]
Sent: Tuesday, 09 July 2002 5:03 PM
To: netfilter@lists.samba.org
Subject: Iptables don't understand network address 


I have a local network with 10.0.2.0 address and 255.255.254.0 netmask. 
 
My firewall have IP 10.0.2.130 on eth0. 
My station have IP 10.0.2.2.

I configure my firewall for drop the ping from the station with 1 rules :

# iptables -A INPUT -i eth0 -s 10.0.2.2 -p icmp -j DROP 

When I ping the firewall from my station (ping 10.0.2.130) , I receive an
response from the serveur 

Why ?
 
What is the problem ? My netmask ?
 
If i modify my netmask to 255.0.0.0 on firewall and my station, the ping
doesn't work. Normal !
 
Iptables don't understand network address not in class A, B or C 
 
HELP ME !!!