Re: Off Topic: iptables, ping, traceroute
On Mon, 16 Jul 2001, William Jensen wrote:
> I've setup a fairly restrictive set of rules for iptables and have been,
> up to this point, extremely satisfied with its performance. However,
> I've recently started having some significant issues with my cable modem
> provider and they routinely want to ping and traceroute to my machine.
> This requires me to take down my firewall and wait for them to finish,
> then put it back up. I'd like to make, as part of my rule set, ping and
> traceroute able to get through. So far I've done this for my input chain
> for ping
>
> -A INPUT -p icmp -j ACCEPT
>
Hi,
I have a pretty good firewall script, they use these rules for ping
request:
# icmp types
# 0 = echo reply needed by ping
# 3 = destination-unreachable needed by any TCP/UDP traffic
# 5 = redirect needed by routing if not running routing daemon
# 8 = echo-request needed by ping
# 11 = time-exceeded needed by traceroute
#
# This will also protect you against the ping-of-death
# (note: the protocol is given as "-p icmp"; "-p -icmp" is an error)
iptables -A INPUT -i $extif -p icmp --icmp-type 0 -s any/0 -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i $extif -p icmp --icmp-type 3 -s any/0 -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i $extif -p icmp --icmp-type 8 -s any/0 -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i $extif -p icmp --icmp-type 11 -s any/0 -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 3 -s $extip -d any/0 -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 8 -s $extip -d any/0 -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 0 -s $extip -d any/0 -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 11 -s $extip -d any/0 -m limit --limit 1/s -j ACCEPT
# Accept redirect icmp packets
iptables -A INPUT -i $extif -p icmp --icmp-type 5 -s any/0 -d $extip -m limit --limit 1/s -j ACCEPT
Hope this helps.
Greetz,
Sebastiaan
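An added example, not part of Sebastiaan's script or the original thread: a POSIX shell generator that prints the same rate-limited ICMP rule set from an interface and address (the interface name and 203.0.113.5 in the test are assumed placeholder values), so the rules can be reviewed before loading, plus a lint that rejects any line whose protocol argument is itself an option (the "-p -icmp" slip). The "-s any/0" / "-d any/0" arguments are left out because an unspecified address already matches everything.

```shell
#!/bin/sh
# Added example (not from the original post). Prints iptables commands
# instead of running them, so no root or iptables binary is needed.

# icmp_rule DIR IFACE ADDR TYPE -> one rate-limited ACCEPT rule
#   in:  inbound on IFACE to our address ADDR
#   out: outbound on IFACE from our address ADDR
icmp_rule() {
    dir=$1 iface=$2 addr=$3 type=$4
    case $dir in
        in)  printf 'iptables -A INPUT -i %s -p icmp --icmp-type %s -d %s -m limit --limit 1/s -j ACCEPT\n' \
                 "$iface" "$type" "$addr" ;;
        out) printf 'iptables -A OUTPUT -o %s -p icmp --icmp-type %s -s %s -m limit --limit 1/s -j ACCEPT\n' \
                 "$iface" "$type" "$addr" ;;
        *)   return 1 ;;
    esac
}

# icmp_ruleset IFACE ADDR -> the rules ping and traceroute need
# inbound:  0 echo-reply, 3 dest-unreachable, 5 redirect (only when no
#           routing daemon runs), 8 echo-request, 11 time-exceeded
# outbound: 0, 3, 8, 11 (we never send redirects ourselves)
icmp_ruleset() {
    iface=$1 addr=$2
    for t in 0 3 5 8 11; do icmp_rule in "$iface" "$addr" "$t"; done
    for t in 0 3 8 11;   do icmp_rule out "$iface" "$addr" "$t"; done
}

# count_rules IFACE ADDR -> number of rules the generator emits
count_rules() { icmp_ruleset "$1" "$2" | wc -l | tr -d ' '; }

# check_rule LINE -> 0 if LINE is a well-formed ICMP rule, 1 otherwise.
# Catches a protocol argument that starts with "-" (the next flag would
# be swallowed as the protocol name and iptables rejects the rule).
check_rule() {
    case $1 in
        *"-p -"*)                        return 1 ;;
        *" -p icmp"*" --icmp-type "*)    return 0 ;;
        *)                               return 1 ;;
    esac
}

# check_ruleset: read rules on stdin, fail on the first malformed one
check_ruleset() {
    while IFS= read -r line; do
        check_rule "$line" || { echo "bad rule: $line" >&2; return 1; }
    done
}
```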