Re: Curious about iptables and ping behavior
On Thu, 11 Apr 2002, Stefan Srdic wrote:
> On Fri, 12 Apr 2002 22:32:59 -0400 (EDT)
> Nick Busigin <nick@xwing.org> wrote:
>
> > I'm a little puzzled by the following behavior...
> >
> > iptables -I INPUT x -s 216.151.93.0/24 -j DROP
> > iptables -I INPUT x -d 216.151.93.0/24 -j DROP
> >
> > As I understand it, those rules should block anything coming or going
> > to/from the specified IP address range.
>
> You need to apply those rules on all chains, INPUT, OUTPUT, and
> FORWARD in order to block all incoming and outgoing traffic on your
> host.
I neglected to show that I also had them applied to the FORWARD chain.
But, I realize now that I neglected to apply them to the OUTPUT chain -
which of course would result in the pings being allowed to go out and
then the ping replies would be filtered when they come back.
> > While ping (at the command line) appeared to not return anything, my DSL
> > modem lights and tcpdump showed a different story. This looks pretty
> > strange to me.
> >
> > Anyone willing to shed some light on this behavior?
> >
> > Nick
>
> A DSL modem is both a modem and a router (some even have bridging
> functionality). Your ICMP echo request flows through the multihomed
> host and then back again before being dropped by IPTables. tcpdump is
> simply seeing what's on the line between you and your router :)
I understand now. Thanks!
Nick
--------------------------------------------------------------------------
Nick Busigin ...Sent from my Debian/GNU Linux Machine... nick@xwing.org
To obtain my pgp public key, email me with the subject: "get pgp-key"
--------------------------------------------------------------------------
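The point of the exchange above is that a DROP on INPUT (and FORWARD) only catches the echo replies; the requests still leave the host, hit the modem and show up in tcpdump, so the OUTPUT chain needs a rule as well. The following is an added example, not code posted in the thread. It generates the minimal rule set for a host that also forwards for a LAN (one rule per direction per chain, inserted at position 1 so they precede any ACCEPT rules) and can apply it and print the OUTPUT counters so you can see which chain actually catches the ping. The rule position, the `--show`/`--apply` switches and the helper names are this example's own choices; the network 216.151.93.0/24 is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): rules that block a network
# in every path a packet can take through a Linux router, plus a check.
# Generation needs no privileges; applying needs root and iptables on PATH.

# Print the iptables commands needed to drop all traffic to/from NET.
block_net_rules() {
    net="$1"
    # INPUT: packets addressed to this host itself; only the source matters.
    echo "iptables -I INPUT 1 -s $net -j DROP"
    # OUTPUT: packets this host generates (the ping in the thread). Without
    # this rule the echo request leaves and only the reply is dropped.
    echo "iptables -I OUTPUT 1 -d $net -j DROP"
    # FORWARD: packets routed through this host for machines behind it.
    echo "iptables -I FORWARD 1 -s $net -j DROP"
    echo "iptables -I FORWARD 1 -d $net -j DROP"
}

# Number of distinct chains the generated rule set covers (sanity check:
# anything less than 3 means a direction is still open).
chains_covered() {
    block_net_rules "$1" | awk '{print $3}' | sort -u | wc -l | tr -d ' '
}

# Apply the rules (root required) and show the OUTPUT chain with counters.
# After "ping 216.151.93.1" the pkts column of the DROP rule should grow and
# "tcpdump -ni eth0 net 216.151.93.0/24" should stay silent: the request is
# now dropped before it reaches the modem instead of on the way back.
apply_block() {
    block_net_rules "$1" | sh -e
    iptables -L OUTPUT -v -n --line-numbers | head -n 5
}

case "${1:-}" in
    --show)  block_net_rules "${2:-216.151.93.0/24}" ;;
    --apply) apply_block "${2:-216.151.93.0/24}" ;;
esac
```

Run `sh block.sh --show` to inspect the rules before applying them; note that `-I ... 1` puts them ahead of any ACCEPT rule, which is what the `x` position in the original command had to achieve to work at all.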