
Re: Curious about iptables and ping behavior



On Thu, 11 Apr 2002, Stefan Srdic wrote:

> On Fri, 12 Apr 2002 22:32:59 -0400 (EDT)
> Nick Busigin <nick@xwing.org> wrote:
> 
> > I'm a little puzzled by the following behavior...
> > 
> > iptables -I INPUT x -s 216.151.93.0/24 -j DROP
> > iptables -I INPUT x -d 216.151.93.0/24 -j DROP
> > 
> > As I understand it, those rules should block anything coming or going
> > to/from the specified IP address range. 
>  
> You need to apply those rules on all chains, INPUT, OUTPUT, and
> FORWARD in order to block all incoming and outgoing traffic on your
> host. 

I neglected to show that I also had them applied to the FORWARD chain. 
But, I realize now that I neglected to apply them to the OUTPUT chain -
which of course would result in the pings being allowed to go out and
then the ping replies would be filtered when they come back. 

> > While ping (at the command line) appeared to not return anything, my DSL
> > modem lights and tcpdump showed a different story.  This looks pretty
> > strange to me. 
> > 
> > Anyone willing to shed some light on this behavior?
> > 
> >                                      Nick
> 
> A DSL modem is both a modem and a router (some even have bridging
> functionality). Your ICMP echo request flows through the multihomed
> host and then back again before being dropped by IPTables. tcpdump is
> simply seeing what's on the line between you and your router :) 

I understand now.  Thanks!

                                       Nick

--------------------------------------------------------------------------
Nick Busigin  ...Sent from my Debian/GNU Linux Machine...   nick@xwing.org

To obtain my pgp public key, email me with the subject: "get pgp-key"
--------------------------------------------------------------------------
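The following is an added illustration, not code from this thread or from iptables itself. It is a toy model of how netfilter picks a built-in chain for a packet: locally generated packets traverse OUTPUT, packets addressed to the host traverse INPUT, and routed packets traverse FORWARD. Run against the two DROP rules from the original question, it shows why the echo request still leaves the host (and shows up in tcpdump and on the modem lights) while only the echo reply is dropped, and what changes once the same rules are also on OUTPUT. The host address 10.0.0.2 and the remote address 216.151.93.10 are constructed sample values; the blocked range is the one from the thread.

```python
"""Toy model of netfilter built-in chain traversal (constructed example).

Which chain a packet hits depends on its relation to the host:
  - generated by the host      -> OUTPUT
  - addressed to the host      -> INPUT
  - routed through the host    -> FORWARD
First matching rule in a chain wins; otherwise the chain policy applies.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict
import ipaddress


@dataclass(frozen=True)
class Rule:
    chain: str                 # "INPUT", "OUTPUT" or "FORWARD"
    src: Optional[str] = None  # CIDR given with -s, or None
    dst: Optional[str] = None  # CIDR given with -d, or None
    target: str = "DROP"


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    """True when the packet satisfies every address selector on the rule."""
    if rule.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def chain_verdict(rules: List[Rule], chain: str, src: str, dst: str, policy: str = "ACCEPT") -> str:
    """Walk one chain in order; the first match decides, else the policy does."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, src, dst):
            return rule.target
    return policy


def hook_chain(host_ips, src: str, dst: str) -> str:
    """Choose the built-in chain this packet traverses on the host."""
    if src in host_ips:
        return "OUTPUT"
    if dst in host_ips:
        return "INPUT"
    return "FORWARD"


def verdict(rules: List[Rule], host_ips, src: str, dst: str) -> Tuple[str, str]:
    chain = hook_chain(host_ips, src, dst)
    return chain, chain_verdict(rules, chain, src, dst)


def block_rules(cidr: str, chains=("INPUT", "OUTPUT", "FORWARD")) -> List[Rule]:
    """DROP the range as source and as destination on each chain listed."""
    return [Rule(c, src=cidr) for c in chains] + [Rule(c, dst=cidr) for c in chains]


def iptables_commands(rules: List[Rule]) -> List[str]:
    """Render the model rules as the iptables invocations that would install them."""
    cmds = []
    for r in rules:
        selector = f"-s {r.src}" if r.src else f"-d {r.dst}"
        cmds.append(f"iptables -I {r.chain} {selector} -j {r.target}")
    return cmds


# Constructed sample values: our own address and one host inside the blocked range.
HOST = frozenset({"10.0.0.2"})
BLOCKED = "216.151.93.0/24"
REMOTE = "216.151.93.10"


def ping_trace(rules: List[Rule], host_ips=HOST, remote: str = REMOTE) -> Dict[str, Tuple[str, str]]:
    """Verdicts for the echo request leaving the host and the echo reply returning."""
    me = next(iter(host_ips))
    return {
        "request": verdict(rules, host_ips, me, remote),  # locally generated -> OUTPUT
        "reply": verdict(rules, host_ips, remote, me),    # addressed to us  -> INPUT
    }


if __name__ == "__main__":
    partial = block_rules(BLOCKED, chains=("INPUT", "FORWARD"))
    print("INPUT+FORWARD only:", ping_trace(partial))
    full = block_rules(BLOCKED)
    print("all three chains:  ", ping_trace(full))
    print("\n".join(iptables_commands(full)))
```

With rules on INPUT and FORWARD only, the model returns `("OUTPUT", "ACCEPT")` for the request and `("INPUT", "DROP")` for the reply, which is exactly the symptom in the thread: the request reaches the wire, so tcpdump and the modem see it, and only the reply is silently dropped. Adding the OUTPUT rules turns the request verdict into `("OUTPUT", "DROP")`. The real kernel also evaluates the packet against the chain's policy and any earlier rules in the chain, so rule order (the `-I` position) matters in practice just as it does in this model.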

