[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: droping internal network icmp usign forward


luis a écrit :
hi there ani advise to drop icmp usign forward?

example iptables -A FORWARD -s -d $mylan( -p icmp -j DROP

is that ok?

Well, it drops ICMP packets which hit the rule and match the source and destination address conditions. However it won't drop packets which don't hit the rule for any reason or don't match the address conditions.

well is not working here i tho

Aren't there any rules placed before that my accept the packets ?
Don't forget that the classic "-m state RELATED,ESTABLISHED" condition which is often placed at the beginning of a chain matches any valid ICMP error packet (destination unreachable, time exceeded...).

also i would like to drop the port to avoid nmap scan from outside to my network

Huh ? What do you mean exactly by "drop the port" ?

Reply to: