Hi,

> ftp for the domain it'll host. It's not clear to me what ICMP packets I
> (1) must allow, (2) which are optional but recommended, and (3) which I
> should not allow.

Generally you should let the STATE module handle ICMP related to existing
connections, and if you really want, you can add just one rule to allow
echo requests (ping).

For ICMP I do only:

iptables -P INPUT DROP
...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...
# create the chain before any rule jumps to it
iptables -N icmpc
iptables -A INPUT -p icmp -j icmpc
...
iptables -A icmpc -p icmp --icmp-type 8 -m length --length 100:110 -m limit --limit 2/s -j ACCEPT

This way, I only allow ICMP that is required for current connections,
and let in only pings with the default burst, a limit of 2/s and a
ping length of 100 to 110 bytes. If I want to ping the machine, I know I have
to force a bigger ping packet. That prevents scanners using short pings
(like nmap), or other pingers, from abusing this ICMP.

> I'd be most appreciative if someone could educate me (or tell me which
> fine manual to read), regarding ICMP. Thanks in advance.

Hmm, try: http://www.cotse.com/icmptypes.html and read up on them.
Also I recommend looking at Ofir Arkin's work at www.sys-security.com
regarding ICMP, ICMP usage in scanning, ICMP tools, and so on.

Regards,
Maciej Soltysiak
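
Added example, not part of the original message: a simplified Python model of the icmpc chain above, showing which ping payload sizes fall inside --length 100:110 and how the 2/s limit with the default burst of 5 treats a run of echo requests. It assumes IPv4 headers without options and models the limit match as a plain token bucket; all function and class names are made up for the illustration.

```python
# Added example: simplified model of the icmpc chain from the message above.
# Constructed values; the limit match is modelled as a plain token bucket.
IP_HDR, ICMP_HDR = 20, 8           # IPv4 header without options, ICMP echo header
LEN_MIN, LEN_MAX = 100, 110        # --length 100:110 (IP total length, bytes)
RATE, BURST = 2.0, 5               # --limit 2/s, default --limit-burst 5


def ping_total_length(payload):
    """IP total length of an echo request sent with `ping -s payload`."""
    return IP_HDR + ICMP_HDR + payload


def payload_range():
    """Range of `ping -s` values whose packets fall inside --length 100:110."""
    overhead = IP_HDR + ICMP_HDR
    return LEN_MIN - overhead, LEN_MAX - overhead


class IcmpcChain:
    """Verdicts for new ICMP packets that reach the icmpc chain."""

    def __init__(self):
        self.tokens = float(BURST)
        self.last = 0.0

    def verdict(self, now, icmp_type, total_len):
        # Rule order matters: the limit bucket is only charged by packets
        # that already matched the type and length tests.
        if icmp_type != 8 or not LEN_MIN <= total_len <= LEN_MAX:
            return "DROP"          # falls back to INPUT, policy DROP
        self.tokens = min(BURST, self.tokens + (now - self.last) * RATE)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "ACCEPT"
        return "DROP"


def replay(packets):
    """packets: iterable of (time_s, icmp_type, ip_total_length)."""
    chain = IcmpcChain()
    return [chain.verdict(*p) for p in packets]
```

A default Linux ping (56 bytes of payload) produces an 84-byte packet and is dropped by this chain, which is why the admin's own pings need an explicit size in the range payload_range() returns.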
