I am taking a baptism by fire learning iptables. I have read and
followed the Linux Firewalls book, 2nd Edition, as best as I could. To
start with, I cannot ping from the firewall either to the internet or to
other hosts. Can someone help me on the side, off list, to resolve this?

Stephen

The ICMP rules are:

#!/bin/sh
# ICMP section of the rc.firewall script, following Linux Firewalls, 2nd ed.
# The full script is expected to have set IPTABLES, CONNECTION_TRACKING and
# MY_ISP before this point. The defaults and the chain creation below are an
# assumption added so this excerpt can be loaded on its own; drop them if the
# rest of the script already does this.
: "${IPTABLES:=/sbin/iptables}"
: "${CONNECTION_TRACKING:=1}"

# User chains that hold the ICMP policy. -N fails harmlessly if the chain
# already exists; -F empties it so the rules below are not appended twice.
$IPTABLES -N EXT-icmp-in  2>/dev/null
$IPTABLES -F EXT-icmp-in
$IPTABLES -N EXT-icmp-out 2>/dev/null
$IPTABLES -F EXT-icmp-out

# Send all ICMP on INPUT/OUTPUT through those chains. Whatever they do not
# ACCEPT falls back to the built-in chain's policy.
$IPTABLES -A INPUT  -p icmp -j EXT-icmp-in
$IPTABLES -A OUTPUT -p icmp -j EXT-icmp-out

# Log and drop non-initial ICMP fragments. --fragment matches only the
# second and later fragments of a datagram; the first fragment carries the
# ICMP header and is handled by the --icmp-type rules below.
$IPTABLES -A EXT-icmp-in --fragment -j LOG \
        --log-prefix "Fragmented incoming ICMP: "
$IPTABLES -A EXT-icmp-in --fragment -j DROP

$IPTABLES -A EXT-icmp-out --fragment -j LOG \
        --log-prefix "Fragmented outgoing ICMP: "
$IPTABLES -A EXT-icmp-out --fragment -j DROP

# Outgoing ping: echo-request (type 8) out, echo-reply (type 0) back in.
# With connection tracking on, the stateful rule is the one that matches;
# the stateless rule after it covers the no-tracking case.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPTABLES -A EXT-icmp-out -p icmp \
    --icmp-type echo-request \
    -m state --state NEW \
    -j ACCEPT
fi

$IPTABLES -A EXT-icmp-out -p icmp \
  --icmp-type echo-request -j ACCEPT

$IPTABLES -A EXT-icmp-in -p icmp \
  --icmp-type echo-reply -j ACCEPT

# Incoming ping: disabled. Uncomment to let hosts at $MY_ISP ping the
# firewall. (The outgoing echo-reply goes *to* the ISP, hence -d, not -s.)
#if [ "$CONNECTION_TRACKING" = "1" ]; then
#  $IPTABLES -A EXT-icmp-in -p icmp \
#    -s $MY_ISP \
#    --icmp-type echo-request \
#    -m state --state NEW \
#    -j ACCEPT
#fi
#
#$IPTABLES -A EXT-icmp-in -p icmp \
#  --icmp-type echo-request \
#  -s $MY_ISP -j ACCEPT
#
#$IPTABLES -A EXT-icmp-out -p icmp \
#  --icmp-type echo-reply \
#  -d $MY_ISP -j ACCEPT

# Destination Unreachable - Type 3
#   Dest_Unreachable, Service_Unavailable
#   incoming & outgoing size negotiation, service or
#   destination unavailability, final traceroute response
# Outbound, only fragmentation-needed (type 3, code 4) is sent, which is
# all path MTU discovery needs; inbound, every type 3 code is accepted.
$IPTABLES -A EXT-icmp-out -p icmp \
  --icmp-type fragmentation-needed -j ACCEPT

$IPTABLES -A EXT-icmp-in -p icmp \
  --icmp-type destination-unreachable -j ACCEPT

# Parameter Problem - Type 12
#   bad IP header reported in either direction
$IPTABLES -A EXT-icmp-out -p icmp \
  --icmp-type parameter-problem -j ACCEPT

$IPTABLES -A EXT-icmp-in -p icmp \
  --icmp-type parameter-problem -j ACCEPT

# (11) Time_Exceeded
#      incoming & outgoing time out conditions,
#      also intermediate TTL response to traceroutes
$IPTABLES -A EXT-icmp-in -p icmp \
  --icmp-type time-exceeded -j ACCEPT

$IPTABLES -A EXT-icmp-out -p icmp \
  --icmp-type time-exceeded -j ACCEPT

# (4)  Source_Quench
#      incoming & outgoing requests to slow down (flow control).
#      Deprecated by RFC 6633; kept here as in the book.
$IPTABLES -A EXT-icmp-out -p icmp \
   --icmp-type source-quench -j ACCEPT

$IPTABLES -A EXT-icmp-in -p icmp \
   --icmp-type source-quench -j ACCEPT
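
The excerpt above does not show where the EXT-icmp chains are created or what
the INPUT/OUTPUT policies are, so the first thing to look at is what the
kernel actually loaded (`iptables-save`), not the script. The following is an
added example, not part of Stephen's post or of the book: a small POSIX sh
check that, given `iptables-save` output, verifies the two legs a ping *from*
the firewall needs (echo-request, type 8, leaving via OUTPUT; echo-reply,
type 0, arriving via INPUT) by following `-p icmp` jumps into user chains.
Both rule dumps in it are constructed; the "broken" one assumes the INPUT
jump never loaded, which is one way the symptom arises, not a diagnosis of
the actual script.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): check an iptables-save dump
# for the two ICMP legs an outgoing ping needs.
# Against the live ruleset:  ping_path_ok "$(iptables-save)"

# chain_policy RULES CHAIN: print the policy of CHAIN (":INPUT DROP [0:0]" -> DROP;
# user chains print "-").
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# icmp_path_ok RULES CHAIN TYPE: return 0 if built-in CHAIN ACCEPTs ICMP type
# TYPE, either directly or inside a user chain it reaches with "-p icmp -j X";
# 1 otherwise. One level of jumps is followed, matching the EXT-icmp-* layout.
icmp_path_ok() {
    ipo_rules=$1; ipo_chain=$2; ipo_type=$3
    if printf '%s\n' "$ipo_rules" |
       grep -Eq -- "^-A $ipo_chain .*--icmp-type $ipo_type .*-j ACCEPT"; then
        return 0
    fi
    for target in $(printf '%s\n' "$ipo_rules" |
                    awk -v c="$ipo_chain" \
                        '$1 == "-A" && $2 == c && /-p icmp/ && $(NF-1) == "-j" { print $NF }'); do
        case "$target" in ACCEPT|DROP|REJECT|LOG|RETURN) continue ;; esac
        if printf '%s\n' "$ipo_rules" |
           grep -Eq -- "^-A $target .*--icmp-type $ipo_type .*-j ACCEPT"; then
            return 0
        fi
    done
    return 1
}

# ping_path_ok RULES: report both legs of an outgoing ping; 0 only if both open.
ping_path_ok() {
    pp_rules=$1; pp_status=0
    for leg in "OUTPUT 8 echo-request" "INPUT 0 echo-reply"; do
        set -- $leg
        if icmp_path_ok "$pp_rules" "$1" "$2"; then
            echo "ok:   $3 (type $2) accepted via $1"
        else
            echo "FAIL: $3 (type $2) not accepted via $1 (policy $(chain_policy "$pp_rules" "$1"))"
            pp_status=1
        fi
    done
    return $pp_status
}

# Constructed dump (abridged) of what the posted script should load.
WORKING_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:EXT-icmp-in - [0:0]
:EXT-icmp-out - [0:0]
-A INPUT -p icmp -j EXT-icmp-in
-A OUTPUT -p icmp -j EXT-icmp-out
-A EXT-icmp-in -f -j LOG --log-prefix "Fragmented incoming ICMP: "
-A EXT-icmp-in -f -j DROP
-A EXT-icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A EXT-icmp-out -f -j LOG --log-prefix "Fragmented outgoing ICMP: "
-A EXT-icmp-out -f -j DROP
-A EXT-icmp-out -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT'

# Constructed failure case: the INPUT -> EXT-icmp-in jump never loaded, so
# echo-requests still leave but every echo-reply hits INPUT's DROP policy.
# ping then shows 100% packet loss with nothing obviously wrong in the script.
BROKEN_RULES=$(printf '%s\n' "$WORKING_RULES" | grep -v '^-A INPUT ')

echo "--- working ruleset ---";               ping_path_ok "$WORKING_RULES"
echo "--- ruleset missing the INPUT jump ---"; ping_path_ok "$BROKEN_RULES" || :
```

The type match deliberately requires a space after the number, so
`--icmp-type 3/4` (fragmentation-needed only) does not count as accepting all
of type 3, and `--icmp-type 11` is not mistaken for type 1. Running the check
with `INPUT 0` against the live dump separates "replies are dropped" from
"requests never leave", which is the distinction `ping` alone cannot make.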