Stephen:
I too used the book you mentioned. I found some of the information in the
book incorrect. Please see the website mentioned by the author for errata.
As to your specific rules, I have enclosed the rules I am using for the same
purpose, which work fine.
IPTABLES=/sbin/iptables        # not in the original post; assumed path of the binary
EXTERNAL=eth0
EXTERNAL_NET=10.10.10.0/24
EXTERNAL_IP=10.10.10.23
INTERNAL=eth1
INTERNAL_NET=192.168.0.0/24
INTERNAL_IP=192.168.0.254
# ALLOW_PING_OUT (0/1) and ALLOW_PING_IN (0/1/2) must be set before this point
##################################################################
# log and drop ICMP fragments: -f matches the second and later fragments,
# which carry no ICMP header to filter on and tend to be DoS attacks.
# (With connection tracking loaded the kernel reassembles fragments before
# the filter table sees them, so these rules then never match.)
$IPTABLES -A INPUT --fragment -p icmp \
-j LOG --log-prefix "Fragmented incoming ICMP: "
$IPTABLES -A INPUT --fragment -p icmp \
-j DROP
$IPTABLES -A OUTPUT --fragment -p icmp \
-j LOG --log-prefix "Fragmented out ICMP: "
$IPTABLES -A OUTPUT --fragment -p icmp \
-j DROP
$IPTABLES -A FORWARD --fragment -p icmp \
-j LOG --log-prefix "Fragmented fwd ICMP: "
$IPTABLES -A FORWARD --fragment -p icmp \
-j DROP
##################################################################
# accept destination unreachable messages
$IPTABLES -A INPUT -p icmp \
--icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL -p icmp \
--icmp-type destination-unreachable \
-d $INTERNAL_NET -j ACCEPT
$IPTABLES -A OUTPUT -p icmp \
--icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A FORWARD -p icmp \
--icmp-type fragmentation-needed -j ACCEPT
##################################################################
# don't log dropped outgoing icmp messages
$IPTABLES -A OUTPUT -p icmp \
--icmp-type destination-unreachable -j DROP
$IPTABLES -A FORWARD -o $EXTERNAL -p icmp \
--icmp-type destination-unreachable \
-j DROP
##################################################################
# accept time-exceeded messages (traceroute)
$IPTABLES -A INPUT -p icmp \
--icmp-type time-exceeded -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL -p icmp \
--icmp-type time-exceeded -d $INTERNAL_NET -j ACCEPT
if [ "$ALLOW_PING_OUT" = "1" ] ; then
# outgoing ping to remote hosts
$IPTABLES -A OUTPUT -o $EXTERNAL -p icmp \
--icmp-type echo-request \
-d any/0 \
-m limit --limit 5/minute \
-m state --state NEW -j LOG \
--log-prefix "Outgoing Ping Seen: "
$IPTABLES -A OUTPUT -o $EXTERNAL -p icmp \
--icmp-type echo-request \
-d any/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL -i $INTERNAL -p icmp \
-s $INTERNAL_NET --icmp-type echo-request \
-d any/0 -m state --state NEW -j ACCEPT
fi
if [ "$ALLOW_PING_IN" = "1" ] ; then
$IPTABLES -A INPUT -i $EXTERNAL -p icmp \
-s $EXTERNAL_NET --icmp-type echo-request \
-d $EXTERNAL_IP \
-m limit --limit 5/minute \
-m state --state NEW -j LOG \
--log-prefix "Incoming Ping Seen: "
$IPTABLES -A INPUT -i $EXTERNAL -p icmp \
-s $EXTERNAL_NET --icmp-type echo-request \
-d $EXTERNAL_IP \
-m limit --limit 5/minute \
-m state --state NEW -j ACCEPT
elif [ "$ALLOW_PING_IN" = "2" ] ; then
$IPTABLES -A INPUT -i $EXTERNAL -p icmp \
-s any/0 --icmp-type echo-request \
-d $EXTERNAL_IP \
-m limit --limit 5/minute \
-m state --state NEW -j LOG \
--log-prefix "Incoming Ping Seen: "
$IPTABLES -A INPUT -i $EXTERNAL -p icmp \
-s any/0 --icmp-type echo-request \
-d $EXTERNAL_IP \
-m limit --limit 5/minute \
-m state --state NEW -j ACCEPT
fi
On Friday 17 May 2002 08:00 pm, Stephen Torri pronounced:
> I am taking a baptism by fire learning iptables. I have read and
> followed the Linux Firewalls book 2nd Edition as best as I could. To
> start with I cannot ping from the firewall either to the internet or to
> other hosts. Can someone help me on the side, off list to resolve this?
>
> Stephen
>
> The icmp rules are:
>
> #!/bin/sh
> # EXT-icmp-in and EXT-icmp-out are user-defined chains; they must be
> # created with -N before these jumps are added
> $IPTABLES -A INPUT -p icmp -j EXT-icmp-in
> $IPTABLES -A OUTPUT -p icmp -j EXT-icmp-out
>
> # Log and drop ICMP fragments (-f matches second and later fragments, not the first)
> $IPTABLES -A EXT-icmp-in --fragment -j LOG \
> --log-prefix "Fragmented incoming ICMP: "
> $IPTABLES -A EXT-icmp-in --fragment -j DROP
>
> $IPTABLES -A EXT-icmp-out --fragment -j LOG \
> --log-prefix "Fragmented outgoing ICMP: "
> $IPTABLES -A EXT-icmp-out --fragment -j DROP
>
> # Outgoing ping
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> $IPTABLES -A EXT-icmp-out -p icmp \
> --icmp-type echo-request \
> -m state --state NEW \
> -j ACCEPT
> fi
>
> $IPTABLES -A EXT-icmp-out -p icmp \
> --icmp-type echo-request -j ACCEPT
>
> $IPTABLES -A EXT-icmp-in -p icmp \
> --icmp-type echo-reply -j ACCEPT
>
> # Incoming ping
> #if [ "$CONNECTION_TRACKING" = "1" ]; then
> # $IPTABLES -A EXT-icmp-in -p icmp \
> # -s $MY_ISP \
> # --icmp-type echo-request \
> # -m state --state NEW \
> # -j ACCEPT
> #fi
> #
> #$IPTABLES -A EXT-icmp-in -p icmp \
> # --icmp-type echo-request \
> # -s $MY_ISP -j ACCEPT
> #
> #$IPTABLES -A EXT-icmp-out -p icmp \
> # --icmp-type echo-reply \
> # -d $MY_ISP -j ACCEPT   # the reply goes to the ISP, so match on -d, not -s
>
> # Destination Unreachable - Type 3
> # Dest_Unreachable, Service_Unavailable
> # incoming & outgoing size negotiation, service or
> # destination unavailability, final traceroute response
>
> $IPTABLES -A EXT-icmp-out -p icmp \
> --icmp-type fragmentation-needed -j ACCEPT
>
> $IPTABLES -A EXT-icmp-in -p icmp \
> --icmp-type destination-unreachable -j ACCEPT
>
> # Parameter Problem - Type 12
> $IPTABLES -A EXT-icmp-out -p icmp \
> --icmp-type parameter-problem -j ACCEPT
>
> $IPTABLES -A EXT-icmp-in -p icmp \
> --icmp-type parameter-problem -j ACCEPT
>
> # (11) Time_Exceeded
> # incoming & outgoing time out conditions,
> # also intermediate TTL response to traceroutes
> $IPTABLES -A EXT-icmp-in -p icmp \
> --icmp-type time-exceeded -j ACCEPT
>
> $IPTABLES -A EXT-icmp-out -p icmp \
> --icmp-type time-exceeded -j ACCEPT
>
>
> # (4) Source_Quench
> # incoming & outgoing requests to slow down (flow control)
> $IPTABLES -A EXT-icmp-out -p icmp \
> --icmp-type source-quench -j ACCEPT
>
> $IPTABLES -A EXT-icmp-in -p icmp \
> --icmp-type source-quench -j ACCEPT
--
regards,
allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 47:17:9::137:2002
Be careful of reading health books, you might die of a misprint.
-- Mark Twain
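An added example, not code from either post or from the Linux Firewalls book: a small Python model of the chain walk for the INPUT and OUTPUT rules Allen posted (ALLOW_PING_OUT=1, ALLOW_PING_IN=1), using the addresses from his variables. It models first-match evaluation with LOG as a non-terminating target, the xt_limit token bucket (5/minute, default burst 5, one bucket per rule), and just enough of conntrack to mark an echo-reply ESTABLISHED when it answers an accepted echo-request. Two things are assumed, since the post does not show them: the chain policy is DROP, and an `-m state --state ESTABLISHED -j ACCEPT` rule exists elsewhere in his script, because nothing in the posted rules accepts an echo-reply (Stephen's version accepts echo-reply explicitly instead). The `established_rule` switch shows what that rule is worth, `burst` shows the limit match in action, and the packets are constructed, not captured.

```python
# Added example, not code from the thread; the lead-in says what is assumed.
import ipaddress
from dataclasses import dataclass

EXTERNAL = "eth0"
EXTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")
EXTERNAL_IP = ipaddress.ip_network("10.10.10.23/32")
CHAINS = ("INPUT", "OUTPUT")   # FORWARD is left out to keep the model short

@dataclass
class Pkt:
    chain: str               # INPUT or OUTPUT
    src: str
    dst: str
    icmp_type: str           # echo-request, echo-reply, destination-unreachable, ...
    iface: str = ""          # -i on INPUT, -o on OUTPUT
    fragment: bool = False   # what -f matches: a second or later fragment
    t: float = 0.0           # arrival time in seconds, used by the limit match

class Limit:   # token bucket like xt_limit: --limit 5/minute, default burst 5
    def __init__(self, per_minute=5, burst=5):
        self.rate, self.burst, self.tokens, self.last = per_minute / 60.0, burst, float(burst), 0.0
    def match(self, t):
        self.tokens, self.last = min(self.burst, self.tokens + (t - self.last) * self.rate), t
        ok = self.tokens >= 1
        self.tokens -= ok      # a matching packet spends one token
        return ok

def build_rules(established_rule=True):
    # (chain, matches, target); matches are tested in the order written, like iptables.
    # Fragment rules first, as posted (on a real box with conntrack loaded -f never matches).
    rules = [(ch, dict(fragment=True), tgt) for ch in CHAINS for tgt in ("LOG", "DROP")]
    if established_rule:   # assumed to exist elsewhere in the script: nothing posted accepts echo-reply
        rules += [(ch, dict(state="ESTABLISHED"), "ACCEPT") for ch in CHAINS]
    rules += [
        ("INPUT", dict(icmp_type="destination-unreachable"), "ACCEPT"),
        ("OUTPUT", dict(icmp_type="fragmentation-needed"), "ACCEPT"),
        ("OUTPUT", dict(icmp_type="destination-unreachable"), "DROP"),   # dropped without a LOG
        ("INPUT", dict(icmp_type="time-exceeded"), "ACCEPT"),
        # ALLOW_PING_OUT=1
        ("OUTPUT", dict(iface=EXTERNAL, icmp_type="echo-request", limit="out_log", state="NEW"), "LOG"),
        ("OUTPUT", dict(iface=EXTERNAL, icmp_type="echo-request", state="NEW"), "ACCEPT"),
        # ALLOW_PING_IN=1: only from the external subnet, and each rule has its own limit bucket
        ("INPUT", dict(iface=EXTERNAL, src=EXTERNAL_NET, icmp_type="echo-request", dst=EXTERNAL_IP,
                       limit="in_log", state="NEW"), "LOG"),
        ("INPUT", dict(iface=EXTERNAL, src=EXTERNAL_NET, icmp_type="echo-request", dst=EXTERNAL_IP,
                       limit="in_acc", state="NEW"), "ACCEPT"),
    ]
    return rules

class Firewall:
    def __init__(self, established_rule=True):
        self.rules, self.log = build_rules(established_rule), []
        self.limits = {k: Limit() for k in ("out_log", "in_log", "in_acc")}
        self.flows = set()   # (src, dst) of accepted echo-requests: the ICMP echo part of conntrack

    def state(self, p):
        return "ESTABLISHED" if p.icmp_type == "echo-reply" and (p.dst, p.src) in self.flows else "NEW"

    def _matches(self, p, m):
        for k, v in m.items():
            if k in ("icmp_type", "fragment", "iface") and getattr(p, k) != v:
                return False
            if k in ("src", "dst") and ipaddress.ip_address(getattr(p, k)) not in v:
                return False
            if k == "state" and self.state(p) != v:
                return False
            if k == "limit" and not self.limits[v].match(p.t):
                return False
        return True

    def filter(self, p):   # first match wins; LOG is non-terminating; no match -> policy DROP
        verdict = "DROP"
        for chain, m, target in self.rules:
            if chain != p.chain or not self._matches(p, m):
                continue
            if target == "LOG":
                self.log.append((p.chain, p.icmp_type, p.src))
                continue
            verdict = target
            break
        if verdict == "ACCEPT" and p.icmp_type == "echo-request":
            self.flows.add((p.src, p.dst))
        return verdict

def walk_through(established_rule=True):
    # Constructed packets: ping out and its reply, a ping from outside the external subnet, a late fragment.
    fw = Firewall(established_rule)
    return {
        "ping_out": fw.filter(Pkt("OUTPUT", "10.10.10.23", "198.51.100.7", "echo-request", iface=EXTERNAL)),
        "reply_in": fw.filter(Pkt("INPUT", "198.51.100.7", "10.10.10.23", "echo-reply", iface=EXTERNAL)),
        "ping_in_from_elsewhere": fw.filter(Pkt("INPUT", "203.0.113.9", "10.10.10.23", "echo-request", iface=EXTERNAL)),
        "fragment_in": fw.filter(Pkt("INPUT", "198.51.100.7", "10.10.10.23", "echo-reply", iface=EXTERNAL, fragment=True)),
    }

def burst(n, t=0.0):
    # n echo-requests from the external subnet at time t: the limit match passes the burst of 5.
    fw = Firewall()
    verdicts = [fw.filter(Pkt("INPUT", "10.10.10.5", "10.10.10.23", "echo-request", iface=EXTERNAL, t=t)) for _ in range(n)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP"), len(fw.log)
```

With the assumed ESTABLISHED rule present, `walk_through()` accepts the outgoing echo-request and its echo-reply, drops the ping from 203.0.113.9 because ALLOW_PING_IN=1 only admits the external subnet, and logs and drops the fragment before any ACCEPT can see it. With `established_rule=False` the request still leaves the box but the reply falls to the DROP policy, so ping looks hung even though the OUTPUT side is fine; a posted rule set that never accepts echo-reply depends on that rule being somewhere. `burst(8)` returns (5, 3, 5): five requests pass both the LOG and ACCEPT buckets, three fall to the policy and are not logged either, which is why a flood is quiet in the logs after the first burst.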