On Sat, 2002-05-18 at 11:42, Allen Wayne Best wrote:
> Steven:
>
> I too used the book you mentioned. I found some of the information in the
> book incorrect. Please see the website mentioned by the author for errata.
>
> As to your specific rules, I have enclosed the rules I am using for the same
> purpose, which work fine.
>
OK. I will look at the site. I am trying to use user-defined chains to
speed up traversal of the main chains (INPUT, OUTPUT, and FORWARD).
Can you look at this revision? I looked at your rules. I don't see why I
must define which interfaces the packet will traverse for the FORWARD
rule for destination-unreachable and time-exceeded. On my last firewall,
using ipchains, I watched for source-quench, time-exceeded,
parameter-problem, destination-unreachable, and fragmentation-needed.
Here is the latest:
#!/bin/sh
# ICMP handling in user-defined chains, so that only ICMP packets traverse
# these rules. Expects IPTABLES, CONNECTION_TRACKING, EXTERNAL_INTERFACE,
# INTERNAL_INF, INTERNAL_NET and MY_ISP to be set earlier in the script.

# Create the user-defined chains before anything jumps to them
$IPTABLES -N EXT-icmp-in
$IPTABLES -N EXT-icmp-out
$IPTABLES -N FWD-icmp

$IPTABLES -A INPUT -p icmp -j EXT-icmp-in
$IPTABLES -A OUTPUT -p icmp -j EXT-icmp-out
$IPTABLES -A FORWARD -p icmp -j FWD-icmp

# Log and drop second and further ICMP fragments (--fragment matches only
# non-first fragments, which carry no ICMP header to inspect)
$IPTABLES -A EXT-icmp-in --fragment -p icmp -j LOG \
    --log-prefix "Fragmented incoming ICMP: "
$IPTABLES -A EXT-icmp-in --fragment -p icmp -j DROP
$IPTABLES -A EXT-icmp-out --fragment -p icmp -j LOG \
    --log-prefix "Fragmented outgoing ICMP: "
$IPTABLES -A EXT-icmp-out --fragment -p icmp -j DROP
$IPTABLES -A FWD-icmp --fragment -p icmp -j LOG \
    --log-prefix "Fragmented fwd ICMP: "
$IPTABLES -A FWD-icmp --fragment -p icmp -j DROP

# Outgoing ping
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPTABLES -A EXT-icmp-out -p icmp \
        --icmp-type echo-request \
        -m state --state NEW \
        -j ACCEPT
    $IPTABLES -A FWD-icmp -o $EXTERNAL_INTERFACE -p icmp \
        --icmp-type echo-request \
        -m state --state NEW \
        -j ACCEPT
fi
$IPTABLES -A EXT-icmp-out -p icmp \
    --icmp-type echo-request -j ACCEPT
$IPTABLES -A EXT-icmp-in -p icmp \
    --icmp-type echo-reply -j ACCEPT
$IPTABLES -A FWD-icmp -p icmp -d $INTERNAL_NET \
    --icmp-type echo-reply -j ACCEPT

# Incoming ping (disabled)
#if [ "$CONNECTION_TRACKING" = "1" ]; then
#    $IPTABLES -A EXT-icmp-in -p icmp \
#        -s $MY_ISP \
#        --icmp-type echo-request \
#        -m state --state NEW \
#        -j ACCEPT
#fi
#
#$IPTABLES -A EXT-icmp-in -p icmp \
#    --icmp-type echo-request \
#    -s $MY_ISP -j ACCEPT
#
# the reply goes back to the ISP, so match on the destination, not the source
#$IPTABLES -A EXT-icmp-out -p icmp \
#    --icmp-type echo-reply \
#    -d $MY_ISP -j ACCEPT

# Destination Unreachable - Type 3
# Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response
# accept destination unreachable messages
$IPTABLES -A EXT-icmp-in -p icmp \
    --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A FWD-icmp -o $INTERNAL_INF -p icmp \
    --icmp-type destination-unreachable \
    -d $INTERNAL_NET -j ACCEPT
# outgoing: only fragmentation-needed (type 3, code 4) is let out
$IPTABLES -A EXT-icmp-out -p icmp \
    --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A FWD-icmp -p icmp \
    --icmp-type fragmentation-needed -j ACCEPT

# Parameter Problem - Type 12
$IPTABLES -A EXT-icmp-out -p icmp \
    --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A EXT-icmp-in -p icmp \
    --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A FWD-icmp -p icmp \
    --icmp-type parameter-problem -j ACCEPT

# Time Exceeded - Type 11
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes
# (incoming)
$IPTABLES -A EXT-icmp-in -p icmp \
    --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A FWD-icmp -o $INTERNAL_INF -p icmp \
    --icmp-type time-exceeded \
    -d $INTERNAL_NET -j ACCEPT
# (outgoing)
$IPTABLES -A EXT-icmp-out -p icmp \
    --icmp-type time-exceeded -j ACCEPT

# Source Quench - Type 4
# incoming & outgoing requests to slow down (flow control)
$IPTABLES -A EXT-icmp-out -p icmp \
    --icmp-type source-quench -j ACCEPT
$IPTABLES -A EXT-icmp-in -p icmp \
    --icmp-type source-quench -j ACCEPT
$IPTABLES -A FWD-icmp -p icmp \
    --icmp-type source-quench -j ACCEPT
Thanks for the help.
Stephen
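Added example, not Stephen's script or Allen's rules: the same three user-defined ICMP chains built on connection tracking, which shows how the error types listed in the message (destination-unreachable, time-exceeded, parameter-problem, source-quench) are accepted by a single RELATED rule instead of one rule per type. The variable names, the sample LAN range and the IPTABLES=echo dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: the same three user-defined ICMP
# chains, but relying on connection tracking instead of listing error types.
# Variable names are assumptions; IPTABLES=echo prints rules instead of loading them.
IPTABLES="${IPTABLES:-echo}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # constructed sample LAN

# Create (or flush, if it already exists) a user-defined chain and hook it
# from its built-in parent for ICMP only, so no other traffic traverses it.
setup_chain() {
    parent=$1; chain=$2
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    $IPTABLES -A "$parent" -p icmp -j "$chain"
}

icmp_rules() {
    setup_chain INPUT   EXT-icmp-in
    setup_chain OUTPUT  EXT-icmp-out
    setup_chain FORWARD FWD-icmp
    for chain in EXT-icmp-in EXT-icmp-out FWD-icmp; do
        # Non-first fragments carry no ICMP header to inspect. (With
        # conntrack loaded the kernel reassembles first, so these rarely fire.)
        $IPTABLES -A "$chain" -p icmp -f -j LOG --log-prefix "Fragmented ICMP ($chain): "
        $IPTABLES -A "$chain" -p icmp -f -j DROP
        # Error messages referring to a tracked connection (destination-
        # unreachable incl. fragmentation-needed, time-exceeded, parameter-
        # problem, source-quench) are RELATED; echo-replies to our own pings
        # are ESTABLISHED. One rule replaces the per-type accept list.
        $IPTABLES -A "$chain" -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
    # New outbound pings from the firewall itself and from the LAN.
    $IPTABLES -A EXT-icmp-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPTABLES -A FWD-icmp -s "$INTERNAL_NET" -o "$EXTERNAL_INTERFACE" -p icmp \
        --icmp-type echo-request -m state --state NEW -j ACCEPT
    # Inbound pings to the firewall, rate-limited so a flood cannot swamp it.
    $IPTABLES -A EXT-icmp-in -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    # Everything else ICMP is logged (rate-limited) and dropped.
    for chain in EXT-icmp-in EXT-icmp-out FWD-icmp; do
        $IPTABLES -A "$chain" -m limit --limit 1/s -j LOG --log-prefix "Dropped ICMP ($chain): "
        $IPTABLES -A "$chain" -j DROP
    done
}

# Number of rules a given chain receives; handy for a dry run with IPTABLES=echo.
rule_count() { icmp_rules | grep -c -- "-A $1 "; }
```

Run it with IPTABLES unset to print the rule set for review, then with IPTABLES=/sbin/iptables to load it.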