On Mon, May 20, 2002 at 06:55:32PM +0200, Miky J wrote:

> Thanks Anthony & Davis
> I have not resolved my problem yet, but with these two rules it works (I don't know why!!!):
>
> iptables -A INPUT -i eth0 -p icmp --icmp-type 11 -s $internet -d $extfw -m state --state ESTABLISHED,RELATED -j ACCEPT

I'd suggest you don't need to include an ICMP-specific rule for this... actually

  iptables -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT

should be enough; then all established connections are covered.

> iptables -A OUTPUT -o eth0 -p udp -s $extfw --sport 32769:65535 -d $internet --dport 33434:33523 -j ACCEPT

I'd also say this is best written as

  iptables -A OUTPUT -p udp --dport 33435:33523 -j ACCEPT

IIRC the destination ports start at 33434, but one is added to the port number of each packet by default, including the first packet. However, as long as you trust the firewall box,

  iptables -A OUTPUT -m state --state NEW -j ACCEPT

will allow all new outbound connections, which is possibly OK, and the state engine is smart enough to accept a TTL-expired packet in reply to the UDP packets it's sent out.

You don't need the source port range, and I believe the one you've used is wrong anyway. I think that Linux always uses 1024-5000; see /proc/sys/net/ipv4/ip_local_port_range.

I'm not 100% sure of all of the above, so hopefully one of the wiser heads will correct me if I've made a mistake.

> The logs seem to show that my traceroute uses UDP...
>
> May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=4969 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
> May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4982 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
> May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4995 DF PROTO=UDP SPT=1066 DPT=53 LEN=53

It does on Unix; on Windows, "tracert" uses ICMP pings, on all Windows OSes as far as I know.

> but when I disable the icmp-type 11 rule it doesn't work anymore.

That's because ICMP type 11s are what you get back from the remote hosts, so if you drop those, the traceroute program doesn't have anything to report to you.

> Is it normal that traceroute also needs an outgoing connection from port 32769:65535 to 33434:33523?

See above.

> Will that also work if I have a Windows workstation behind my firewall?

No, you'll need to do the same in the FORWARD rules. Read Oskar's IPTables tutorial for a great explanation of where the chains are... well, until 2.4.18 came along and it all got more complicated ;)

> Are these two rules safe, or should I improve them with a state flag?

See above; do go with state. State is your friend, state rocks, state is why you can write a decent ruleset in about ten lines.

Also, I thought the state tables were in hex... but I must be confusing iptables with Checkpoint FW-1. If you cat /proc/net/ip_conntrack you can read the state table.

> And if I'd like people to traceroute my machines behind the firewall, is it possible to hide the fw, and how?

DROP any TTL-exceeded (ICMP type 11) packets in your OUTPUT chain. Not only will that stop traceroute picking up the existence of your firewall, it'll stop anyone playing games with TTL from picking up details about your rulebase. Of course it will leave a bl**ding obvious line of asterisks in the traceroute output, but to avoid that you'd have to do some smart stuff... actually, you probably could; add 1 to the TTL in the PREROUTING chain perhaps.

<snip>

-- 
FunkyJesus
System Administration Team
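As an added example (not part of FunkyJesus' reply or of Miky J's rules), here is a small Python classifier for netfilter LOG lines of the kind quoted in the thread. It parses the KEY=VALUE fields the iptables LOG target writes and tags each line as a DNS lookup, a UDP traceroute probe (the 33434:33523 destination range from the thread) or an ICMP type 11 reply, which makes it quick to confirm from the logs which rule a traceroute is actually exercising. The three DNS lines are the ones quoted above; the UDP probe line and the ICMP reply line (with the bracketed inner header that ICMP errors carry) are constructed with placeholder addresses, and the port range and ICMP type used for classification are assumptions taken from the thread.

```python
"""Classify netfilter LOG lines like the ones quoted in the thread.

Added example, not code from the original post. The LOG target writes one
line of KEY=VALUE fields per packet; this splits those fields out and tags
each packet as a DNS lookup, a UDP traceroute probe or an ICMP TTL-exceeded
reply.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample: the three DNS lines quoted in the thread, plus one
# constructed UDP probe (TTL=1, dport in the traceroute range) and one
# constructed ICMP type 11 reply. Addresses and IDs are placeholders.
SAMPLE_LOG = """\
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=4969 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4982 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
May 20 18:32:30 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4995 DF PROTO=UDP SPT=1066 DPT=53 LEN=53
May 20 18:32:31 linuxfw kernel: IN= OUT=eth0 SRC=x.y.z.195 DST=a.b.c.71 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=4999 DF PROTO=UDP SPT=32771 DPT=33435 LEN=20
May 20 18:32:31 linuxfw kernel: IN=eth0 OUT= SRC=a.b.c.1 DST=x.y.z.195 LEN=68 TOS=0x00 PREC=0xC0 TTL=253 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=x.y.z.195 DST=a.b.c.71 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=4999 DF PROTO=UDP SPT=32771 DPT=33435 LEN=20 ]
"""

# Assumptions taken from the thread: the UDP destination range traceroute
# walks, and ICMP type 11 (time exceeded) as the reply that comes back.
TRACEROUTE_DPORTS = range(33434, 33524)   # 33434-33523 inclusive
ICMP_TIME_EXCEEDED = 11


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the outer-header fields of one LOG line as a dict.

    Empty values ("IN=") are kept as "", bare flags such as DF are collected
    under "FLAGS", and a second LEN= (the UDP length) is stored as LEN_L4 so
    it does not overwrite the IP length. The bracketed inner header that
    ICMP errors carry is cut off first; otherwise its PROTO=UDP would
    overwrite the outer PROTO=ICMP.
    """
    payload = line.split("kernel:", 1)[1]
    payload = payload.split("[", 1)[0]
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in payload.split():
        if "=" not in token:
            flags.append(token)
            continue
        key, value = token.split("=", 1)
        if key in fields:
            key = key + "_L4"
        fields[key] = value
    fields["FLAGS"] = ",".join(flags)
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Name the kind of traffic a parsed LOG line represents."""
    proto = fields.get("PROTO")
    if proto == "UDP":
        dport = int(fields["DPT"])
        if dport in TRACEROUTE_DPORTS:
            return "traceroute-probe"
        if dport == 53:
            return "dns"
        return "udp-other"
    if proto == "ICMP":
        if int(fields.get("TYPE", -1)) == ICMP_TIME_EXCEEDED:
            return "ttl-exceeded"
        return "icmp-other"
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count each traffic kind over a block of LOG lines."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if "kernel:" not in line:
            continue
        counts[classify(parse_log_line(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_log_line(line)
        print(f"{classify(f):17s} {f['IN'] or '-':>5} -> {f['OUT'] or '-':<5} "
              f"{f['SRC']} -> {f['DST']} ttl={f['TTL']}")
    print(summarize(SAMPLE_LOG))
```

Feed it the output of a `-j LOG` rule placed just before the DROP at the end of your INPUT and OUTPUT chains and the three DNS lines from the thread show up as "dns" rather than as probes: they are the name lookups traceroute does for each hop, which is why a ruleset that only opens 33434:33523 still needs DNS to work. The ICMP line is the one the `--icmp-type 11` rule (or a generic ESTABLISHED,RELATED rule) has to let back in.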
