Re: traceroute ping fail
On Sun, Oct 01, 2000 at 04:04:36PM -0500, William Jensen wrote:
> An update to myself...in case others are having this problem:
>
> I added the following rule to my script:
>
> $IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
>
> My understanding is now the box will accept 'echo replies' that I would generate by 'ping debian.org'. I then went to another pc on the net and tried to ping my own box and it still just drops the packets. (which I want)
>
> Can anyone see anything wrong with what I've done?

I don't think 'echo reply' is --icmp-type 0. Do a /sbin/ipchains -h icmp.

To get icmp replies, enable pong:

/sbin/ipchains -A input -p icmp --icmp-type pong -j ACCEPT

(not sure what the numerical value for pong is)

-- 
John
traceroute ping fail
I think it's my firewall blocking them going _out_ because when I take the firewall offline both ping and traceroute work fine. Ping works on localhost, though traceroute does not when the firewall is up. Unfortunately I am too new at both debian and firewalling to know where I went wrong. I'm trying to set it up so I can ping and traceroute to other boxes but other 'bad' boxes can't do it to me. What information can I follow this msg up with that will be helpful?

I call the firewall from /etc/rc2.d/S90firewall_up which is just a symlink to /etc/init.d/firewall_up.

On a side note, when I added the logging line:

$IPT -A Firewall -j LOG --log-level info --log-prefix Firewall:

It produces a TON of the following as fast as it can put them in the log file. How do I read this and even more importantly how can I make it log the rejects properly so that I can actually catch people trying to scan the box etc.

Oct 1 13:28:11 stimpy kernel: Firewall:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:78:cb:ce:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=68 DPT=67 LEN=556

If it would help I can attach the actual firewall script.
Re: traceroute ping fail
An update to myself...in case others are having this problem:

I added the following rule to my script:

$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT

My understanding is now the box will accept 'echo replies' that I would generate by 'ping debian.org'. I then went to another pc on the net and tried to ping my own box and it still just drops the packets. (which I want)

Can anyone see anything wrong with what I've done?

On Sun, Oct 01, 2000 at 01:47:48PM -0500, William Jensen wrote:
Re: traceroute ping fail
Another update to myself and others that may want this information: This update concerns traceroute.

If I added the following rules I can now traceroute to anywhere, but traceroutes to me fail:

$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT

Again, the same question goes out to those of you more familiar with iptables, did I mistakenly leave myself open here?

Bill

On Sun, Oct 01, 2000 at 04:04:36PM -0500, William Jensen wrote:
Re: traceroute ping fail
On Sun, 1 Oct 2000, William Jensen wrote:
> Another update to myself and others that may want this information: This update concerns traceroute.
>
> If I added the following rules I can now traceroute to anywhere, but traceroutes to me fail:
>
> $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT

There are a few more you should have for the network to operate properly. There are other things such as MTU Path Discovery that need to work. You should, as suggested by the ipchains HOWTO, be allowing these:

-p icmp --icmp-type destination-unreachable -j ACCEPT
-p icmp --icmp-type source-quench -j ACCEPT
-p icmp --icmp-type time-exceeded -j ACCEPT
-p icmp --icmp-type parameter-problem -j ACCEPT

Note destination-unreachable rather than port-unreachable. There are several subtypes of destination-unreachable and port-unreachable is only one of them.
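As an added example (not Bill's script, nor code from anyone in the thread), here is a script that puts the two threads of this discussion together: an iptables ruleset for the policy Bill describes, using the inbound ICMP types the ipchains HOWTO recommends, with the LOG rule placed so that it records rejects only, plus a small reader for the kernel LOG line he asked how to interpret. It assumes a hypothetical chain name ICMP_IN and the iptables binary in $IPT (set IPT=echo to print the rules instead of loading them); the sample log line is the one from Bill's mail.

```shell
#!/bin/sh
# Added example, not Bill's script: iptables rules for the policy in this
# thread (outbound ping/traceroute work, nobody can ping the box, only drops
# are logged) plus a reader for the kernel LOG lines Bill asked about.
# Assumptions: a hypothetical chain ICMP_IN for inbound ICMP only; IPT names
# the iptables binary (IPT=echo prints the rules instead of loading them).
IPT="${IPT:-/sbin/iptables}"

# Inbound ICMP types the ipchains HOWTO says to accept: the replies and errors
# ping, traceroute and path MTU discovery rely on.  echo-request is left out,
# so inbound pings still fall through to the DROP at the end of the chain.
ICMP_REPLY_TYPES="echo-reply destination-unreachable source-quench time-exceeded parameter-problem"

load_rules() {
    $IPT -N ICMP_IN 2>/dev/null || $IPT -F ICMP_IN
    for t in $ICMP_REPLY_TYPES; do
        $IPT -A ICMP_IN -p icmp --icmp-type "$t" -j ACCEPT
    done
    # LOG sits just before the terminal DROP and is rate-limited, so it records
    # rejects only, not every packet the way an unconditional LOG at the top of
    # a chain does.  The trailing space keeps the prefix from fusing to IN=.
    $IPT -A ICMP_IN -m limit --limit 5/minute -j LOG --log-level info --log-prefix "Firewall: "
    $IPT -A ICMP_IN -j DROP
    $IPT -A INPUT -p icmp -j ICMP_IN
}

# log_field KEY LINE: value of the first KEY= token in a kernel LOG line.  An
# optional "prefix:" before KEY= copes with Bill's fused "Firewall:IN=eth0".
log_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^\([^=]*:\)\{0,1\}$1=//p" | sed -n 1p
}

# classify_log_line LINE: the entry in Bill's mail is a DHCP client broadcast
# (UDP 68 -> 67 from 0.0.0.0 to 255.255.255.255), not a scan; say so, and
# summarise anything else as protocol, source and destination port.
classify_log_line() {
    if [ "$(log_field PROTO "$1")" = UDP ] && [ "$(log_field SPT "$1")" = 68 ] &&
       [ "$(log_field DPT "$1")" = 67 ] && [ "$(log_field DST "$1")" = 255.255.255.255 ]; then
        echo dhcp-client-broadcast
    else
        echo "$(log_field PROTO "$1") from $(log_field SRC "$1") to port $(log_field DPT "$1")"
    fi
}

# The line Bill posted, used here as sample input.
SAMPLE='Oct 1 13:28:11 stimpy kernel: Firewall:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:78:cb:ce:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=68 DPT=67 LEN=556'

# "sh script.sh apply" loads the rules; with no argument it explains the sample line.
if [ "${1:-}" = apply ]; then load_rules; else classify_log_line "$SAMPLE"; fi
```

The flood Bill saw is the DHCP client broadcast on his LAN being logged by an unconditional LOG rule, not a scan; once LOG only precedes the DROP, the log shows just what the firewall refused.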