On Friday 04 October 2002 9:32 pm, Alistair Tonner wrote:

> Antony ... My icmp chain ... (seems to work for me,
> and you can toss in limit rules as well)
>
>
> # $IPTABLES -A icmp_packets -j LOG --log-level 4 --log-prefix "IPT icmp IN:"
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> # $IPTABLES -A icmp_packets -j LOG --log-level DEBUG --log-prefix "IPT icmp DROP :"
> $IPTABLES -A icmp_packets -j DROP

Interesting. You're allowing ICMP message types 0, 3, 5 and 11....

0 is echo reply
3 is destination unreachable
5 is redirect
11 is time exceeded

Comments:

1. Why allow echo reply if you don't also allow echo request (type 8)?

2. I think you should also allow source quench (type 4) so that systems can slow each other down if they start sending too fast.

Out of interest, what sort of log entries do you see from the "log just before dropping the rest" rule?

Antony.

--
Most people have more than the average number of legs.
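The following script is an added example, written for this page and not posted by either participant. It builds a variant of the icmp_packets chain above that answers the two points raised in the reply: echo request (type 8) is accepted under a rate limit (the "limit rules" Alistair mentions), and the final DROP is logged under a limit so a flood cannot fill the log. Redirect (type 5) is left out because accepting redirects lets a neighbour rewrite the host's routing, and source quench (type 4) is omitted because RFC 6633 (2012) deprecated it; the `IPTABLES` variable name and chain name are taken from the thread, the rates are assumed values.

```shell
#!/bin/sh
# Added example (not from the original thread). Run as root with the
# argument "apply" to install the chain; set IPTABLES=echo to preview the
# rules instead of executing them, e.g.  IPTABLES=echo sh icmp_chain.sh apply
IPTABLES="${IPTABLES:-iptables}"

build_icmp_chain() {
    # Create the user chain (ignore "already exists"), then empty it.
    $IPTABLES -N icmp_packets 2>/dev/null || true
    $IPTABLES -F icmp_packets
    # Replies and error reports needed for normal operation:
    # 0 echo reply, 3 destination unreachable, 11 time exceeded.
    for t in 0 3 11; do
        $IPTABLES -A icmp_packets -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Echo request: allowed, but throttled so a ping flood is dropped once
    # the burst of 10 is used up and more than 5/second keep arriving.
    $IPTABLES -A icmp_packets -p icmp --icmp-type 8 \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    # Log what is about to be dropped, at most 3 lines per minute,
    # then drop everything else (redirects and source quench included).
    $IPTABLES -A icmp_packets -m limit --limit 3/minute \
        -j LOG --log-level 4 --log-prefix "IPT icmp DROP: "
    $IPTABLES -A icmp_packets -j DROP
}

if [ "${1:-}" = "apply" ]; then
    build_icmp_chain
fi
```

The dropped-packet log lines from this chain show up in the kernel log with the prefix "IPT icmp DROP: " followed by the packet's source, destination, TYPE and CODE fields, which is what the reply asks about.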