On Friday 07 February 2003 06:11 pm, SBlaze wrote:
> Recently I created what I think are some pretty decent ICMP rules to
> allow me to trace and ping outside of my network but not allow the
> same kind of activities in...I think I did a pretty good job after
> reading the tutorial
>
> You guys be the judge and let me know if there was a better way for this
> to be done.
>
> iptables -A INPUT -p ICMP -i eth0 -m state --state NEW -j DROP
> iptables -A INPUT -p ICMP -i eth0 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> iptables -A OUTPUT -p ICMP -o eth0 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT

If you have a DROP policy for INPUT you don't need the first rule, and the
third should work just as well without any state matching at all. (The only
additional state allowed through that way is 'INVALID', which you should
explicitly DROP if you are concerned about it.)

Regardless, you seem to have grasped how the state matches work, and how to
use them to allow only desired connections. These rules WILL impose the
limitations you desire, so that rates as a success.

j
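To see why the reply's simplified ruleset (INPUT policy DROP, an explicit INVALID drop, ESTABLISHED/RELATED accepted, OUTPUT accepted with no state match) still lets outbound ping and traceroute work while refusing the same traffic inbound, here is an added toy model of the state match; it is not code from the thread, and the addresses, identifiers and conntrack behaviour are constructed simplifications of the kernel's logic.

```python
# Added example, not from the thread: toy model of iptables' state match on the
# ICMP traffic discussed above, using the reply's simplified rules. Addresses,
# echo identifiers and the conntrack logic are constructed simplifications.
from dataclasses import dataclass, field

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ICMP_ERRORS = {DEST_UNREACH, TIME_EXCEEDED}

@dataclass
class Packet:
    direction: str           # "in" arrives on eth0, "out" leaves via eth0
    icmp_type: int
    local: str               # our address
    remote: str              # peer, or the router that sent an ICMP error
    icmp_id: int             # echo identifier (the quoted one, for errors)
    quoted_remote: str = ""  # errors only: destination of the quoted probe

def flow_key(pkt):
    # An ICMP error belongs to the flow it quotes, not to the router sending it.
    remote = pkt.quoted_remote if pkt.icmp_type in ICMP_ERRORS else pkt.remote
    return (pkt.local, remote, pkt.icmp_id)

@dataclass
class Conntrack:
    flows: set = field(default_factory=set)  # confirmed echo flows

    def classify(self, pkt):
        tracked = flow_key(pkt) in self.flows
        if pkt.icmp_type == ECHO_REQUEST:
            return "ESTABLISHED" if tracked else "NEW"
        if pkt.icmp_type == ECHO_REPLY:
            return "ESTABLISHED" if tracked else "INVALID"
        return "RELATED" if tracked and pkt.icmp_type in ICMP_ERRORS else "INVALID"

# (states matched, or None for no -m state; target). First match wins, else policy.
INPUT_RULES, INPUT_POLICY = [({"INVALID"}, "DROP"), ({"ESTABLISHED", "RELATED"}, "ACCEPT")], "DROP"
OUTPUT_RULES, OUTPUT_POLICY = [(None, "ACCEPT")], "ACCEPT"

def filter_packet(ct, pkt):
    state = ct.classify(pkt)
    rules, policy = (INPUT_RULES, INPUT_POLICY) if pkt.direction == "in" else (OUTPUT_RULES, OUTPUT_POLICY)
    target = next((t for states, t in rules if states is None or state in states), policy)
    if target == "ACCEPT" and state == "NEW":
        ct.flows.add(flow_key(pkt))  # like the kernel, confirm the entry only on ACCEPT
    return state, target

def run_scenario():
    ct, me = Conntrack(), "10.0.0.2"
    trace = [Packet("out", ECHO_REQUEST, me, "198.51.100.7", 1),       # our ping goes out
             Packet("in", ECHO_REPLY, me, "198.51.100.7", 1),          # and is answered
             Packet("in", ECHO_REQUEST, me, "203.0.113.9", 5),         # outsider pings us
             Packet("in", ECHO_REPLY, me, "203.0.113.9", 5),           # reply nobody asked for
             Packet("out", ECHO_REQUEST, me, "198.51.100.7", 2),       # traceroute -I probe
             Packet("in", TIME_EXCEEDED, me, "192.0.2.1", 2, "198.51.100.7")]  # hop answers
    return [filter_packet(ct, p) for p in trace]
```

The inbound echo request is refused by the policy alone, which is the reply's point about the redundant NEW rule; the stray echo reply only exists as INVALID, which is why that state deserves an explicit DROP.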