Great and thanks for your swift replies. The problem was actually a routing
problem.

- Tomas

On Fri, Feb 28, 2003 at 12:17:14PM +0100, Cedric Blancher wrote:
>
> On Fri 28/02/2003 at 11:37, netfilter@tommi.org wrote:
> > I'm wondering if state doesn't apply to ICMP packets.
>
> It applies.
>
> > iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> > iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
> > if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal? I
> > thought that the echo-reply should be marked RELATED and therefore not
> > blocked?
>
> Nope.
> In fact, you can separate ICMP messages into two categories:
>
> . ICMP errors
> . standalone ICMP
>
> ICMP errors are related to an existing IP flow. As such, the conntrack
> engine flags them as RELATED.
>
> Standalone ICMP (ping, netmask, timestamp and info, cf.
> ip_conntrack_proto_icmp.c) is not related to an IP flow, and is flagged
> using the NEW/ESTABLISHED states.
> If you ping someone, the echo-request is NEW, the echo-reply is ESTABLISHED.
>
> --
> Cédric Blancher <blancher@cartel-securite.fr>
> IT systems and networks security expert - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
>
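The NEW/ESTABLISHED/RELATED/INVALID classification Cédric describes, as an added example that is not part of the thread and not the code of ip_conntrack_proto_icmp.c: a small Python model of how conntrack states ICMP packets (standalone request/reply pairs versus ICMP errors quoting an existing flow), followed by the two FORWARD rules from the question applied to a ping. The addresses, ICMP identifier, port numbers, the chain policy (assumed DROP; the mail does not say what it is) and all function names are constructed for the example.

```python
"""Toy model of how netfilter conntrack states ICMPv4 packets.

Constructed example mirroring the behaviour described in the mail, not the
kernel source. Addresses, ICMP ids and ports are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Standalone ICMP request types and the reply type each one expects:
# echo, timestamp, info and address-mask requests.
REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}
REPLY_TO_REQUEST = {v: k for k, v in REQUEST_TO_REPLY.items()}
# ICMP error types (dest-unreach, source-quench, redirect, time-exceeded,
# parameter-problem); each quotes the datagram that triggered it.
ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    a: int = 0                        # ICMP type, or source port
    b: int = 0                        # ICMP identifier, or destination port
    inner: Optional["Packet"] = None  # for ICMP errors: the quoted datagram


def original_key(p: Packet):
    """Conntrack tuple of a packet taken as the original direction."""
    return (p.proto, p.src, p.dst, p.a, p.b)


def reply_key(p: Packet):
    """Original-direction tuple this packet would be the reply to, or None."""
    if p.proto == "icmp":
        if p.a not in REPLY_TO_REQUEST:
            return None               # not a reply type at all
        return ("icmp", p.dst, p.src, REPLY_TO_REQUEST[p.a], p.b)
    return (p.proto, p.dst, p.src, p.b, p.a)


class Conntrack:
    def __init__(self):
        self.flows = {}               # original tuple -> reply seen yet?

    def state(self, p: Packet) -> str:
        if p.proto == "icmp" and p.a in ERROR_TYPES:
            # ICMP error: RELATED if the quoted datagram belongs to a tracked
            # flow (either direction), else INVALID. Errors never open a flow
            # of their own. (Real conntrack also checks the outer addresses
            # against the inner ones; omitted here.)
            if p.inner is not None and (
                original_key(p.inner) in self.flows
                or reply_key(p.inner) in self.flows
            ):
                return "RELATED"
            return "INVALID"

        key = original_key(p)
        if key in self.flows:
            # Same direction as the first packet: NEW until a reply is seen.
            return "ESTABLISHED" if self.flows[key] else "NEW"

        rk = reply_key(p)
        if rk is not None and rk in self.flows:
            self.flows[rk] = True     # both directions now seen
            return "ESTABLISHED"

        # First packet of a flow. Only request types can open an ICMP flow;
        # an unsolicited echo-reply is INVALID.
        if p.proto == "icmp" and p.a not in REQUEST_TO_REPLY:
            return "INVALID"
        self.flows[key] = False
        return "NEW"


def forward_verdict(p: Packet, state: str, policy: str) -> str:
    """The two FORWARD rules from the question, evaluated in order:

    iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state NEW,INVALID -j REJECT

    Whatever neither rule matches gets the chain policy.
    """
    if p.proto == "icmp" and p.dst == "1.2.3.4" and state == "NEW":
        return "ACCEPT"
    if state in ("NEW", "INVALID"):
        return "REJECT"
    return policy


def trace_ping(policy: str = "DROP"):
    """Echo-request 10.0.0.5 -> 1.2.3.4 and its reply, through the rules."""
    ct = Conntrack()
    request = Packet("icmp", "10.0.0.5", "1.2.3.4", 8, 0x1234)
    reply = Packet("icmp", "1.2.3.4", "10.0.0.5", 0, 0x1234)
    out = []
    for pkt in (request, reply):
        st = ct.state(pkt)
        out.append((st, forward_verdict(pkt, st, policy)))
    return out


if __name__ == "__main__":
    for st, verdict in trace_ping():
        print(st, verdict)
```

With a DROP policy the trace is NEW/ACCEPT for the request and ESTABLISHED/DROP for the reply: the reply is never touched by the REJECT rule, exactly as Cédric says, but nothing in the two quoted rules accepts it either, so it falls through to the policy. A ruleset like this normally wants `-m state --state ESTABLISHED,RELATED -j ACCEPT` ahead of the REJECT; and a reply that disappears rather than being rejected is a hint to look beyond the filter rules, which is where the thread ended up (routing).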