I do have a state rule already for allowing any established,related connections.
So should I add another one such as:
iptables -A FORWARD -p icmp -m state --state RELATED -j ACCEPT
The current ruleset is attached (I've only excluded the variables and logging sections of it).
--- Begin Message ---
On Thursday 15 July 2004 8:21 pm, Real Cucumber wrote:
> > I would allow the firewall to send ICMP messages through its OUTPUT chain,
> > and if it can generate any connections from itself, then you should allow
> > them in through the INPUT chain as well, however you say you do not allow
> > outgoing connections (not even DNS??), so this may not be needed.
>
> The fedora box doesn't do dns or anything. Its sole purpose is a packet
> forwarding router that doesn't allow any input or output, just forwards.
>
> That is why I'm not sure if I need ICMP supported on it or not, and not sure
> where to add the ICMP support (input, output, forward).
I would allow the machine to forward ICMP messages which are RELATED to the
existing SSH sessions, so that means the rule should go in the FORWARD chain.
If you want more specific advice, please post the current ruleset.
Regards,
Antony.
--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.
Please reply to the list;
please don't CC me.
--- End Message ---
# This will set all default policies to DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Enable Loopback Interface
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Protect against Source-Address Spoofing (Ingress/Egress)
iptables -A FORWARD -i $WAN_INTERFACE -s $WAN_ADDRESSES -j DROP
iptables -A FORWARD -i $WAN_INTERFACE -s $LAN_ADDRESSES -j DROP
iptables -A FORWARD -o $WAN_INTERFACE -s $WAN_ADDRESSES -j DROP
# Allow previously initiated and accepted connections
# to bypass firewall tests (state matching)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop INVALID state packets to stabilize connection tracking
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# This will allow SSH in/out from TIC ADMIN IP to LAN interface
iptables -A INPUT -p tcp --dport $WAN_SSH_PORT -i $LAN_INTERFACE -j ACCEPT
iptables -A OUTPUT -p tcp --sport $WAN_SSH_PORT -o $LAN_INTERFACE -j ACCEPT
# This will allow SSH forwarding from/to INT_SERVER Server
iptables -A FORWARD -s $INT_SERVER_IP -j ACCEPT
iptables -A FORWARD -d $INT_SERVER_IP -j ACCEPT
# This will forward inbound WAN SSH to LAN INT_SERVER with port remapping
iptables -t nat -A PREROUTING -p tcp --dport $WAN_SSH_PORT -i $WAN_INTERFACE -j DNAT --to $INT_SERVER_IP:$INT_SERVER_SSH_PORT
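An added example, not the poster's script and not anything from the list: it rebuilds the attached ruleset in iptables-restore format so the whole table is loaded atomically instead of rule by rule with DROP policies already in force, and it refuses to run while any of the ruleset's variables is empty (the variables section was left out of the post, so the sample values at the bottom are constructed). The comment on the FORWARD state rule carries the ICMP point: conntrack marks ICMP error messages that refer to a tracked TCP flow, such as a forwarded SSH session, as RELATED, so the existing ESTABLISHED,RELATED rule already passes them and a separate `-p icmp --state RELATED` rule adds nothing. The `require_vars`, `gen_ruleset` and `load_ruleset` names and the DRY_RUN switch are this example's own.

```sh
#!/bin/sh
# Added example: loads the list poster's ruleset atomically via iptables-restore.
# Variable names are the poster's; the sample values below are constructed.

# Abort if any named variable is empty. An unset $WAN_INTERFACE would otherwise
# turn "iptables -A FORWARD -i $WAN_INTERFACE -s $LAN_ADDRESSES -j DROP" into a
# malformed command that fails, and a plain script would carry on with the
# anti-spoofing rule silently missing while the default policies stay DROP.
require_vars() {
    for name in "$@"; do
        eval "value=\${$name}"
        if [ -z "$value" ]; then
            printf 'required variable %s is not set\n' "$name" >&2
            return 1
        fi
    done
}

# Print the ruleset in iptables-restore format (comments are accepted there).
gen_ruleset() {
    require_vars LOOPBACK_INTERFACE WAN_INTERFACE LAN_INTERFACE \
        WAN_ADDRESSES LAN_ADDRESSES WAN_SSH_PORT \
        INT_SERVER_IP INT_SERVER_SSH_PORT || return 1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Forward inbound WAN SSH to INT_SERVER with port remapping
-A PREROUTING -i $WAN_INTERFACE -p tcp --dport $WAN_SSH_PORT -j DNAT --to-destination $INT_SERVER_IP:$INT_SERVER_SSH_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback
-A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
-A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Source-address spoofing (ingress/egress)
-A FORWARD -i $WAN_INTERFACE -s $WAN_ADDRESSES -j DROP
-A FORWARD -i $WAN_INTERFACE -s $LAN_ADDRESSES -j DROP
-A FORWARD -o $WAN_INTERFACE -s $WAN_ADDRESSES -j DROP
# State matching. RELATED covers ICMP errors (destination-unreachable,
# time-exceeded, ...) that conntrack ties to a tracked flow, so forwarded
# SSH sessions already receive their ICMP feedback through this rule.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# SSH to the router itself from the LAN side
-A INPUT -i $LAN_INTERFACE -p tcp --dport $WAN_SSH_PORT -j ACCEPT
-A OUTPUT -o $LAN_INTERFACE -p tcp --sport $WAN_SSH_PORT -j ACCEPT
# SSH forwarding from/to INT_SERVER
-A FORWARD -s $INT_SERVER_IP -j ACCEPT
-A FORWARD -d $INT_SERVER_IP -j ACCEPT
COMMIT
EOF
}

# Load atomically; with DRY_RUN=1 only print what would be loaded.
load_ruleset() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        gen_ruleset
    else
        gen_ruleset | iptables-restore
    fi
}

# Constructed sample values for a stand-alone dry run; replace with the real
# variables section before loading for real.
: "${LOOPBACK_INTERFACE:=lo}"
: "${WAN_INTERFACE:=eth0}"
: "${LAN_INTERFACE:=eth1}"
: "${WAN_ADDRESSES:=203.0.113.0/24}"
: "${LAN_ADDRESSES:=192.168.1.0/24}"
: "${WAN_SSH_PORT:=2222}"
: "${INT_SERVER_IP:=192.168.1.10}"
: "${INT_SERVER_SSH_PORT:=22}"
DRY_RUN=1
load_ruleset
```

Run it as root with DRY_RUN unset (or set to 0) to load the rules; the dry run prints the file so the expanded rules can be reviewed first. Because iptables-restore replaces each table in one step, there is no window in which the policies are DROP but the state rule is not yet present.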