Hi people,

I'm configuring a firewall with iptables and am having a little trouble. I want to filter ICMP packets of type 3 and 11 (destination-unreachable and time-exceeded). I want the firewall to block all packets of these types that are not RELATED to another connection. I tried this rule:

    iptables -A -p icmp --icmp-type 3 -m state --state RELATED -j ACCEPT

but this doesn't work. I have tried all combinations of state values (NEW, ESTABLISHED, RELATED) but nothing seems to work.

However, the ICMP types echo-reply and echo-request work fine with state control (NEW and ESTABLISHED):

    iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT

Is it possible that only one type of ICMP packet works with state control? Is it a bug?

I hope someone can help me, thank you.

Carlos.