netfilter-bounces@xxxxxxxxxxxxxxxxxxx wrote:
>>> to be able to make pings inside my network. At the moment I am
>>> trying to ping my Linux box from a Windows terminal and I get
>>> request timed out.
>>
>> You don't give much information about what you've done already, but
>> you have probably set the policy for the INPUT chain to DROP so it
>> will drop any packet for which NF has no rule to accept it.
>> In that case you'll have to accept ICMP traffic from your LAN:
>> iptables -A INPUT -i $IF_LAN -s $IP_LAN -p icmp -j ACCEPT
>>
>> If you have also set policy to DROP for the OUTPUT chain, you'll want
>> to be able to send the reply packets:
>> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Doesn't this also require a FORWARD rule for other systems
> inside the LAN to talk to one another?

AFAIK hosts inside the LAN would ping directly to each other, not through
the firewall, so I don't see a reason to include such a rule in the FORWARD
chain.

> And might not the OUTPUT rule include NEW, in case he wants replies
> from the FW itself to be returned?

If a ping request comes in (state NEW), I suppose the ping reply would have
state ESTABLISHED, which will be accepted with the second rule above.
He would however require some rule in the OUTPUT chain (if policy set to
DROP) if he wants to be able to make connections *from* the firewall
(state NEW).

Gr,
Rob
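As an added example (not part of the thread above), here is a complete minimal ruleset for the situation being discussed: a host with INPUT and OUTPUT policy DROP that must answer pings from the LAN and still open connections of its own. The interface name eth0 and the subnet 192.168.1.0/24 are assumed placeholders. Two things the thread's two rules alone do not cover are included: the RELATED,ESTABLISHED rule is also needed on INPUT, otherwise replies to connections the firewall itself initiates (its own pings, DNS lookups) are dropped on the way back in, and loopback must be allowed explicitly once the policy is DROP. The script prints the ruleset in iptables-restore(8) format by default and only touches the live tables when asked to.

```shell
#!/bin/sh
# Added example, not code from the netfilter list thread.
# IF_LAN and IP_LAN are assumed values; override them in the environment.
set -eu

IF_LAN="${IF_LAN:-eth0}"           # LAN-facing interface (assumption)
IP_LAN="${IP_LAN:-192.168.1.0/24}" # LAN subnet (assumption)

# Print the ruleset in iptables-restore(8) format. Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in.
emit_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is easy to forget with a DROP policy; many daemons need it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections the firewall itself started come back on INPUT,
# so the stateful rule is needed on both chains, not only on OUTPUT.
# "-m conntrack --ctstate" is the current spelling of "-m state --state".
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Echo requests from the LAN arrive in state NEW. Only the request type
# needs to be opened; the echo reply is ESTABLISHED and matches the
# conntrack rule in OUTPUT.
-A INPUT -i $IF_LAN -s $IP_LAN -p icmp --icmp-type echo-request -j ACCEPT
# Let the firewall itself open new connections (state NEW on OUTPUT).
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without committing it (needs root, changes nothing).
check_rules() {
    emit_rules | iptables-restore --test
}

# Load the ruleset, replacing the current filter table (needs root).
apply_rules() {
    emit_rules | iptables-restore
}

case "${1:-print}" in
    print) emit_rules ;;
    check) check_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to review the ruleset, with `check` to have iptables-restore parse it without committing, and with `apply` to load it. Rule order matters: the conntrack rules sit before the ICMP rule so that the bulk of traffic is matched by a single stateful rule, and anything not explicitly accepted falls through to the DROP policy.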