On Mon, 20 Dec 2004 at 08:34, Rob Sterenborg wrote:
> You don't give much information about what you've done already, but you
> have probably set the policy for the INPUT chain to DROP so it will drop
> any packet for which NF has no rule to accept it.
> In that case you'll have to accept ICMP traffic from your LAN :
> iptables -A INPUT -i $IF_LAN -s $IP_LAN -p icmp -j ACCEPT
>
> If you have also set policy to DROP for the OUTPUT chain, you'll want to
> be able to send the reply packets :
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> Gr,
> Rob

It would be even better if he only accepts the echo-request and
echo-reply packets. That will allow pings but will deny other kinds
of ICMP packets that could be harmful.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
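
The restriction suggested in the reply above, written out as an added example that is not from either poster: it accepts only echo-request from the LAN and only echo-reply back to it, instead of all ICMP. The `IF_LAN` and `IP_LAN` defaults are constructed values, `IPT` and `APPLY` are hypothetical variables of this example, and `iptables -C` is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the thread.
# IF_LAN / IP_LAN defaults are constructed; IPT and APPLY are hypothetical knobs.
IPT="${IPT:-iptables}"
IF_LAN="${IF_LAN:-eth1}"
IP_LAN="${IP_LAN:-192.168.1.0/24}"

# Append a rule only if an identical one is not already in the chain,
# so re-running the script does not stack duplicate rules.
add_rule() {
    chain="$1"; shift
    $IPT -C "$chain" "$@" 2>/dev/null || $IPT -A "$chain" "$@"
}

# Permit ping from the LAN to this host and no other ICMP type.
allow_lan_ping() {
    # Inbound: echo-request (ICMP type 8) arriving on the LAN interface.
    add_rule INPUT -i "$IF_LAN" -s "$IP_LAN" \
        -p icmp --icmp-type echo-request -j ACCEPT
    # Outbound: echo-reply (ICMP type 0), needed when the OUTPUT policy is DROP.
    add_rule OUTPUT -o "$IF_LAN" -d "$IP_LAN" \
        -p icmp --icmp-type echo-reply -j ACCEPT
}

# Touch the live ruleset only when asked to (requires root).
if [ "${APPLY:-0}" = "1" ]; then
    allow_lan_ping
fi
```

Run it as `APPLY=1 sh script.sh` on the firewall; with the INPUT policy set to DROP, every other ICMP type from the LAN is then dropped by the policy.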