IPv4 doesn't work very well without ICMP; generally, one should always accept it, in and out. However, it's OK to drop icmp-type=8 (ECHO requests) on input from non-local sources when the system should not respond to pings from others.

On Saturday, June 15, 2013 07:50:34 PM Bryan Harris wrote:
> I think you need this,
>
> iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT
>
> You can also do -j LOG to see what makes it to a certain place in the
> chain.
>
> Bryan
>
> On Jun 15, 2013, at 7:38 PM, Alex Flex <aflexzor@xxxxxxxxx> wrote:
> > Hello,
> >
> > I have the following simple stateless firewall... the issue is I am not
> > able to send ICMP queries from within the machine. What could I modify
> > or add for this to be able to happen? Also, I am only intending to run an
> > HTTP service and DNS service; is it fine the way it is?
> >
> > Also, I intend to keep the script stateless, not wanting to use conntrack
> > at all.
> >
> > Thanks
> > Alex
> >
> >
> > #!/bin/bash
> >
> > /sbin/iptables -F
> > /sbin/iptables -X
> >
> > /sbin/iptables -P INPUT DROP
> > /sbin/iptables -P FORWARD DROP
> > /sbin/iptables -P OUTPUT ACCEPT
> >
> > #Accept SSH
> > /sbin/iptables -A INPUT -p tcp -m tcp -s 204.199.62.74 --dport 22 -j ACCEPT
> >
> > /sbin/iptables -A INPUT -p tcp --dport 1000:65535 -j ACCEPT
> > /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
> > /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
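
The ICMP advice at the top of this thread, written out as stateless rules that could be appended to an INPUT-DROP script like the one quoted. This is an added example, not code from any poster in the thread; `LOCAL_NET` (a documentation-range placeholder) and the dry-run `IPT` wrapper are assumptions.

```shell
#!/bin/sh
# Added example: stateless ICMP handling for a ruleset whose INPUT policy is
# DROP and whose OUTPUT policy is ACCEPT (so outbound ICMP is already allowed).

# Dry run by default: each rule is printed instead of applied.
# Set IPT=/sbin/iptables (as root) to apply the rules for real.
IPT="${IPT:-echo /sbin/iptables}"

# Assumption: placeholder for the network that is allowed to ping this host.
LOCAL_NET="${LOCAL_NET:-192.0.2.0/24}"

icmp_rules() {
    # Echo requests (type 8) are answered only for the local network.
    $IPT -A INPUT -p icmp --icmp-type 8 -s "$LOCAL_NET" -j ACCEPT
    # Echo requests from everywhere else are dropped: no ping replies.
    $IPT -A INPUT -p icmp --icmp-type 8 -j DROP
    # All other ICMP is accepted without conntrack: echo replies (type 0)
    # to pings sent from this host, destination unreachable (type 3, which
    # includes "fragmentation needed"), and time exceeded (type 11).
    $IPT -A INPUT -p icmp -j ACCEPT
}

icmp_rules
```

Rule order matters because the rules are appended with `-A`: the type 8 DROP has to come before the catch-all ICMP ACCEPT, or echo requests from non-local sources would be accepted by it.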