On 02/25/17 13:39, Infoomatic wrote:
> Now I want the host 192.168.200.170 to get an icmp type 3 code 3 return when it wants to connect
> to any ip-address to tcp-port 22. I have tried various ways, e.g.
> iptables -A FORWARD -p tcp --source 192.168.200.170 --dest X.X.X.X -j REJECT
> This rule works but the client does not get notified so when it connects it just gets a timeout
If you want it "for any host" then you don't want a "--dest" stanza at all.
If you want "any host on my subnet" then you need the subnet mask: not
just any host, but any host on the subnet, so you want "--destination
192.168.200.0/24".
Keep in mind that "0.0.0.0" is a specific address, while "0.0.0.0/0" is
the range of all possible addresses. Not specifying an address at all is
functionally the same as specifying the range of all addresses.
If you want it for "tcp port 22" then you need a "--dport 22" stanza.
Note that FORWARD is only for forwarding so if you are testing by trying
to telnet to the firewall itself then you are hitting the INPUT table
not the forwarding table.
Use "iptables --list --verbose" to see which rules are being hit by your
attempted connection. Do this before and after the attempt to see which
rules' or policy's counter(s) were incremented by the attempt.
So "iptables -A FORWARD -p tcp --source 192.168.200.170 --dport 22 -j REJECT"
does what you say you want for all hosts _except_ the firewall itself.
You may separately need
"iptables -A INPUT -p tcp --source 192.168.200.170 --dport 22 -j REJECT"
if you want the firewall itself to reject telnet attempts.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
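The following script is an added example and not code from either poster in the thread. It turns the reply's advice into two helpers: one prints the REJECT rules for a source host and TCP port on both the FORWARD and INPUT chains, the other compares two "iptables -L -v -n" listings taken before and after a connection attempt and prints the rules or chain policies whose packet counter grew. The rule text explicitly names "icmp-port-unreachable" (ICMP type 3 code 3, which is also the default reject type for IPv4 REJECT). The two listings at the bottom are constructed sample output, so the script runs without root or iptables installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread.

# Print an iptables REJECT rule for one chain. No -d/--dest is given, so the
# rule matches any destination (the same as 0.0.0.0/0). "icmp-port-unreachable"
# is ICMP type 3 code 3; it is also the default reject type for IPv4 REJECT,
# but naming it keeps the intent explicit.
reject_rule() {
    printf 'iptables -A %s -p tcp -s %s --dport %s -j REJECT --reject-with icmp-port-unreachable\n' "$1" "$2" "$3"
}

# FORWARD covers traffic routed through the firewall; INPUT covers traffic
# addressed to the firewall itself (the case the reply says needs a second rule).
rules_for_host() {
    reject_rule FORWARD "$1" "$2"
    reject_rule INPUT "$1" "$2"
}

# Compare two "iptables -L -v -n" listings ($1 = before, $2 = after) and print
# "<chain>: <rule>" for every rule whose pkts counter increased, plus
# "<chain>: policy <target>" when the chain's policy counter increased.
hit_rules() {
    awk '
        /^Chain / {
            chain = $2
            if (NR == FNR) policy[chain] = $5
            else if ($5 + 0 > policy[chain] + 0) print chain ": policy " $4
            next
        }
        /^ *pkts +bytes/ || NF == 0 { next }
        NR == FNR { before[chain, ++n[chain]] = $1; next }
        {
            i = ++m[chain]
            if ($1 + 0 > before[chain, i] + 0) {
                sub(/^ *[0-9]+ +[0-9]+ +/, "")   # drop the pkts/bytes columns
                print chain ": " $0
            }
        }
    ' "$1" "$2"
}

# Constructed sample listings: between the two, one SSH attempt from
# 192.168.200.170 through the firewall hit the FORWARD rule, and some
# unrelated traffic was accepted by the INPUT chain's policy.
demo_hit_rules() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/before" <<'EOF'
Chain INPUT (policy ACCEPT 40 packets, 3000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       192.168.200.170      0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 10 packets, 1200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       192.168.200.170      0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
EOF
    cat >"$tmp/after" <<'EOF'
Chain INPUT (policy ACCEPT 43 packets, 3180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       192.168.200.170      0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 10 packets, 1200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REJECT     tcp  --  *      *       192.168.200.170      0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
EOF
    hit_rules "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

rules_for_host 192.168.200.170 22
demo_hit_rules
```

On a real firewall you would replace the two heredocs with `iptables -L -v -n > before`, make the connection attempt, then `iptables -L -v -n > after` and run `hit_rules before after`; an attempt that shows up under INPUT rather than FORWARD is the "telnet to the firewall itself" case the reply warns about.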