$ pwd
/etc/sysconfig
$ cat iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -s 192.168.0.2/24 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT <---- line added
-A INPUT -p icmp -m icmp -j DROP <---- line added
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.97.10.2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.97.10.7 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
$ /etc/init.d/iptables restart
After I have done this, I can still ping my machine from other machines. :( What's wrong?
Ding
mgalgoci@xxxxxxxxxx wrote:
On Wed, 5 Nov 2003, Ding Li wrote:
Could someone tell me how to block pings in Red Hat 9.0? I know I should put a line in /etc/sysconfig/iptables, but I don't know what the line looks like. :(
Be careful about blocking all of ICMP. If you do not allow ICMP types 3 and 4,
you will break PMTU discovery and you will experience weird problems reaching other networks.
You probably want something like:
[0:0] -A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp -j DROP
But if you are asking these sorts of questions then you _really_ should go and read
and understand the iptables howto:
http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html
Alternately, referring to the iptables man page isn't a bad idea either.
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
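The filter table is evaluated first match wins, and in the posted file the rule `-A INPUT -s 192.168.0.2/24 -j ACCEPT` sits above the two ICMP rules, so any host on that /24 is accepted before the ICMP DROP is ever consulted; only hosts outside the subnet reach it. Two further points a reader should check against the rules as written: `--icmp-type 3/4` in iptables syntax means type 3, code 4 (destination unreachable, fragmentation needed, the message PMTU discovery relies on), not "types 3 and 4"; and the `--syn` REJECT rules in the RH-Lokkit chain only refuse connection attempts, so other TCP segments fall through to the chain's ACCEPT policy. The simulator below is an added example written for this thread; it is not code from the original post or from Red Hat's lokkit. It walks an iptables-save style ruleset the way the kernel does, supports only the match options that appear on the page, and uses a trimmed copy of the posted ruleset plus constructed sample packets.

```python
"""First-match walk of an iptables filter ruleset (added example, not from the post).
Models only -s/-d, -p, -i, --sport/--dport, --syn, --icmp-type and -j."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}


def _net(text):
    """iptables accepts shorthand such as 0/0 or 192.168.0.2/24; normalize it."""
    addr, _, plen = text.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


@dataclass
class Packet:                       # constructed sample packet, inbound on eth0
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst: str = "192.168.0.1"
    iface: str = "eth0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False
    icmp_type: Optional[int] = None
    icmp_code: int = 0


@dataclass
class Rule:
    chain: str
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    iface: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False
    icmp: Optional[tuple] = None    # (type, code or None) from --icmp-type type[/code]

    def matches(self, p):
        if self.src and ipaddress.ip_address(p.src) not in self.src: return False
        if self.dst and ipaddress.ip_address(p.dst) not in self.dst: return False
        if self.proto and p.proto != self.proto: return False
        if self.iface and p.iface != self.iface: return False
        if self.sport is not None and p.sport != self.sport: return False
        if self.dport is not None and p.dport != self.dport: return False
        if self.syn and not p.syn: return False
        if self.icmp:
            t, c = self.icmp
            if p.icmp_type != t or (c is not None and p.icmp_code != c): return False
        return True


def parse_ruleset(text):
    """Parse iptables-save output into {chain: [policy, [Rule, ...]]}."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = [policy, []]
            continue
        toks = shlex.split(line)
        if toks[0].startswith("["):             # optional leading counters
            toks = toks[1:]
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            opt = toks[i]
            if opt == "--syn":
                rule.syn = True; i += 1; continue
            arg = toks[i + 1]
            if opt == "-s": rule.src = _net(arg)
            elif opt == "-d": rule.dst = _net(arg)
            elif opt == "-p": rule.proto = arg
            elif opt == "-i": rule.iface = arg
            elif opt == "--sport": rule.sport = int(arg)
            elif opt == "--dport": rule.dport = int(arg)
            elif opt == "--icmp-type":
                t, _, c = arg.partition("/")
                rule.icmp = (int(t), int(c) if c else None)
            elif opt == "-j": rule.target = arg
            elif opt != "-m":                   # "-m tcp/udp/icmp" carries no state here
                raise ValueError("unsupported option " + opt)
            i += 2
        chains[rule.chain][1].append(rule)
    return chains


def verdict(chains, packet, chain="INPUT"):
    """Return (verdict, chain, rule_index); rule_index is None when the policy applied."""
    policy, rules = chains[chain]
    for idx, rule in enumerate(rules):
        if not rule.matches(packet):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, chain, idx
        if rule.target == "RETURN":
            break
        if rule.target in chains:               # jump; resume here if the chain returns
            result = verdict(chains, packet, rule.target)
            if result[0] != "RETURN":
                return result
    return ("RETURN" if chain not in BUILTIN else policy), chain, None


# Trimmed copy of the posted ruleset (ports 25, 80, 21, 23, 110, 139 left out).
HEADER = [":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]",
          ":RH-Lokkit-0-50-INPUT - [0:0]"]
SUBNET_RULE = "-A INPUT -s 192.168.0.2/24 -j ACCEPT"
ICMP_RULES = ["-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT",
              "-A INPUT -p icmp -m icmp -j DROP"]
TAIL = ["-A INPUT -j RH-Lokkit-0-50-INPUT",
        "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT",
        "-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT",
        "-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.97.10.2 --sport 53 -d 0/0 -j ACCEPT",
        "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT",
        "-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT", "COMMIT"]
POSTED = "\n".join(HEADER + [SUBNET_RULE] + ICMP_RULES + TAIL)   # order as posted
FIXED = "\n".join(HEADER + ICMP_RULES + [SUBNET_RULE] + TAIL)    # ICMP rules first


def ping_verdicts(ruleset_text):
    """Verdict for an echo request (ICMP type 8) from a LAN host and from a remote host."""
    chains = parse_ruleset(ruleset_text)
    lan = Packet(src="192.168.0.5", proto="icmp", icmp_type=8)
    remote = Packet(src="10.1.1.1", proto="icmp", icmp_type=8)
    return verdict(chains, lan)[0], verdict(chains, remote)[0]


if __name__ == "__main__":
    print("posted order:", ping_verdicts(POSTED))   # ('ACCEPT', 'DROP')
    print("icmp first:  ", ping_verdicts(FIXED))    # ('DROP', 'DROP')
```

Moving the two ICMP rules above the subnet ACCEPT makes the DROP apply to LAN hosts too, while a type 3/code 4 message from anywhere is still accepted; note that other destination-unreachable codes (for example 3/3, port unreachable) and type 4 are dropped by the posted rules, since `3/4` names a single type/code pair.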