On Monday 21 February 2005 05:35, Shiraz Baig wrote:
> Sir,
> I am trying to see the working of iptables. I read the
> relevant HOWTOs and tried an experiment to get an icmp
> packet rejected. This experiment is from one of the
> HOWTOs. But my experiment has not succeeded.
>
> Could someone tell me why my ICMP packet was not
> rejected in spite of the fact that the rules show that it
> should be rejected.
>
> Here is what I did.
>
> Step 1:
> I did the following to test that icmp protocol packets
> are allowed:
> #ping -c 1 127.0.0.1
>
> I got the response:
>
> --- 127.0.0.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss,
> time 0ms
> It showed icmp packets can go thru.
>
> Step 2:
> I checked the rules to make sure of the above fact.
> #iptables -L
> I got the response:
> --------- response ----------
> Chain INPUT (policy ACCEPT)
> target                prot opt source                 destination
> RH-Lokkit-0-50-INPUT  all  --  anywhere               anywhere
> ................ remaining skipped ............
>
> Step 3:
> Now I gave a command to deny the icmp proto packets.
> # iptables -A INPUT -s 127.0.0.1 -p icmp -j REJECT
>
> Step 4:
> Now I wanted to check that the icmp proto packets are
> not allowed.
> First I checked the rules.
> #iptables -L
> I got the response:
> --------- response ---------------------
> Chain INPUT (policy ACCEPT)
> target                prot opt source                 destination
> RH-Lokkit-0-50-INPUT  all  --  anywhere               anywhere
> REJECT                icmp --  localhost.localdomain  anywhere     reject-with icmp-port-unreachable
> .................. remaining clipped .............
>
> Step 5:
> Now I gave the command ping to see that icmp packets
> are rejected.
> # ping -c 1 127.0.0.1
>
> I got the response:
> --- 127.0.0.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss,
> time 0ms
>
> It showed that the packet was not rejected. It is
> still allowed to pass thru.
>
> Question
> My question is why this packet was not rejected. The
> ruleset shows that this packet should be rejected. But
> it has been accepted. Why?
> bye
> shiraz

You should add --icmp-type. For example, if you want to reject the echo type, which is number eight, this rule should work:

iptables -A INPUT -s 127.0.0.1 -p icmp --icmp-type 8 -j DROP

Cheers

-- 
Manuel Arostegui Ramirez
#Linux Registered User 200896
Hispalinux member 1813
Red Hat Linux 9, Kernel 2.6.2 ReiserFS
Encrypted signature

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
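The listing in the question already contains the reason the appended REJECT never fired, and the script below, added here and not part of the original thread, replays it. iptables walks a chain top-down and stops at the first terminating target (ACCEPT, DROP or REJECT), so a rule appended with -A lands behind the jump into RH-Lokkit-0-50-INPUT, whose contents the post clipped. The script assumes that chain holds Lokkit's usual accept for the loopback interface (an assumption, since it is not shown on the page), feeds the ruleset in `iptables -S` form through a small awk evaluator that follows netfilter's chain semantics, and compares the -A placement with `-I INPUT 1`. A plain `-p icmp` match already covers every ICMP type, so the type selector is not what decides the outcome. The `show_input` and `move_reject_first` helpers are the commands to type on the real box and need root; everything else runs without privileges.

```shell
#!/bin/sh
# Added example; not code from the original thread. It replays the ruleset
# from the post through a small evaluator that follows netfilter's chain
# semantics (top-down, first terminating target wins, user chains fall back
# to the caller when nothing in them terminates, chain policy applies last).
# The contents of RH-Lokkit-0-50-INPUT were clipped in the post; the single
# loopback accept below is an ASSUMPTION about what Lokkit put there.

# Rulesets in `iptables -S` syntax. The evaluator understands -s, -p, -i and -j.
# After the post's step 3 (REJECT appended with -A, so it sits behind the jump):
APPENDED_RULESET='-P INPUT ACCEPT
-N RH-Lokkit-0-50-INPUT
-A INPUT -j RH-Lokkit-0-50-INPUT
-A INPUT -s 127.0.0.1/32 -p icmp -j REJECT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT'

# Same rules with the REJECT inserted at position 1 (what -I INPUT 1 produces):
INSERTED_RULESET='-P INPUT ACCEPT
-N RH-Lokkit-0-50-INPUT
-A INPUT -s 127.0.0.1/32 -p icmp -j REJECT
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT'

# verdict RULESET CHAIN SRC PROTO IFACE -> prints ACCEPT, DROP or REJECT
verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v src="$3" -v proto="$4" -v iface="$5" '
    function walk(c,    i, n, f, k, rs, rp, ri, tgt, v) {
        for (i = 1; i <= nrules; i++) {
            if (rchain[i] != c) continue
            n = split(rspec[i], f, " ")
            rs = ""; rp = ""; ri = ""; tgt = ""
            for (k = 1; k <= n; k++) {
                if (f[k] == "-s") rs = f[k + 1]
                else if (f[k] == "-p") rp = f[k + 1]
                else if (f[k] == "-i") ri = f[k + 1]
                else if (f[k] == "-j") tgt = f[k + 1]
            }
            sub("/32$", "", rs)                 # iptables -S prints host addresses as /32
            if (rs != "" && rs != src) continue
            if (rp != "" && rp != proto) continue
            if (ri != "" && ri != iface) continue
            if (tgt == "ACCEPT" || tgt == "DROP" || tgt == "REJECT") return tgt
            if (tgt == "RETURN") return ""
            if (tgt != "") {                    # jump into a user-defined chain
                v = walk(tgt)
                if (v != "") return v
            }
        }
        return (c in policy) ? policy[c] : ""   # built-in chain: policy; user chain: fall back
    }
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-A" { nrules++; rchain[nrules] = $2; rspec[nrules] = $0 }
    END { print walk(chain) }'
}

# A ping to 127.0.0.1 arrives on the loopback interface.
echo "REJECT appended with -A:         $(verdict "$APPENDED_RULESET" INPUT 127.0.0.1 icmp lo)"   # ACCEPT
echo "REJECT inserted with -I INPUT 1: $(verdict "$INSERTED_RULESET" INPUT 127.0.0.1 icmp lo)"   # REJECT

# On the real box (root needed): list INPUT with positions and packet counters,
# ping once, and look for a rule whose "pkts" column never moves; that rule is
# never being reached. Then move the REJECT in front of the Lokkit jump.
show_input() { iptables -L INPUT -n -v --line-numbers; }
move_reject_first() {
    iptables -D INPUT -s 127.0.0.1 -p icmp -j REJECT
    iptables -I INPUT 1 -s 127.0.0.1 -p icmp -j REJECT
}
```

Run it with `sh`; the two `echo` lines print ACCEPT for the appended placement and REJECT for the inserted one. The evaluator also shows that the same appended rule does fire for an ICMP packet claiming 127.0.0.1 as source on a non-loopback interface, because the loopback accept in the Lokkit chain no longer matches. On a live system the `pkts` column of `iptables -L INPUT -n -v --line-numbers` tells the same story without guessing: a rule that stays at 0 after a ping is never reached.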