Hi all. Apologies if this is a FAQ.

Typical 2-nic firewall setup:

eth0 is the Internet-facing interface, getting an IP via DHCP from my cable modem.
eth1 is the local-facing interface, routing to 192.168.1.0/24.

The firewall can ping 192.168.1.x hosts.
The 192.168.1.x hosts can ping both eth1 and eth0.
The 192.168.1.x hosts can ping Internet hosts.
The 192.168.1.x hosts have full Internet access.

HOWEVER.

The firewall itself cannot ping Internet hosts. Observe:

[zach@<obfuscated> ~]$ sudo ping -I eth0 <yahoo>
Password:
PING <yahoo> (209.73.186.238) from 24.218.42.122 eth0: 56(84) bytes of data.

--- <yahoo> ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms


[zach@<obfuscated> ~]$ sudo ping -I eth1 <yahoo>
PING <yahoo> (209.73.186.238) from 192.168.1.254 eth1: 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- <yahoo> ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2001ms

(Replace <yahoo> with the expected address, first post and I can't post a URL.)

While there's no pressing NEED for me to be able to ping internet hosts from my firewall (since everything else works) it would be useful for troubleshooting purposes, when my cablemodem decides to crap itself. I'm sure I just need to add a rule to my INPUT chain (possibly to FORWARD as well?) but I am having a hardtime figuring it out. Relatively new to iptables.

TIA for any help or suggestions

I believe that the firestarter program uses iptables and is very easy to configure. You could install it and then set it to allow ping through.

Hey, I think you should look into the settings for iptables where the ICMP protocol is accepted if the state is Established. You probably tried to keep from being pinged, but was a tad bit overzealous.

I used to have a firewall that I did on my own and here is the ping rules I had in there: