Old 09-04-2003, 04:11 AM   #1
kelper
Member
 
Registered: Jan 2003
Posts: 77

Rep: Reputation: 15
Prevent others from pinging the server


I'm using Mandrake 9.1 and iptables for the firewall.
I don't want anyone to be able to ping (ICMP) my firewall.
How do I set that up?

#!/bin/sh
echo "Firewall Starting..."
echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

EXT_INTERFACE="eth0"
INT_INTERFACE="eth1"
DMZ_INTERFACE="eth2"
INT_ADDRESS="10.121.64.0/255.255.254.0"
DMZ_ADDRESS="192.168.0.0/255.255.255.0"
Real_EXT_IP_1="203.x.x.x"
Real_EXT_IP_2="203.y.y.y"
ANY="0.0.0.0/0"
BROADCAST_DEST="255.255.255.255"

## Default Policy ####

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Clear previous settings
iptables -F
iptables -t nat -F
iptables -t mangle -F

###############
echo "INPUT Policy"
########## INPUT #######################################
iptables -A INPUT -i $EXT_INTERFACE -s $INT_ADDRESS -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_INTERFACE -s $INT_ADDRESS -d $ANY -j ACCEPT
iptables -A INPUT -i $DMZ_INTERFACE -s $DMZ_ADDRESS -d $ANY -j ACCEPT


########### ALLOW INCOMING PORT ###########################

iptables -A INPUT -p icmp -s $ANY -d $Real_EXT_IP_1 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP_1 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -s $ANY -d $Real_EXT_IP_1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP_1 --dport 80 -j ACCEPT

iptables -A INPUT -p icmp -s $ANY -d $Real_EXT_IP_2 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -s $ANY -d $Real_EXT_IP_2 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 80 -j ACCEPT


echo "FORWARD Policy"
############ FORWARD ######################################
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INT_INTERFACE -s $INT_ADDRESS -d $ANY -j ACCEPT
iptables -A FORWARD -i $DMZ_INTERFACE -s $DMZ_ADDRESS -d $ANY -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $DMZ_ADDRESS -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $INT_ADDRESS -j ACCEPT
# $Real_EXT_IP was never defined above (only Real_EXT_IP_1 and Real_EXT_IP_2 are), so the rule is written out for both
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d $Real_EXT_IP_1 -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d $Real_EXT_IP_2 -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d 10.121.64.1 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -s $ANY -d $Real_EXT_IP_1 --dport 80 -j DNAT --to 192.168.0.100:80
iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.100 -d $ANY --dport 80 -j SNAT --to $Real_EXT_IP_1:80

########## ftp server ###########
iptables -t nat -A PREROUTING -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 80 -j DNAT --to 192.168.0.50:80
iptables -A FORWARD -p tcp -d 192.168.0.50 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.50 -d $ANY --dport 80 -j SNAT --to $Real_EXT_IP_2:80

iptables -t nat -A PREROUTING -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 21 -j DNAT --to 192.168.0.50:21
iptables -A FORWARD -p tcp -d 192.168.0.50 --dport 21 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.50 -d $ANY --dport 21 -j SNAT --to $Real_EXT_IP_2:21

iptables -t nat -A PREROUTING -p tcp -s $ANY -d $Real_EXT_IP_2 --dport 20 -j DNAT --to 192.168.0.50:20
iptables -A FORWARD -p tcp -d 192.168.0.50 --dport 20 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.50 -d $ANY --dport 20 -j SNAT --to $Real_EXT_IP_2:20


######## REDIRECT #################
######## Transparent Proxy ###############
#iptables -t nat -A PREROUTING -i $INT_INTERFACE -p tcp -s $INT_ADDRESS -d ! 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $DMZ_INTERFACE -p tcp -s $DMZ_ADDRESS -d ! 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128


######## Many-to-one NAT ##############

iptables -t nat -A POSTROUTING -j MASQUERADE -s $INT_ADDRESS -d $ANY -o ppp0
iptables -t nat -A POSTROUTING -j MASQUERADE -s $DMZ_ADDRESS -d $ANY -o ppp0
echo "Firewall Done."

Last edited by kelper; 09-06-2003 at 06:08 AM.
 
Old 09-04-2003, 04:39 AM   #2
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 622

Rep: Reputation: 30
Hi,

You can block pings in /etc/sysctl.conf. Edit this file and add the following entry:

# Enable ignoring ping requests
net.ipv4.icmp_echo_ignore_all = 1

This should do the trick

Cheers
 
Old 09-04-2003, 04:50 AM   #3
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
I think you can also be a bit more restrictive in which ICMP packets you let in. This takes more space in your script, but instead of accepting all of them, you accept specific ICMP types:

Code:
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
With "iptables -p icmp -h" you can see the valid ICMP types.

But of course, aqoliveira's way is shorter, hence better.
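One way to put the two replies together, as an added example that is not code from the thread: a function that emits the per-type ICMP rules for the external interface (dropping echo-request while keeping the error-reporting types), plus a check for the sysctl setting from reply #2. It assumes the interface name `EXT_IF` and defaults `IPT` to `echo iptables` so it can be reviewed without root; these rules must come before the blanket `-p icmp ... -j ACCEPT` lines in the original script, because iptables matches the first rule that fits.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the ICMP rules the replies
# describe for one external interface. IPT defaults to "echo iptables" so the
# script can be run unprivileged to review the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# ICMP types a host should keep accepting: they carry error reports and are
# needed for path-MTU discovery and traceroute to keep working.
KEEP_TYPES="destination-unreachable time-exceeded parameter-problem"

icmp_rules() {
    ext_if="$1"
    for t in $KEEP_TYPES; do
        $IPT -A INPUT -i "$ext_if" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Replies to our own pings normally match the RELATED,ESTABLISHED rule
    # already in the script; accept them explicitly in case conntrack is off.
    $IPT -A INPUT -i "$ext_if" -p icmp --icmp-type echo-reply -j ACCEPT
    # The actual goal of the thread: silently drop inbound echo-request.
    # This must sit before any blanket "-p icmp -j ACCEPT" rule.
    $IPT -A INPUT -i "$ext_if" -p icmp --icmp-type echo-request -j DROP
    # redirect and router-advertisement are deliberately not accepted: from an
    # untrusted interface they let a peer change this host's routing table.
}

# Kernel-side alternative from reply #2: returns 0 when echo requests are
# ignored globally. Takes a file path so it can also be checked against a copy.
ping_ignored() {
    read -r v < "${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    [ "$v" = "1" ]
}

icmp_rules "${EXT_IF:-eth0}"
```

The sysctl approach silences ping on every interface, while the rule set above only affects the external one, so internal monitoring that relies on ping keeps working.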