LinuxQuestions.org
Old 08-27-2005, 01:04 AM   #1
Centinul
Rule for internal ping on firewall


I'm trying to set up a rule that allows internal systems to ping the firewall and the firewall to ping the internal systems.

If I try pinging the firewall internally with a Windows laptop I keep getting "Request Timed Out" errors. This also happens when I try to ping www.google.com.

If I try to ping the internal interface on the firewall I get "Destination Port Unreachable" errors.

The firewall can ping out to the internet, though, although it can't be pinged from the outside, which is what I want.

Here are the rules I have set up for ping; please correct them.

Code:
# Allow firewall to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal systems to ping out
$IPT -A FORWARD -i $INTIF -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF -s $INTNET -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# NOTE I've ALSO TRIED THE ABOVE CODE LIKE THIS (matching on destination instead of source)
#$IPT -A OUTPUT -o $INTIF -d $INTNET -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
Thanks!
 
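The rules posted above cover OUTPUT and FORWARD but show nothing in INPUT for echo-requests arriving on the internal interface, and no ESTABLISHED,RELATED rule that would let the echo-replies back in; both symptoms fit that gap (a REJECT target in INPUT answers with exactly the ICMP port-unreachable the post describes). The following is an added example, not the poster's script: a minimal stateful ICMP ruleset that assumes the same $IPT, $INTIF, $EXTIF and $INTNET variable names (with constructed defaults) and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful ICMP rules for a
# two-interface firewall. Variable names follow the poster's script; the
# defaults below are assumptions. Commands are printed unless DRY_RUN=0.
IPT="${IPT:-iptables}"
INTIF="${INTIF:-eth1}"
EXTIF="${EXTIF:-eth0}"
INTNET="${INTNET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print a rule in dry-run mode, otherwise execute it.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

icmp_rules() {
    # 1. Return traffic for connections we or the LAN started. This is what
    #    lets the echo-reply (type 0) back in; an OUTPUT/FORWARD rule for the
    #    echo-request alone gives exactly the "Request Timed Out" symptom.
    for chain in INPUT OUTPUT FORWARD; do
        rule -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # 2. Pings *to* the firewall from the LAN are INPUT, not FORWARD.
    #    Rate-limited so an internal flood cannot monopolise the CPU.
    rule -A INPUT -i "$INTIF" -s "$INTNET" -p icmp --icmp-type echo-request \
         -m limit --limit 5/second -j ACCEPT

    # 3. The firewall may ping anywhere; the LAN may ping out through it.
    rule -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -p icmp \
         --icmp-type echo-request -m state --state NEW -j ACCEPT

    # 4. Echo-requests from the WAN are logged (throttled) and dropped, so the
    #    box stays unpingable from outside.
    rule -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request \
         -m limit --limit 1/minute -j LOG --log-prefix "WAN_PING "
    rule -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP
}

# Self-check helper: number of generated rules matching a pattern.
count_rules() {
    icmp_rules | grep -c -- "$1"
}
icmp_rules
```

Review the printed rules first, then apply them as root with DRY_RUN=0 (the rule order matters: the ESTABLISHED,RELATED accepts must come before any blanket REJECT or DROP in the same chain).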
Old 08-27-2005, 02:11 AM   #2
nixcraft
Your rule does not seem to be correct.

I think in your following rule --icmp-type 8 creates the problem, so you need NOT use that.
$IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

See the URLs for an example; I had the same problem, but when I removed --icmp-type 8 (yeah, it is for the ping echo type) it worked.
http://www.cyberciti.biz/nixcraft/vi...icmp-ping.html

http://www.cyberciti.biz/nixcraft/vi...-incoming.html

Hope this helps.
 
Old 08-27-2005, 08:21 AM   #3
Centinul
Original Poster
I tried removing the --icmp-type match and it still didn't work.
 
Old 08-27-2005, 09:41 AM   #4
homey
I'm not sure if this will do for you, but here's how it looks in a script I use:
Code:
# This rule will accept connections from local machines.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/24 -d 0/0 -p all -j ACCEPT

# DROP bad packets.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "TCP_FLAGS1 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "TCP_FLAGS2 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "TCP_FLAGS3 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "TCP_FLAGS4 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "TCP_FLAGS5 "
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "TCP_FLAGS6 "
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# DROP icmp, but only after letting certain types through.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

$IPTABLES -A INPUT -p icmp -j LOG --log-prefix "ICMP_TYPE "
$IPTABLES -A INPUT -p icmp -j DROP
 