ipcop, block icmp on red interface

webstuff · 02-14-2005, 07:31 AM

Hi all

I'm having fun with ip cop at the moment which i have just installed. It's all running well but I would like to make some changes to the way it works. I wish to block icmp to the red int ip of it from the wan. Any ideas how i do this i presume i will need to modify a script somewhere? Any ideas would be appreciated.

regards

webstuff

win32sux · 02-14-2005, 07:41 AM

the iptables rule to block all icmp traffic from one zone to another would look like this:

Code:

iptables -A FORWARD -p ICMP -i ethX -o ethY -j DROP

obviously you'd need to replace ethX and ethY with your actual interfaces...

webstuff · 02-14-2005, 08:30 AM

Hi

thanks for the response. I think i explained this wrong. the red int currently allows icmp from any devices connected to it through a cable to a router. I wish to block icmp from devices attached to this router, so it is not actually an interface on the ipcop to block the traffic coming from. rather something like a 192.168.*.* range. any further ideas?

cheers

win32sux · 02-14-2005, 08:44 AM

this example would block icmp on that interface only when the packets are coming from subnet 192.168.0.0/24:

Code:

iptables -A FORWARD -p ICMP -i ethX -o ethY -s 192.168.0.0/24 -j DROP

webstuff · 02-15-2005, 04:11 AM

Hi

which file do i have to modify to add this line? on smoothwal it was sonething like firewall.up i think.

cheers

win32sux · 02-15-2005, 07:15 AM

i'm not sure. i've never used ipcop. but doesn't it have like a web interface or something where you can add new custom firewall rules??

webstuff · 02-15-2005, 10:34 AM

Hi

This is what im confused of, there is nothing in the gui about adding rules for blocking access, rules as there for allowing access. I was quite surprised you could ping the outside interface of the ipcop at all, this is not something i would expect to see allowed. unfortunately the main english support site www.ipcops.com and net are down and have been for a while i think. this is why i have posted here in case anyone had experiance of it. the joys. Cheers anyway

merize147 · 03-05-2005, 10:57 AM

Not sure if anyone is still following these tread but here you go:

1) Edit the firewall rc script (/etc/rc.d/rc.firewall)
find line (/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT)
(line 152 for me.)
change to (/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP)

2) Reboot

There is also another file for personal rules (/etc/rc.d/rc.firewall.local)

jml75 · 03-18-2005, 05:11 PM

The address is www.ipcop.org not . com

floppywhopper · 04-18-2005, 09:43 PM

I'm now following this thread as I think I have the same problem.

would that mean going into the secure shell thingy
and editing that file ?

and yes I was surprised to fing IP Cop replying to pings

floppy