No one can ping me, but I cannot ping them!

danielw · 08-18-2003, 03:01 AM

Hello, I'll make it short and sweet.

I have this firewall rule setup on my computer, but for some strange reason I cannot ping outside of my network. It was designed to stop people pinging me but instead I find I'm having trouble pinging out.

Here is the rule I'm using:
------------------<snipet>-------------------
iptables --append INPUT --protocol icmp --in-interface ppp0 --jump REJECT --reject-with icmp-net-unreachable
------------------<snipet>-------------------

Any help is greatly appreciated

jalal · 08-18-2003, 03:19 AM

this rule will also block the ping reply, i.e., you can send ECHO REQUEST, but can't receive the ECHO REPLY because the rule is blocking inbound ICMP.

Therefore, in effect, you can't ping outside your network with that rule in place.

danielw · 08-18-2003, 03:27 AM

Ahhh I understand now. Takes awhile for me to grasp these networking concepts. Could any perhaps suggest a more sensible rule?

jalal · 08-18-2003, 03:35 AM

hmm, you can try adding this instead:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

and setting the input policy to drop.

iptables -P INPUT DROP

this will allow replies to any request you send, while not allowing any request to get to your machine.

danielw · 08-19-2003, 01:35 AM

That last rule you gave me prevented ethernet connections, and I want those so here is a rule that prevents ppp0 but allows everything else to make new connections...

# Create chain which blocks new connections, except if coming from inside
iptables --new-chain block
iptables --append block --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append block --match state --state NEW --in-interface ! ppp0 --jump ACCEPT
iptables --append block --jump DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables --append INPUT --jump block
iptables --append FORWARD --jump block

This so far seems to work fine.

danielw · 08-20-2003, 02:42 AM

Hrrm!

That last rule I posted works with everything but a few IRC servers, namely austnet. Why would this be? Can anybody suggest a better rule?

unSpawn · 08-20-2003, 05:39 PM

What you could do is add a LOG target rule before making "final verdicts" in a chain. This will help you troubleshoot what gets DROPped instead of ACCEPTed. Like ident requests (TCP/113) most IRC servers need a response for, for example.

danielw · 08-21-2003, 03:23 AM

You are probably right, would you have any practical examples of how this is achieved?

danielw · 08-21-2003, 04:29 AM

I added this exception to my previous firewall rule (quoted below)

* iptables --append block --match state --state NEW --protocol tcp --destination-port 113 --jump ACCEPT

Quote:

# Create chain which blocks new connections, except if coming from inside
iptables --new-chain block
iptables --append block --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append block --match state --state NEW --in-interface ! ppp0 --jump ACCEPT
iptables --append block --jump DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables --append INPUT --jump block
iptables --append FORWARD --jump block

I'm happy to say that it seems to be working now.