specifying icmp types in iptables


Pras
03-05-2001, 10:53 PM
So, is it obvious yet that I'm struggling with iptables? :confused: Anyway, that's the question. How can I specify a range of icmp types in iptables? Here's the line in question:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13:255 -j DROP

The `\` is not the problem. I removed it and tried it. I also tried specifying icmp types for two different types, i.e. ....--icmp-type 13 --icmp-type 14.... and this went through. However, I don't know if this covers both 13 and 14 or if it takes the first one specified. If it does take both, do I have to do that for each type that I want to filter...?
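An added example, not from either post in this thread: the --icmp-type match in iptables accepts one type (by name or number, optionally as type/code), so a span like 13:255 has to be expanded into one rule per type. The function below prints the rules instead of running them, so the result can be checked without root before it is piped to sh; the interface name eth0 is a placeholder, and the 0..255 bound comes from the ICMP type being an 8-bit field.

```shell
#!/bin/sh
# Added example, not the original poster's script. --icmp-type takes a single
# type (or type/code), not a range, so a range has to be expanded into one
# rule per type. Rules are printed, not executed; pipe to sh as root to apply.
#
# Usage: icmp_drop_range INTERFACE FIRST_TYPE LAST_TYPE
icmp_drop_range() {
    iface=$1
    t=$2
    last=$3
    # The ICMP type is an 8-bit field; refuse anything outside 0..255 or reversed
    if [ "$t" -lt 0 ] || [ "$last" -gt 255 ] || [ "$t" -gt "$last" ]; then
        echo "icmp_drop_range: bad range $t:$last (types are 0..255)" >&2
        return 1
    fi
    while [ "$t" -le "$last" ]; do
        printf 'iptables -A INPUT -i %s -p icmp --icmp-type %s -j DROP\n' "$iface" "$t"
        t=$((t + 1))
    done
}

# Number of rules a range expands to; 13..255 gives 243, one per type
icmp_drop_range_count() {
    icmp_drop_range "$@" | wc -l | tr -d ' '
}

# Expand the range from the question for a placeholder interface
icmp_drop_range eth0 13 255
```

Each rule is a separate conntrack-independent match, so a long expansion is both slow to load and hard to audit; the stateful approach in the reply below avoids enumerating types at all for traffic you did not initiate.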

Algemon
03-06-2001, 06:23 AM
Here is an excerpt of something I found earlier:
# Block ping scans of our machine/network, but
# allow the IP $pinger to ping the (non-router) hosts
#
# Get a list of ICMP types with this command:
#
# iptables -p icmp --help

pinger=some_ip_address

iptables -A FORWARD -s $pinger -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -d $pinger -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

However, you can really simplify things if your situation is simple. For example, if all you want to do is allow related icmp packets back in, e.g.:
(4) Source_Quench
(12) Parameter_Problem
(3) Dest_Unreachable, Service_Unavailable
(11) Time_Exceeded
(8) Echo Request (Ping)
(0) Echo Reply (Pong)

Then you could do what I did. Here are some example rules:

#------------------------ Don't speak unless spoken to ------------------------#
# These next 4 rules establish the classic Don't speak unless spoken to firewall

# 1. Allow us to initiate TCP connections to anywhere
iptables -A OUTPUT -o $EXT_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# 2. No INVALID packets
iptables -A INPUT -i $EXT_IF -m state --state INVALID -j log_invalid

# 3. Allow only established and related packets to come in. This includes:
# Related ICMP error messages, Packets establishing an FTP data connection,
# and also the udp/tcp requests to DNS servers (udp/tcp port 53)
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# 4. No one allowed to connect to us
iptables -A INPUT -i $EXT_IF -m state --state NEW -j log_in_new

#--------------------------------------------------#

Here you can see that you can make use of the new iptables stateful stuff. Thus you only allow in those icmp packets which you need to allow or which you requested with ping.

It is much simpler to code and understand, and tighter. Of course, if you are trying to specifically allow icmp packets from certain addresses which have not been initiated by you, then you will have to do something like in the first rules.

Hope that helps.
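An added example, not Algemon's script: it emits the four stateful rules from the reply as iptables commands and also creates the two user-defined chains those rules jump to (log_invalid and log_in_new), which the excerpt leaves undefined. What the chains contain is an assumption here (a rate-limited LOG followed by DROP). An optional second argument adds the "trusted pinger" exception from the first excerpt, placed before the final NEW drop so that host can still ping us unsolicited. Commands are printed rather than executed; eth0 and 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the "don't speak unless spoken to"
# ruleset plus the two logging chains it jumps to. Chain contents (LOG then
# DROP, rate limited) are an assumption; the original excerpt does not define
# them. Pipe the output to sh as root to apply it.
#
# Usage: stateful_ruleset EXT_IF [PINGER_IP]
stateful_ruleset() {
    ext_if=$1
    pinger=$2
    # Logging chains: cap log volume with -m limit, then drop
    for chain in log_invalid log_in_new; do
        echo "iptables -N $chain"
        echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain: \""
        echo "iptables -A $chain -j DROP"
    done
    # 1. We may start anything outbound; replies to it will match ESTABLISHED
    echo "iptables -A OUTPUT -o $ext_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 2. Packets conntrack cannot classify are logged and dropped
    echo "iptables -A INPUT -i $ext_if -m state --state INVALID -j log_invalid"
    # 3. Replies to our traffic, including RELATED ICMP errors, come back in
    echo "iptables -A INPUT -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Optional: one trusted host may ping us unsolicited (must precede rule 4)
    if [ -n "$pinger" ]; then
        echo "iptables -A INPUT -i $ext_if -s $pinger -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    # 4. Any other new inbound connection is logged and dropped
    echo "iptables -A INPUT -i $ext_if -m state --state NEW -j log_in_new"
}

# Number of commands emitted: 10 without a pinger, 11 with one
stateful_ruleset_count() {
    stateful_ruleset "$@" | wc -l | tr -d ' '
}

# Placeholder interface and a documentation-range address for the trusted pinger
stateful_ruleset eth0 192.0.2.10
```

Because the echo-request from the trusted host creates a conntrack entry, the echo-reply we send back is ESTABLISHED and already passes rule 1 on OUTPUT; no separate echo-reply rule is needed, which is the simplification the reply is pointing at.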