IPTables allow ping.

IPTables allow ping.

by Bharath Ramesh

I have a debian amd64 box. I am writing a set of firewall rules. I want
to be able to ping my machine from outside. I wrote the following rules.
I am still unable to ping my machine from outside. Could someone verify
that my rules are correct?

# Allow to/be ping(ed). $IPT, $EXTIF and $EXTIP (the iptables binary,
# the external interface and the external address) are shell variables
# set elsewhere in the script.
# Inbound echo reply (type 0) and echo request (type 8) on the external interface.
$IPT --append INPUT --in-interface $EXTIF --protocol icmp --icmp-type 0 \
    --destination $EXTIP --match state --state NEW,ESTABLISHED,RELATED \
    --jump ACCEPT
$IPT --append INPUT --in-interface $EXTIF --protocol icmp --icmp-type 8 \
    --destination $EXTIP --match state --state NEW,ESTABLISHED,RELATED \
    --jump ACCEPT
# Outbound echo reply (type 0) and echo request (type 8) from the external address.
$IPT --append OUTPUT --out-interface $EXTIF --protocol icmp --icmp-type 0 \
    --source $EXTIP --match state --state NEW,ESTABLISHED,RELATED \
    --jump ACCEPT
$IPT --append OUTPUT --out-interface $EXTIF --protocol icmp --icmp-type 8 \
    --source $EXTIP --match state --state NEW,ESTABLISHED,RELATED \
    --jump ACCEPT

I am able to ping other machines from my machine, but I am not able to
ping from outside.

Thanks,

Bharath

---
Bharath Ramesh       <bramesh@...>       http://people.cs.vt.edu/~bramesh


--
To UNSUBSCRIBE, email to debian-amd64-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: IPTables allow ping.

by Ernest ter Kuile


I haven't checked your rules, but if you have a modem/router (dsl or
other), is it configured to allow all icmp? (just to be sure of course)

Ernest


On 13 Jun, 2008, at 21:29, Bharath Ramesh wrote:

> I have a debian amd64 box. I am writing a set of firewall rules. I want
> to be able to ping my machine from outside. I wrote the following rule.
> I am still unable to ping my machine from outside. Could someone verify
> that my rule is correct.


Re: IPTables allow ping.

by Bharath Ramesh

I am not behind any modem/router; this is my dedicated server that I am
just setting up.

Thanks,

Bharath

* Ernest ter Kuile (ernestjw@...) wrote:

>
> I haven't checked your rules, but if you have a modem/router (dsl or
> other), is it configured to allow all icmp? (just to be sure of course)
>
> Ernest


Re: IPTables allow ping.

by Antonio Galindo Castro

Hello, try with traceroute to see what happens.

From the man page:

  traceroute tracks the route packets taken from an IP network on their
  way to a given host. It utilizes the IP protocol's time to live (TTL)
  field and attempts to elicit an ICMP TIME_EXCEEDED response from each
  gateway along the path to the host.

Maybe it is something in the middle.


--
Luis Antonio Galindo Castro aka FunkyM0nk3y
Fingerprint: 237E EFE1 6055 BCEB ACD0 7A49 30FC A883 0044 A85E




Re: IPTables allow ping.

by Scott Edwards


--- Ernest ter Kuile <ernestjw@...> wrote:

> I haven't checked your rules, but if you have a modem/router (dsl or
> other), is it configured to allow all icmp? (just to be sure of course)
>
> Ernest

Also, you may want to verify that your kernel is allowing icmp packets:

root@satellite:/proc/sys/net/ipv4# cat icmp_echo_ignore_all

If you see the number 1, icmp packets (i.e., ping) will be ignored. You
can change it with this command:

root@satellite:/proc/sys/net/ipv4# echo "0" > icmp_echo_ignore_all


-- Scott
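
The check Scott describes, generalized into a small audit script, as an added example that is not part of the thread and not anyone's posted code: it reads the three ICMP-related sysctls that decide whether the kernel answers pings at all, reports which differ from the values a pingable but hardened host wants, and can write the fixes. The directory argument and the target values are the editor's assumptions; the default directory is the live /proc/sys/net/ipv4 tree.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): audit the kernel ICMP
# sysctls that can make a host ignore pings before iptables ever sees
# them, and set them to the usual values for a host that should answer
# unicast pings. The directory is a parameter so the functions can be run
# against /proc/sys/net/ipv4 on the live box or against a copy of it
# (assumption: the copy has one file per sysctl, as /proc does).

# Desired values, one "name value" pair per line:
#   icmp_echo_ignore_all 0              -> answer unicast echo requests
#   icmp_echo_ignore_broadcasts 1       -> never answer broadcast pings
#                                          (smurf amplification)
#   icmp_ignore_bogus_error_responses 1 -> do not log malformed ICMP errors
#                                          from broken routers
wanted_icmp_settings() {
    printf '%s\n' \
        'icmp_echo_ignore_all 0' \
        'icmp_echo_ignore_broadcasts 1' \
        'icmp_ignore_bogus_error_responses 1'
}

# icmp_sysctl_audit [DIR] -> one line per setting: "name current wanted OK|FIX"
icmp_sysctl_audit() {
    dir="${1:-/proc/sys/net/ipv4}"
    wanted_icmp_settings | while read -r name want; do
        if [ -r "$dir/$name" ]; then cur=$(cat "$dir/$name"); else cur=missing; fi
        if [ "$cur" = "$want" ]; then state=OK; else state=FIX; fi
        echo "$name $cur $want $state"
    done
}

# icmp_sysctl_fix [DIR] -> writes the wanted value for each FIX line.
# On the live tree this needs root and does what Scott's
# 'echo "0" > icmp_echo_ignore_all' does, but only where needed.
# To survive a reboot, put the matching "net.ipv4.<name> = <value>"
# lines in /etc/sysctl.conf or a file under /etc/sysctl.d/.
icmp_sysctl_fix() {
    dir="${1:-/proc/sys/net/ipv4}"
    icmp_sysctl_audit "$dir" | while read -r name cur want state; do
        [ "$state" = FIX ] || continue
        echo "$want" > "$dir/$name"
        echo "set $name=$want (was $cur)"
    done
}

# pingable [DIR] -> exit 0 if the kernel will answer unicast pings, 1 otherwise
pingable() {
    [ "$(icmp_sysctl_audit "${1:-/proc/sys/net/ipv4}" \
        | grep '^icmp_echo_ignore_all ' | cut -d' ' -f4)" = OK ]
}

# Command-line use: "sh icmp-sysctl.sh audit" or "sh icmp-sysctl.sh fix".
case "${1:-}" in
    audit) icmp_sysctl_audit ;;
    fix)   icmp_sysctl_fix ;;
esac
```

Note that icmp_echo_ignore_all is consulted by the kernel after netfilter has accepted the packet, so a 1 there silently defeats an otherwise correct ACCEPT rule, which is why it belongs in the checklist next to the rule set.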


Re: IPTables allow ping.

by Bharath Ramesh

Thanks for the help, I managed to fix it. The problem was at my hosting
provider's end. They had messed up the routing table; since I was
connected using DRAC, I didn't notice that I wasn't able to connect.

That was the first file I checked when I couldn't ping the machine.
icmp_echo_ignore_all is set to 0.

I tried tracerouting; it goes all the way to the gateway and then my
machine does not respond. Probably I need to add a rule for icmp-type
30 to my firewall script so that it doesn't drop those packets.

Thanks,

Bharath


Re: IPTables allow ping.

by Vitezslav Kotrla

Bharath Ramesh wrote on Fri 13 Jun 2008 at 21:29 +0200:

> $IPT --append INPUT --in-interface $EXTIF --protocol icmp --icmp-type 0 \
>       --destination $EXTIP --match state --state NEW,ESTABLISHED,RELATED \
>       --jump ACCEPT

A side note: I wonder how much use "--match state" is in an ICMP context.
(Well, I can't see any icmp entries in /proc/net/ip_conntrack anyway.)
You might want to consult the debian-firewall list.

Vit




Re: IPTables allow ping.

by Alex Samad

On Sat, Jun 14, 2008 at 08:58:19AM +0200, Vitezslav Kotrla wrote:
> A side note: I wonder how much use "--match state" is in an ICMP context.
> (Well, I can't see any icmp entries in /proc/net/ip_conntrack anyway.)
> You might want to consult the debian-firewall list.

ICMP could be related to different TCP/UDP streams. For example, you
might allow in FTP via the firewall but not have an ftpd server running,
so the ICMP that is generated from a failed attempt is related to the
original TCP stream.

The OP should probably have one line at the top of the chain for
ESTABLISHED,RELATED to cover all the established/related packets.


--
"You see, not only did the attacks help accelerate a recession, the attacks reminded us that we are at war."

        - George W. Bush
06/08/2005
Washington, DC


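
Vit's question about "--match state" on ICMP and Alex's suggestion of a single ESTABLISHED,RELATED rule at the top of the chain, shown together as an added example (editor's code, not the original poster's script or anything posted in the thread). On Linux, conntrack does track ICMP: an echo reply is matched to the outgoing echo request as ESTABLISHED, and an ICMP error whose payload quotes a tracked TCP, UDP or ICMP flow is RELATED to that flow, so one rule at the top admits both without listing types. The interface name, address and rate limit are assumptions; the script uses the conntrack match rather than the older state match from the original rules, sets no chain policies, and has a dry-run mode that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (editor's, not the original poster's script): a stateful
# ICMP policy laid out the way Alex Samad suggests, with one
# ESTABLISHED,RELATED rule leading the chain. All values are assumptions.
IPT="${IPT:-iptables}"           # set IPT="echo iptables" for a dry run
EXTIF="${EXTIF:-eth0}"           # assumed external interface
EXTIP="${EXTIP:-203.0.113.10}"   # assumed external address (RFC 5737 range)

icmp_input_rules() {
    # 1. Replies to our own traffic and ICMP errors about it. conntrack
    #    pairs an echo reply with the echo request that left this host
    #    (ESTABLISHED) and files ICMP errors such as destination-unreachable
    #    or time-exceeded under the flow quoted in their payload (RELATED),
    #    so this one rule covers all of them, for every protocol.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Packets conntrack cannot place in any flow are dropped early.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. Fresh echo requests from outside are answered, but metered, so the
    #    host is not a free ping-flood target. The limit is an assumption.
    $IPT -A INPUT -i "$EXTIF" -d "$EXTIP" -p icmp --icmp-type echo-request \
        -m conntrack --ctstate NEW -m limit --limit 5/second --limit-burst 10 \
        -j ACCEPT
    # 4. Any other unsolicited ICMP arriving on the external interface.
    $IPT -A INPUT -i "$EXTIF" -p icmp -j DROP
}

icmp_output_rules() {
    # Our own pings go out as NEW; their replies, and the ICMP errors that
    # traceroute relies on, come back through rule 1 in INPUT.
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p icmp --icmp-type echo-request \
        -m conntrack --ctstate NEW -j ACCEPT
}

# first_input_rule -> the first rule that would be loaded into INPUT, so a
# reader (or a test) can confirm the ESTABLISHED,RELATED rule leads the chain.
first_input_rule() {
    ( IPT="echo iptables"; icmp_input_rules ) | head -n 1
}

# input_rule_count -> number of rules the INPUT fragment loads.
input_rule_count() {
    ( IPT="echo iptables"; icmp_input_rules ) | wc -l | tr -d ' '
}

# Command-line use: "sh icmp-rules.sh dry-run" prints the rules;
# "sh icmp-rules.sh apply" loads them (root).
case "${1:-}" in
    apply)   icmp_input_rules; icmp_output_rules ;;
    dry-run) IPT="echo iptables"; icmp_input_rules; icmp_output_rules ;;
esac
```

To see the ICMP entries Vit looked for, run `conntrack -L -p icmp` (from conntrack-tools) or read /proc/net/nf_conntrack on kernels that still expose it while a ping is in flight; an ICMP echo entry is kept for 30 seconds after the last packet by default (nf_conntrack_icmp_timeout), so it is easy to miss on an idle box.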