Packets dropped by iptables
Juan L. Pastor
seguridadlinux at yahoo.es
Wed Oct 13 07:47:35 UTC 2004
On Wed, 2004-10-13 at 08:41, Ow Mun Heng wrote:
> > > > -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> > >
> > > You drop all other ICMP types other than echo (=8). That is bad. ICMP is
> > > an important protocol and blocking specific types will break things! If
> > > you don't know for sure why you block a specific ICMP type then just
> > > don't. You gain no security.
> >
> > So I guess I should change this line with:
> >
> > -A INPUT -p icmp -j ACCEPT
> >
> > Is this OK?
>
> Actually I would prefer that ICMP Type 8 is dis-allowed only.
So the right rules should be:
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOGDROP
-A INPUT -p icmp -j ACCEPT
> > If these are ACK packets, I assume that they are a response to a previously
> > established communication. How can I let these packets come into my
>
> Based on the logs, yes they would seem to be ACK packets, but look at
> the DST, these are supposed to be NON-routeable addresses 192.168.x.x,
> which I think _should_ be rejected.
>
> Unless you are running NAT and you're doing DNAT. (?) are you?
My linux box (192.168.1.2) is connected through an ADSL router
(192.168.1.1, internal IP) so I guess it is OK to let them come into my
box. How can I manage that?
Juan
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
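As an added example that is not part of this thread or of Juan's own configuration: one way to combine the two ICMP rules above with a stateful rule that admits the return ACK packets addressed to a host such as 192.168.1.2 sitting behind a NAT router. The LOGDROP chain definition (rate-limited LOG, then DROP), the default chain policies and the limit values are assumptions; iptables-restore(8) format is used so the whole set is loaded atomically.

```shell
#!/bin/sh
# Added example, not from the thread. Ruleset for a host behind a NAT router
# (e.g. 192.168.1.2 behind 192.168.1.1). Assumed: LOGDROP is defined here as
# "log with a rate limit, then drop"; default policy on INPUT is DROP.

# Print the ruleset in iptables-restore(8) format.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# LOGDROP: log (rate-limited so a flood cannot fill syslog), then drop
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables LOGDROP: " --log-level 4
-A LOGDROP -j DROP
# Loopback is always accepted
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (the ACK packets to 192.168.1.2 seen
# in the logs) belong to an ESTABLISHED connection: accept them before any
# drop rule. (-m conntrack --ctstate is the modern spelling of -m state.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP: refuse and log echo-request (type 8) only, allow every other type
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOGDROP
-A INPUT -p icmp -j ACCEPT
# Anything else that is not part of a known connection: log and drop
-A INPUT -j LOGDROP
COMMIT
EOF
}

# Return 0 when the first rule containing $1 is listed before the first rule
# containing $2. iptables evaluates rules in order, so the ESTABLISHED rule
# must precede the final LOGDROP or the replies would be dropped anyway.
rule_precedes() {
    first=$(build_ruleset | grep -nF -- "$1" | head -n 1 | cut -d: -f1)
    second=$(build_ruleset | grep -nF -- "$2" | head -n 1 | cut -d: -f1)
    [ -n "$first" ] && [ -n "$second" ] && [ "$first" -lt "$second" ]
}

# Load the ruleset atomically; needs root and iptables-restore.
apply_ruleset() {
    build_ruleset | iptables-restore
}

# Usage: sh firewall.sh            (print the ruleset for review)
#        sh firewall.sh --apply    (load it, as root)
if [ "$1" = "--apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run it without arguments first and read the output; only `--apply` touches the running firewall. The ordering check is the point worth keeping: placing the ESTABLISHED,RELATED rule above the catch-all LOGDROP is what lets the return ACKs in without opening any inbound ports.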