Reject icmp packet thru iptables

Manuel Arostegui Ramirez manuel at todo-linux.com
Mon Feb 21 07:42:42 UTC 2005


On Monday 21 February 2005 05:35, Shiraz Baig wrote:
> Sir,
> I am trying to see the working of iptables. I read the
> relevant HOWTOs and tried an experiment to get an icmp
> packet rejected. This experiment is from one of the
> HOWTOs. But my experiment has not succeeded.
>
> Could someone tell me why my ICMP packet was not
> rejected in spite of the fact that the rules show that it
> should be rejected?
>
> Here is what I did.
>
> Step 1:
> I did the following to test that icmp protocol packets
> are allowed:
> 	#ping -c 1 127.0.0.1
>
> I got the response:
>
> --- 127.0.0.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss,
> time 0ms
> It showed icmp packets can go thru.
>
> Step 2:
> I checked the rules to make sure the above fact.
> 	#iptables -L
> I got the response:
> --------- response ----------
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> RH-Lokkit-0-50-INPUT  all  --  anywhere
> anywhere
> ................ remaining skipped ............
>
> Step 3:
> Now I gave a command to deny the icmp proto packets.
>   # iptables -A INPUT  -s 127.0.0.1 -p icmp  -j REJECT
>
> Step 4:
> Now I wanted to check that the icmp proto packets are
> not allowed.
> First I checked the rules.
>      #iptables -L
> I got the response:
> --------- response ---------------------
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> RH-Lokkit-0-50-INPUT  all  --  anywhere
> anywhere
> REJECT     icmp --  localhost.localdomain  anywhere
>        reject-with icmp-port-unreachable
>
> .................. remaining clipped .............
>
> Step 5:
> Now I gave the command ping to see that icmp packets
> are rejected.
>    # ping -c 1 127.0.0.1
>
> I got the response:
> --- 127.0.0.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss,
> time 0ms
>
> It showed that the packet was not rejected. It is
> still allowed to pass thru.
>
> Question
> My question is why this packet was not rejected. The
> ruleset shows that this packet should be rejected. But
> it has been accepted. Why?
> bye
> shiraz

You should specify the --icmp-type; for example, if you want to reject the echo
type, which is number eight, this rule should work:

iptables -A INPUT -s 127.0.0.1 -p icmp --icmp-type 8 -j DROP

Cheers

-- 
Manuel Arostegui Ramirez #Linux Registered User 200896
Socio de Hispalinux 1813
Red Hat Linux 9, Kernel 2.6.2 ReiserFS
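The listing in the question shows the REJECT rule appended (-A) after the jump to RH-Lokkit-0-50-INPUT. The toy model below, an added example that is not from the thread, replays iptables' first-match traversal over that ruleset to show how rule order alone decides whether the pinged packet ever reaches the REJECT rule; the contents of the Lokkit chain are an assumption (its default accepts loopback traffic), since the thread only shows "remaining skipped".

```python
# Added example, not part of the original thread: a minimal model of
# iptables first-match chain traversal.  The RH-Lokkit-0-50-INPUT chain
# content is an ASSUMPTION (Lokkit's default accepts the lo interface).

def matches(rule, pkt):
    """A rule matches when every match it specifies agrees with the packet."""
    return all(pkt.get(k) == v for k, v in rule.get("match", {}).items())

def traverse(chains, chain, pkt):
    """Walk a chain top to bottom.  A jump to a user chain returns that
    chain's verdict; if the user chain ends without one, walking resumes
    at the next rule of the caller (implicit RETURN)."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:                  # jump to a user-defined chain
            verdict = traverse(chains, target, pkt)
            if verdict is not None:
                return verdict
            continue
        return target                         # terminating verdict
    return None

def input_verdict(chains, pkt, policy="ACCEPT"):
    """Verdict for a packet entering INPUT, falling back to the chain policy."""
    return traverse(chains, "INPUT", pkt) or policy

# Constructed ruleset mirroring the thread's listing.
LOKKIT = [{"match": {"iface": "lo"}, "target": "ACCEPT"}]   # assumed content
JUMP = {"match": {}, "target": "RH-Lokkit-0-50-INPUT"}
REJECT_ICMP = {"match": {"src": "127.0.0.1", "proto": "icmp"}, "target": "REJECT"}

# "-A INPUT ..." places the rule after the jump; "-I INPUT 1 ..." would put it first.
appended = {"INPUT": [JUMP, REJECT_ICMP], "RH-Lokkit-0-50-INPUT": LOKKIT}
inserted = {"INPUT": [REJECT_ICMP, JUMP], "RH-Lokkit-0-50-INPUT": LOKKIT}

# Constructed packet: the echo request from "ping -c 1 127.0.0.1" on lo.
PING = {"iface": "lo", "src": "127.0.0.1", "proto": "icmp", "icmp_type": 8}

if __name__ == "__main__":
    print("appended after Lokkit jump:", input_verdict(appended, PING))  # ACCEPT
    print("inserted before the jump:  ", input_verdict(inserted, PING))  # REJECT
```

On a real host the same question is answered by `iptables -L INPUT -v -n --line-numbers`, whose per-rule packet counters show which rule actually matched.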