Reject icmp packet thru iptables
Michael Schwendt
fedora at wir-sind-cool.org
Mon Feb 21 07:50:43 UTC 2005
On Sun, 20 Feb 2005 20:35:59 -0800 (PST), Shiraz Baig wrote:
> Sir,
> I am trying to see the working of iptables. I read the
> relevant HOWTOs and tried an experiment to get an icmp
> packet rejected. This experiment is from one of the
> HOWTOs. But my experiment has not succeeded.
>
> Could someone tell me why my ICMP packet was not
> rejected in spite of the fact that rules show that it
> should be rejected.
> Step 2:
> I checked the rules to make sure the above fact.
> #iptables -L
> I got the response:
> --------- response ----------
> Chain INPUT (policy ACCEPT)
> target                prot opt source    destination
>
> RH-Lokkit-0-50-INPUT  all  --  anywhere  anywhere
> ................ remaining skipped ............
You skipped all but the relevant line:
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
List your rules again, this time with the "iptables-save" command.
For most iptables users it is much more readable. Notice how the
INPUT chain jumps into the user-defined RH-Lokkit-0-50-INPUT chain
where all packets on the loopback device are accepted.
> Step 3:
> Now I gave a command to deny the icmp proto packets.
> # iptables -A INPUT -s 127.0.0.1 -p icmp -j REJECT
Use -I, not -A, so this rule is _inserted_ at the beginning of the
INPUT chain.
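The ordering problem in this reply (first matching rule wins, a jump into a user-defined chain returns to the caller only if that chain falls through, and a rule appended with -A therefore never sees a packet already ACCEPTed inside RH-Lokkit-0-50-INPUT) can be reproduced without root or a netfilter kernel by modelling chain traversal. The following is an added example written for this page, not code from the original post or from iptables; the Lokkit ruleset it builds is a constructed approximation of the one quoted above (only the loopback ACCEPT is modelled), and the iptables-save rendering is simplified (no /32 masks, no --reject-with).

```python
"""Model of netfilter filter-table traversal, written as an added example.

Semantics modelled: rules are checked in order and the first match decides;
ACCEPT/DROP/REJECT end traversal; a jump into a user-defined chain comes back
to the calling chain if that chain falls through (or hits RETURN); the
built-in chain's policy applies only when nothing terminal matched.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    proto: str      # "icmp", "tcp", ...
    in_iface: str   # ingress interface, e.g. "lo"


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT/DROP/REJECT/RETURN or a user chain
    src: Optional[str] = None       # -s
    proto: Optional[str] = None     # -p
    in_iface: Optional[str] = None  # -i

    def matches(self, pkt: Packet) -> bool:
        wanted = ((self.src, pkt.src), (self.proto, pkt.proto),
                  (self.in_iface, pkt.in_iface))
        return all(want is None or want == got for want, got in wanted)

    def save_line(self, chain: str) -> str:
        """Render roughly the way iptables-save prints a rule (simplified)."""
        parts = [f"-A {chain}"]
        if self.src:
            parts.append(f"-s {self.src}")
        if self.in_iface:
            parts.append(f"-i {self.in_iface}")
        if self.proto:
            parts.append(f"-p {self.proto}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


class FilterTable:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.policies: Dict[str, str] = {}  # built-in chains only

    def builtin(self, name: str, policy: str) -> None:
        self.chains[name] = []
        self.policies[name] = policy

    def new_chain(self, name: str) -> None:            # iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None:  # iptables -I
        self.chains[chain].insert(pos - 1, rule)

    def _walk(self, pkt: Packet, chain: str) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(pkt, rule.target)  # jump into a user chain
            if verdict is not None:
                return verdict
            # user chain fell through: keep going after the jump rule
        return None

    def verdict(self, pkt: Packet, chain: str = "INPUT") -> str:
        found = self._walk(pkt, chain)
        return found if found is not None else self.policies[chain]

    def save(self) -> str:
        """Dump in (simplified) iptables-save format: order is explicit."""
        lines = ["*filter"]
        for name in self.chains:
            lines.append(f":{name} {self.policies.get(name, '-')} [0:0]")
        for name, rules in self.chains.items():
            lines.extend(rule.save_line(name) for rule in rules)
        lines.append("COMMIT")
        return "\n".join(lines)


def lokkit_table() -> FilterTable:
    """Constructed approximation of the quoted Lokkit ruleset."""
    table = FilterTable()
    table.builtin("INPUT", "ACCEPT")
    table.new_chain("RH-Lokkit-0-50-INPUT")
    table.append("INPUT", Rule(target="RH-Lokkit-0-50-INPUT"))  # all -- anywhere anywhere
    table.append("RH-Lokkit-0-50-INPUT", Rule(target="ACCEPT", in_iface="lo"))
    return table


REJECT_LOCAL_ICMP = Rule(target="REJECT", src="127.0.0.1", proto="icmp")
PING_OVER_LOOPBACK = Packet(src="127.0.0.1", proto="icmp", in_iface="lo")


def verdict_after_append() -> str:
    table = lokkit_table()
    table.append("INPUT", REJECT_LOCAL_ICMP)   # -A: lands after the jump
    return table.verdict(PING_OVER_LOOPBACK)   # "ACCEPT"


def verdict_after_insert() -> str:
    table = lokkit_table()
    table.insert("INPUT", REJECT_LOCAL_ICMP)   # -I: lands before the jump
    return table.verdict(PING_OVER_LOOPBACK)   # "REJECT"


def saved_rules_after_insert() -> List[str]:
    table = lokkit_table()
    table.insert("INPUT", REJECT_LOCAL_ICMP)
    return table.save().splitlines()


if __name__ == "__main__":
    print("-A:", verdict_after_append())
    print("-I:", verdict_after_insert())
    print("\n".join(saved_rules_after_insert()))
```

The save() output makes the point the reply is making about iptables-save: with -I the REJECT line is printed above "-A INPUT -j RH-Lokkit-0-50-INPUT", with -A it is printed below it, and since the loopback ACCEPT inside the user chain is terminal, the appended rule is never reached for a local ping.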