Hi-ho,

As per Michael's reply... Dropping all ICMP can cause problems, and certainly you should accept some ICMP to be polite.
If you're worried about ping floods and other ICMP nasties, here's a bit from one of my firewall scripts that may help... Not sure if this is original or borrowed from somewhere.

# ICMP jump point. Put this somewhere in your main firewall script...
iptables -N my_icmp   # my ICMP rules
iptables -A INPUT -p icmp -j my_icmp
iptables -A OUTPUT -p icmp -j my_icmp
iptables -A FORWARD -p icmp -j my_icmp

# ICMP traffic, put this bit after the end of everything...
echo ICMP setup.
iptables -A my_icmp -p icmp --icmp-type 0 -j ACCEPT    # echo reply
iptables -A my_icmp -p icmp --icmp-type 8 -j ACCEPT    # echo request
iptables -A my_icmp -p icmp --icmp-type 3 -j ACCEPT    # destination unreachable
iptables -A my_icmp -p icmp --icmp-type 30 -j ACCEPT   # traceroute
iptables -A my_icmp -p icmp --icmp-type 11 -j ACCEPT   # time exceeded
# anything else: log it (rate-limited so the log can't be flooded) and drop it
iptables -A my_icmp -p icmp -m limit --limit 30/minute -j LOG --log-prefix "Firewall: ICMP "
iptables -A my_icmp -j DROP

This allows some ICMP through (types 0, 8, 3, 30 and 11, see below...) but only 30 packets a minute, so ping flooding won't be an issue.. In terms of the big slowdown, types 3 and 11 can cause that problem... The other thing is that your egress filtering (OUTPUT chain stuff) might be affecting it; are you running any rules on OUTPUT? You should be if you're running a live box, to prevent a breach of your machine creating a honeypot.

ICMP types for the curious: you can see there are a few options...
 0  Echo Reply
 3  Destination Unreachable
 4  Source Quench
 5  Redirect
 6  Alternate Host Address
 8  Echo
 9  Router Advertisement
10  Router Solicitation
11  Time Exceeded
12  Parameter Problem
13  Timestamp
14  Timestamp Reply
15  Information Request
16  Information Reply
17  Address Mask Request
18  Address Mask Reply
30  Traceroute
31  Datagram Conversion Error
32  Mobile Host Redirect
33  IPv6 Where-Are-You
34  IPv6 I-Am-Here
35  Mobile Registration Request
36  Mobile Registration Reply
37  Domain Name Request
38  Domain Name Reply
39  SKIP
40  Photuris

----- Original Message -----
From:
> Hi CLUG,
>
> I added these iptables rules to my server/gateway but it makes traffic server go VERY slow eg. mail, POP3, SSH. When I removed them it went ok. The idea of the following rules is to allow incoming SMTP and HTTP server traffic but block every other incoming connection.
>
> iptables -A INPUT -s 0/0 -p icmp -i eth0 -j DROP
> iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -s 0/0 -i eth0 -p tcp -j DROP
> iptables -A INPUT -s 0/0 -i eth0 -p ! tcp -j DROP
>
> Please help.
>
> Thanks,
>
> Paul
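An added example, written for this page and not the script from the reply above: the same kind of chain, but with the 30/minute limit placed on echo requests themselves so the cap applies to pings, while the types TCP needs for path MTU discovery (3) and for traceroute (11, 30) are accepted unconditionally. IPT, PING_LIMIT, the dry-run mode and hooking only INPUT and FORWARD are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the reply above. Builds an ICMP chain that
# accepts the error types TCP relies on, rate-limits echo requests, and logs
# and drops everything else. IPT is an assumption: set IPT=echo to dry-run
# the generated rules without root or a netfilter-enabled kernel.
IPT="${IPT:-iptables}"

# Always accepted: 0 echo reply, 3 destination unreachable (code 4 of this
# type, "fragmentation needed", is what path MTU discovery depends on, and
# dropping it is the classic cause of stalled SMTP/POP3/SSH sessions),
# 11 time exceeded, 30 traceroute.
ICMP_ALWAYS="0 3 11 30"
ECHO_REQUEST=8
PING_LIMIT="${PING_LIMIT:-30/minute}"   # assumed default, same figure as the reply

# build_icmp_chain CHAIN: create CHAIN and hook it into INPUT and FORWARD.
build_icmp_chain() {
    chain="${1:-my_icmp}"
    "$IPT" -N "$chain"
    for t in $ICMP_ALWAYS; do
        "$IPT" -A "$chain" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Echo requests are accepted only up to PING_LIMIT (burst of 10); anything
    # over the limit falls through to the log/drop rules, so a ping flood is
    # capped instead of being answered packet for packet.
    "$IPT" -A "$chain" -p icmp --icmp-type "$ECHO_REQUEST" \
        -m limit --limit "$PING_LIMIT" --limit-burst 10 -j ACCEPT
    # Log the remainder at a low rate so the log itself cannot be flooded.
    "$IPT" -A "$chain" -p icmp -m limit --limit 5/minute \
        -j LOG --log-prefix "Firewall: ICMP "
    "$IPT" -A "$chain" -j DROP
    for hook in INPUT FORWARD; do
        "$IPT" -A "$hook" -p icmp -j "$chain"
    done
}

# rule_count CHAIN: number of iptables invocations the chain needs (dry run).
rule_count() {
    IPT=echo build_icmp_chain "$1" | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)   build_icmp_chain my_icmp ;;
    dry-run) IPT=echo build_icmp_chain my_icmp ;;
esac
```

Run it with `apply` as root to install the chain, or with `dry-run` to print the rules it would install; `iptables -S my_icmp` shows what is actually loaded afterwards.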
