On Friday 31 May 2002 2:05 am, Claudio Mio wrote:

> # ICMP from INET
> iptables -N icmp_pkt
> iptables -A icmp_pkt -p icmp -m state --state NEW -j DROP
> iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
You are DROPping NEW ICMP packets. You are only calling this chain (see below) after ACCEPTing packets coming in from the LAN interface, however, so that explains why internal machines can ping in to the firewall.

> # INPUT
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i ${LAN_IF} -j ACCEPT
> iptables -A INPUT -p icmp -j icmp_pkt
> iptables -A INPUT -p udp -j udp_pkt
> iptables -A INPUT -p tcp -j tcp_pkt
> iptables -A INPUT -j log_drop

I do not see anything here which indicates why you should be able to ping through the external interface ppp0 but not through the internal interface eth0.

Please can you confirm that with the ruleset as it now is:

1. you can ping to the firewall from an internal client
2. you cannot ping that internal client from the firewall
3. you can ping to an external machine from the firewall

?

Antony.
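As an added example (not code from this thread), here is a small Python model of the quoted INPUT path that reports which rule decides each packet's fate. It assumes ${LAN_IF} is eth0, that the udp_pkt and tcp_pkt chains (not quoted above) are empty, and that log_drop ends in DROP.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str   # arrival interface: "eth0" is ${LAN_IF}, "ppp0" the Internet side
    proto: str   # "icmp", "udp" or "tcp"
    state: str   # what -m state sees: "NEW", "ESTABLISHED" or "RELATED"

# (match, target) pairs; keys absent from a match mean "any". ACCEPT/DROP end it, other targets jump.
CHAINS = {
    "icmp_pkt": [
        ({"proto": {"icmp"}, "state": {"NEW"}}, "DROP"),
        ({"proto": {"icmp"}, "state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ],
    "udp_pkt": [], "tcp_pkt": [],   # bodies not quoted in the thread: assumed empty
    "log_drop": [({}, "DROP")],     # assumed to log and then drop everything
    "INPUT": [
        ({"iface": {"lo"}}, "ACCEPT"),
        ({"iface": {"eth0"}}, "ACCEPT"),   # -i ${LAN_IF} -j ACCEPT
        ({"proto": {"icmp"}}, "icmp_pkt"),
        ({"proto": {"udp"}}, "udp_pkt"),
        ({"proto": {"tcp"}}, "tcp_pkt"),
        ({}, "log_drop"),
    ],
}
POLICY = {"INPUT": "DROP"}          # iptables -P INPUT DROP

def matches(match, pkt):
    return all(getattr(pkt, k) in allowed for k, allowed in match.items())

def trace(pkt, chain="INPUT"):
    """First matching terminal rule wins; an exhausted user chain returns to its caller."""
    for idx, (match, target) in enumerate(CHAINS[chain], start=1):
        if not matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target, f"{chain}#{idx}"          # name the deciding rule
        if (sub := trace(pkt, target)) is not None:  # -j <user chain>
            return sub
    return (POLICY[chain], f"{chain}:policy") if chain in POLICY else None

# Constructed packets: conntrack marks an echo request NEW, the reply to the firewall's own ping ESTABLISHED.
CASES = {
    "lan client pings firewall":      Packet("eth0", "icmp", "NEW"),
    "lan client answers firewall":    Packet("eth0", "icmp", "ESTABLISHED"),
    "internet host answers firewall": Packet("ppp0", "icmp", "ESTABLISHED"),
    "internet host pings firewall":   Packet("ppp0", "icmp", "NEW"),
}
for name, pkt in CASES.items():
    print(f"{name:32s} -> {trace(pkt)}")
```

The third case is why the firewall can ping out through ppp0; the second shows that the quoted rules also accept replies arriving on eth0, which is exactly the puzzle Antony raises.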