----- Original Message -----
From: "Antony Stone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 30, 2002 10:23 AM
Subject: Re: sendto: Operation not permitted

> On Friday 31 May 2002 2:05 am, Claudio Mio wrote:
>
> > # ICMP from INET
> > iptables -N icmp_pkt
> > iptables -A icmp_pkt -p icmp -m state --state NEW -j DROP
> > iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You are DROPping NEW ICMP packets. You are only calling this chain (see
> below) after ACCEPTing packets coming in from the LAN interface, however, so
> that explains why internal machines can ping in to the firewall.

That's right. The icmp_pkt chain is only dealing with packets from the internet.

> > # INPUT
> > iptables -P INPUT DROP
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A INPUT -i ${LAN_IF} -j ACCEPT
> > iptables -A INPUT -p icmp -j icmp_pkt
> > iptables -A INPUT -p udp -j udp_pkt
> > iptables -A INPUT -p tcp -j tcp_pkt
> > iptables -A INPUT -j log_drop
>
> I do not see anything here which indicates why you should be able to ping
> through the external interface ppp0 but not through the internal interface
> eth0.

I know. I'm confused.

The way I see it the following rule should allow replies to my pings on the external interface.

iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

And the following rule should allow replies to my pings on the internal interface.

iptables -A INPUT -i ${LAN_IF} -j ACCEPT

> Please can you confirm that with the ruleset as it now is:
>
> 1. you can ping to the firewall from an internal client
> 2. you cannot ping that internal client from the firewall
> 3. you can ping to an external machine from the firewall ?

I can confirm I am currently running this ruleset. I can also confirm 1, 2 and 3 above. As well as that I can ping internet machines from machines on my internal lan.

Claude.
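An added illustration, not part of this thread: a small Python model of the quoted INPUT and icmp_pkt chains, evaluated against constructed packets (assuming ${LAN_IF} is eth0 and ppp0 is the external link, as the thread describes; udp_pkt and tcp_pkt are not quoted, so the model treats them as returning to INPUT). It shows that the chains as quoted accept echo replies on both interfaces, so the INPUT rules alone do not account for the difference the thread is puzzling over.

```python
# Toy model of the INPUT and icmp_pkt chains quoted above (added example, not
# code from the thread). A packet is a constructed dict with incoming interface,
# protocol and conntrack state. udp_pkt/tcp_pkt are not quoted in the thread,
# so this model assumes they return to INPUT without a verdict.
LAN_IF = "eth0"   # assumed value of ${LAN_IF}; ppp0 is the external link


def icmp_pkt(pkt):
    """Chain icmp_pkt: DROP NEW, ACCEPT ESTABLISHED/RELATED, else return."""
    if pkt["proto"] != "icmp":
        return None
    if pkt["state"] == "NEW":
        return "DROP", "icmp_pkt: --state NEW -j DROP"
    if pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", "icmp_pkt: --state ESTABLISHED,RELATED -j ACCEPT"
    return None  # end of user chain: back to the calling chain


def input_chain(pkt):
    """Chain INPUT, policy DROP. Returns (verdict, matching rule)."""
    if pkt["iface"] == "lo":
        return "ACCEPT", "INPUT: -i lo -j ACCEPT"
    if pkt["iface"] == LAN_IF:
        return "ACCEPT", "INPUT: -i ${LAN_IF} -j ACCEPT"
    if pkt["proto"] == "icmp":
        verdict = icmp_pkt(pkt)
        if verdict is not None:
            return verdict
    # udp_pkt / tcp_pkt assumed to return here without a verdict
    return "DROP", "INPUT: -j log_drop"


def trace_ping_cases():
    """Evaluate the three ICMP cases the thread is arguing about."""
    cases = {
        # reply to a ping sent from the firewall to the internet
        "echo-reply on ppp0": {"iface": "ppp0", "proto": "icmp",
                               "state": "ESTABLISHED"},
        # reply to a ping sent from the firewall to an internal client
        "echo-reply on eth0": {"iface": "eth0", "proto": "icmp",
                               "state": "ESTABLISHED"},
        # unsolicited ping from the internet to the firewall
        "echo-request on ppp0": {"iface": "ppp0", "proto": "icmp",
                                 "state": "NEW"},
    }
    return {name: input_chain(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in trace_ping_cases().items():
        print(f"{name:22s} -> {verdict:6s} via {rule}")
```

Because both echo replies come back ACCEPT here, the next place to look for the "sendto: Operation not permitted" symptom is outside the quoted INPUT rules.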