This is really weird..... I just added the following rules to my ruleset:
iptables -A INPUT -p icmp -i ${LAN_IF} -j LOG
iptables -A OUTPUT -p icmp -o ${LAN_IF} -j LOG

Only the output rule was firing when I tried to ping my internal machine. So I installed ZoneAlarm on my internal PC to see if the pings were getting there. And they were. So next I shut down ZoneAlarm and tried again to ping the internal machine from my firewall. And now both rules were firing. I removed the log statements and everything is working!

What is going on? I used to have ZoneAlarm running on the internal box but have not had it enabled for months now. Hmmmm. Well anyway I think it is now sorted! I've been trying to sort this problem for weeks!!

Thanks for your help Antony!

----- Original Message -----
From: "Claudio Mio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 30, 2002 6:37 PM
Subject: Re: sendto: Operation not permitted

>
> ----- Original Message -----
> From: "Antony Stone" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 30, 2002 10:23 AM
> Subject: Re: sendto: Operation not permitted
>
>
> > On Friday 31 May 2002 2:05 am, Claudio Mio wrote:
> >
> > > # ICMP from INET
> > > iptables -N icmp_pkt
> > > iptables -A icmp_pkt -p icmp -m state --state NEW -j DROP
> > > iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > You are DROPping NEW ICMP packets. You are only calling this chain (see
> > below) after ACCEPTing packets coming in from the LAN interface, however, so
> > that explains why internal machines can ping in to the firewall.
>
> That's right. The icmp_pkt chain is only dealing with packets from the
> internet.
>
> > > # INPUT
> > > iptables -P INPUT DROP
> > > iptables -A INPUT -i lo -j ACCEPT
> > > iptables -A INPUT -i ${LAN_IF} -j ACCEPT
> > > iptables -A INPUT -p icmp -j icmp_pkt
> > > iptables -A INPUT -p udp -j udp_pkt
> > > iptables -A INPUT -p tcp -j tcp_pkt
> > > iptables -A INPUT -j log_drop
> >
> > I do not see anything here which indicates why you should be able to ping
> > through the external interface ppp0 but not through the internal interface
> > eth0.
>
> I know. I'm confused. The way I see it the following rule should allow
> replies to my pings on the external interface.
> iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> And the following rule should allow replies to my pings on the internal
> interface.
> iptables -A INPUT -i ${LAN_IF} -j ACCEPT
>
> > Please can you confirm that with the ruleset as it now is:
> >
> > 1. you can ping to the firewall from an internal client
> > 2. you cannot ping that internal client from the firewall
> > 3. you can ping to an external machine from the firewall ?
>
> I can confirm I am currently running this ruleset. I can also confirm 1, 2
> and 3 above. As well as that I can ping internet machines from machines on
> my internal LAN.
>
> Claude.
>
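The quoted INPUT chain can be traced without touching a live box. The following is an added Python model, not code from the thread, that walks those rules for Antony's three test cases plus an unsolicited echo-request arriving from the internet; eth0 as the value of ${LAN_IF}, leaving out the udp_pkt/tcp_pkt chains (not shown in the thread) and a log_drop chain that ends in DROP are assumptions.

```python
from collections import namedtuple

LAN_IF = "eth0"   # assumed value of ${LAN_IF}; the thread never expands it
EXT_IF = "ppp0"   # external interface named in the thread

# in_if: arrival interface; state: conntrack state NEW, ESTABLISHED or RELATED
Packet = namedtuple("Packet", "in_if proto state")

# Chains as (match, target) lists; a target is ACCEPT, DROP or a user chain.
# udp_pkt/tcp_pkt are not shown in the thread, so they are left out here.
CHAINS = {
    "icmp_pkt": [
        (lambda p: p.proto == "icmp" and p.state == "NEW", "DROP"),
        (lambda p: p.proto == "icmp" and p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ],
    "log_drop": [(lambda p: True, "DROP")],  # assumed: the real chain logs, then drops
    "INPUT": [
        (lambda p: p.in_if == "lo", "ACCEPT"),
        (lambda p: p.in_if == LAN_IF, "ACCEPT"),
        (lambda p: p.proto == "icmp", "icmp_pkt"),
        (lambda p: True, "log_drop"),
    ],
}
POLICY = {"INPUT": "DROP"}

def walk(chain, pkt, trace):
    """Return ACCEPT/DROP, or None when the chain is exhausted (implicit RETURN)."""
    for match, target in CHAINS.get(chain, []):
        if not match(pkt):
            continue
        trace.append(f"{chain} -> {target}")
        if target in ("ACCEPT", "DROP"):
            return target
        v = walk(target, pkt, trace)   # jump into a user chain
        if v is not None:
            return v
    return None

def verdict(pkt):
    """Final verdict for a packet entering INPUT, plus the rules it matched."""
    trace = []
    v = walk("INPUT", pkt, trace) or POLICY["INPUT"]
    return v, trace

# The thread's cases: a LAN client pings the firewall (1), the reply to a ping
# the firewall sent to that client (2), the reply to a ping sent out ppp0 (3).
CASES = {
    "1 lan client pings firewall": Packet(LAN_IF, "icmp", "NEW"),
    "2 reply from lan client": Packet(LAN_IF, "icmp", "ESTABLISHED"),
    "3 reply from internet": Packet(EXT_IF, "icmp", "ESTABLISHED"),
    "unsolicited ping from internet": Packet(EXT_IF, "icmp", "NEW"),
}
```

Case 2 comes back ACCEPT on the first LAN rule, which matches Antony's reading that the ruleset itself cannot explain the failed ping and points at the client, where ZoneAlarm turned out to be the cause.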