On Fri, 2002-05-31 at 04:02, Claudio Mio wrote:
> I just added the following rules to my ruleset:
> 
> iptables -A INPUT -p icmp -i ${LAN_IF} -j LOG
> iptables -A OUTPUT -p icmp -o ${LAN_IF} -j LOG
> 
> Only the output rule was firing when I tried to ping my internal machine.

Now, your rule above says exactly this:

    iptables -A OUTPUT -p icmp -o ${LAN_IF} -j LOG

    Log any packet leaving $LAN_IF with protocol 1 from 
    your local machine.

> So I installed ZoneAlarm on my internal PC to see if the pings were getting
> there. And they were.

This rule does not allow or disallow something, it simply logs the
packet. The action taken depends only on the default policy of the
OUTPUT chain. If you haven't set something else, this is ACCEPT.

This is why the packets reached your internal box.

> So next I shut down ZoneAlarm and tried again to ping the internal machine
> from my firewall. And now both rules were firing.

Sure, you've sent an ICMP packet with an echo-request message to your
internal box and the box replied with echo-reply.

The first one was logged by the OUTPUT rule, the second by the INPUT
rule. Again, the above does not deny any packet, it only logs it.

> I removed the log statements and everything is working!
> What is going on?

You should read the iptables manual page! -j requires something like
DROP, ACCEPT or REJECT if you want to deny, accept, ... packets from/to
your box.

marcus
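
The pattern the reply describes, as an added example that is not part of the original thread: every LOG rule is paired with the terminating target that actually makes the decision, and the chain policies are set explicitly instead of relying on the ACCEPT default. It covers only ICMP on the LAN interface (other services and loopback are assumed to be handled elsewhere); LAN_IF and IPT are assumptions, and IPT defaults to echo so the script only prints the rules until you export IPT=iptables.

```sh
#!/bin/sh
# Added example, not from the original thread. LOG never accepts or
# drops a packet; the chain keeps going, and if nothing else matches
# the chain policy decides. So: set the policy on purpose, and follow
# each LOG rule with the target you really want.
LAN_IF="${LAN_IF:-eth1}"   # assumed name of the internal interface
IPT="${IPT:-echo}"         # dry run by default; export IPT=iptables to apply

icmp_log_then_drop() {
    # Explicit policies: no packet is accepted just because no rule matched.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback and replies to our own traffic (echo-reply to our echo-request).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The firewall may ping the LAN; the reply is matched by the state rule.
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -o "$LAN_IF" -j ACCEPT

    # LOG is non-terminating: rate-limit it, then make the decision
    # explicitly on the next line instead of leaving it to the policy.
    $IPT -A INPUT  -p icmp -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "ICMP-IN-DROP: "
    $IPT -A INPUT  -p icmp -i "$LAN_IF" -j DROP
    $IPT -A OUTPUT -p icmp -o "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "ICMP-OUT-DROP: "
    $IPT -A OUTPUT -p icmp -o "$LAN_IF" -j DROP
}

# Sanity check on the printed rule set: count LOG rules that are not
# immediately followed by a terminating target (should be 0).
unpaired_log_rules() {
    IPT=echo icmp_log_then_drop | awk '
        /-j LOG/ { pending = 1; next }
        pending && /-j (DROP|ACCEPT|REJECT)/ { pending = 0; next }
        pending { n++; pending = 0 }
        END { print n + 0 }'
}

icmp_log_then_drop
```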
