Public bug reported:
Binary package hint: iptables
Preinfo:
My testing environment is running Ubuntu Dapper Drake Server (Linux test
2.6.15-27-server #1 SMP Fri Dec 8 18:43:54 UTC 2006 i686 GNU/Linux).
The testing environment has multiple IP addresses (192.168.1.15-18); I don't know
if this is relevant for solving my problem.
My root server is running Ubuntu Dapper Drake Server (Linux server
2.6.15.7-ubuntu1 #4 Thu Dec 21 21:19:22 CET 2006 i686 GNU/Linux selfmade,
iptables support completely included).
The root server also has multiple IP addresses (I will NOT post them here).
My laptop is running Ubuntu Edgy (Linux laptop 2.6.17-10-386 #2 Tue Dec 5
22:26:18 UTC 2006 i686 GNU/Linux).
All packages are up-to-date.
I added the following rule to iptables (testing environment):
iptables -A INPUT -d 192.168.1.16 -m state --state NEW -p tcp --dport 80 -j DROP
It should block all packets from everywhere to 192.168.1.16:80.
Well, it does, but if I run nmap (without any parameters) from the laptop to
192.168.1.16, nmap says 'host seems down'. (nmap with -P0 tells me port 80 is
successfully filtered.)
After "iptables -F" everything is running well again (nmap says the host is online
and port 80 is open).
I added the same rule to the iptables of my root server and got the same
result by scanning from the laptop or the testing environment to the root
server.
Then I added the same rule to my laptop's tables and it worked. nmap
told me the host is online and port 80 is filtered.
I tried to allow all ICMP packets manually by adding
iptables -A INPUT -d 192.168.1.16 -p ICMP -j ACCEPT
but nothing happened.
iptables on all hosts got flushed before each test.
Just a test:
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
I built a new kernel on my testing environment from the 2.6.17 kernel sources
with Ubuntu patches, with full iptables support included, but the problem's
still there.
All right, I located the error. I replaced the iptables package with
Edgy's one (added edgy to sources.list and did apt-get install iptables,
to update iptables and libc6 and some other packages, which have
dependencies on iptables 1.3.5).
Affected: iptables 1.3.3-2ubuntu4, maybe <=iptables 1.3.3-2ubuntu4 (latest
Dapper release)
Unaffected: >=iptables 1.3.5.0debian1-1ubuntu2 (latest Edgy release)
After adding those Edgy packages to the Dapper system, the system got unstable,
so this bug should be fixed in the Dapper package.
** Affects: iptables (Ubuntu)
Importance: Undecided
Status: Unconfirmed
--
IPtables blocking unintentional ICMP
https://launchpad.net/bugs/77997