iptables – Handling ICMP and RELATED Packets

icmpiptables

I am using the following simple iptables rule that accepts related packets:

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I am letting ICMP echo-requests pass with this other rule:

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Should I explicitly add anything to receive "useful" ICMP messages like destination-unreachable, time-exceeded and parameter-problem, or the RELATED clause will already accept them?

Best Answer

http://www.linuxtopia.org/Linux_Firewall_iptables/x1571.html

Another hugely important part of ICMP is the fact that it is used to tell the hosts what happened to specific UDP and TCP connections or connection attempts. For this simple reason, ICMP replies will very often be recognized as RELATED to original connections or connection attempts. A simple example would be the ICMP Host unreachable or ICMP Network unreachable. These should always be spawned back to our host if it attempts an unsuccessful connection to some other host, but the network or host in question could be down, and hence the last router trying to reach the site in question will reply with an ICMP message telling us about it. In this case, the ICMP reply is considered as a RELATED packet

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Iptables allow http incoming connections, state NEW, ESTABLISHED

The former rule employs connection tracking, the latter does not. The connection tracking entries are needed for the reply packets to get through. When the connection tracking system allows a packet in that establishes a connection or logical association, an automatic, temporary reflexive rule is created to allow the reply packets out.

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Iptables allow http incoming connections, state NEW, ESTABLISHED

Related Topic