Linux – Iptables not allowing ICMP requests from remote machines

icmpiptableslinuxrouting

I've configured my linux router with the following iptables rules

iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i vmbr0 -o eth2 -j ACCEPT 
-A FORWARD -i vmbr0 -o eth1 -j ACCEPT 
-A FORWARD -i eth1 -o vmbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth2 -o vmbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT

eth1 and eth2 are wan interfaces. vmbr0 is my private network. Ping requests to eth2 ip address from a remote machine are being dropped and so are http requests.

How can I fix this?

Best Answer

It appears that every rule you have listed is an ACCEPT rule, including the defaults. From that, your configuration should not drop or deny any packet. I think your issue is elsewhere.

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Linux – Trying to make iptables stateless is causing unforeseen filtering

You have a rule which blocks all incoming traffic:

-A INPUT -j REJECT

And you stop connection tracking, so the rule to accept established connections' packets doesnt work anymore:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

So your DNS packet goes out, is not tracked, and is then rejected by the first rule.

You need to enable tracking for the second rule to work, or add rules to allow incoming traffic from "good" sources.

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Linux – Trying to make iptables stateless is causing unforeseen filtering

Related Topic