My question is related to multicasts and iptables.
I want to allow ICMP and IGMP multicasts from the local VLAN 192.168.1.0/24 as well as from 0.0.0.0 on my CentOS machine, so I added the following rules to my inbound chain:
# ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
# -- ICMP
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol icmp -j ACCEPT
iptables -A IP-INPUT -s 0.0.0.0 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol icmp -j ACCEPT
# -- IGMP
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol igmp -j ACCEPT
iptables -A IP-INPUT -s 0.0.0.0 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol igmp -j ACCEPT
I also ensured that the xt_pkttype kernel module is loaded.
But that does not seem to work … I'm getting denies:
Oct 12 09:06:22 192.168.1.102 IPTABLES: :: IN::DENY 2 0.0.0.0 ==> 224.0.0.1
I noticed that the deny line shows the protocol number (2) instead of its name (IGMP), but that does not seem to matter. If I replace --protocol igmp in the rules with --protocol 2 it's the same.
After some googling I also noticed some people do it this way, but it also does not work for me:
# ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -j ACCEPT
iptables -A IP-INPUT -s 0.0.0.0 -d 224.0.0.1 -j ACCEPT
If relevant, I use iptables version 1.4.7 on CentOS 6.3 with kernel version 2.6.32-279.19.1.el6.x86_64.
Can anybody help me? Thanks in advance!
Edit:
- The requested content of /etc/sysconfig/iptables (see below)
- Changes to the rules suggested by Michael Hampton
# Generated by iptables-save v1.4.7 on Wed Jan 16 14:33:55 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:IP-FORWARD - [0:0]
:IP-INPUT - [0:0]
:IP-OUTPUT - [0:0]
-A INPUT -j IP-INPUT
-A FORWARD -j IP-FORWARD
-A OUTPUT -j IP-OUTPUT
-A IP-FORWARD -j LOG --log-prefix "server-FORWARD: "
-A IP-FORWARD -j DROP
-A IP-INPUT -i lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT
-A IP-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p icmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -d 224.0.0.1/32 -p icmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A IP-INPUT -p icmp -f -m comment --comment "DROP fragmented icmp" -j DROP
-A IP-INPUT -p icmp -m comment --comment "ACCEPT incoming icmp" -j ACCEPT
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "DROP packets with illegal flags" -j DROP
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A IP-INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A IP-INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A IP-INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A IP-INPUT -m state --state INVALID -j LOG
-A IP-INPUT -m state --state INVALID -j DROP
-A IP-INPUT -j LOG --log-prefix "server-INPUT: "
-A IP-OUTPUT -m state --state INVALID -j LOG --log-prefix "server-OUTPUT: "
-A IP-OUTPUT -m state --state INVALID -j DROP
-A IP-OUTPUT -o lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT
-A IP-OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IP-OUTPUT -p icmp -f -m comment --comment "DROP fragmented icmp" -j DROP
-A IP-OUTPUT -p icmp -m comment --comment "ACCEPT outgoing icmp" -j ACCEPT
-A IP-OUTPUT -j LOG --log-prefix "server-OUTPUT: "
COMMIT
# Completed on Wed Jan 16 14:33:55 2013
Best Answer
You added your rules AFTER the rules which LOG and DROP your traffic. Those rules should be the last rules in the table. Just rearrange the lines so that they appear last.
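As an added example (not code from the question or from the answer above): a small Python checker for iptables-save output that reports rules shadowed by an earlier catch-all terminating rule in the same chain, plus a helper that moves such catch-alls to the end of their chain, which is what the answer advises. The dump embedded in it is constructed to reproduce the misordering described in the question (the multicast ACCEPT rules appended after an unconditional LOG and DROP in IP-INPUT); it is not the questioner's actual file.

```python
import shlex
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    chain: str
    matches: List[str]      # tokens between the chain name and -j; empty means catch-all
    target: Optional[str]   # jump target, or None for a rule without -j
    text: str               # the original "-A ..." line


# Targets that end traversal of the current chain for a matching packet.
# LOG is deliberately absent: it is non-terminating, so a catch-all LOG only
# produces a misleading "deny" line before the following rules are evaluated.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed iptables-save excerpt (not the one from the question) that
# reproduces the original mistake: the multicast ACCEPT rules were appended
# after the chain's unconditional LOG and DROP.
SAMPLE_MISORDERED = """\
*filter
:INPUT DROP [0:0]
:IP-INPUT - [0:0]
-A INPUT -j IP-INPUT
-A IP-INPUT -i lo -j ACCEPT
-A IP-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IP-INPUT -j LOG --log-prefix "server-INPUT: "
-A IP-INPUT -j DROP
-A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
COMMIT
"""


def parse_rule(line: str) -> Rule:
    """Split one '-A CHAIN ... -j TARGET ...' line into chain, match tokens and target."""
    tokens = shlex.split(line)           # honours the quoted --log-prefix / --comment values
    chain = tokens[1]
    if "-j" in tokens:
        j = tokens.index("-j")
        return Rule(chain, tokens[2:j], tokens[j + 1], line)
    return Rule(chain, tokens[2:], None, line)


def parse_rules(dump: str) -> List[Rule]:
    """Return every -A rule of an iptables-save dump, in table order."""
    return [parse_rule(l) for l in dump.splitlines() if l.startswith("-A ")]


def find_unreachable(dump: str) -> List[str]:
    """Return the rule lines that can never match: rules placed after a rule in the
    same chain that has no match criteria and a terminating target."""
    sealed: Dict[str, str] = {}          # chain name -> the catch-all rule that seals it
    unreachable: List[str] = []
    for r in parse_rules(dump):
        if r.chain in sealed:
            unreachable.append(r.text)
        elif not r.matches and r.target in TERMINATING:
            sealed[r.chain] = r.text
    return unreachable


def move_catchalls_last(dump: str) -> str:
    """Apply the answer's advice mechanically: within each chain, move every rule
    without match criteria (typically the final LOG/DROP pair) behind all rules
    that have some, keeping the relative order inside each group. Non-rule lines
    keep their positions, so the result is still valid iptables-restore input."""
    lines = dump.splitlines()
    slots: Dict[str, List[int]] = {}     # chain name -> line indexes holding its rules
    for i, line in enumerate(lines):
        if line.startswith("-A "):
            slots.setdefault(parse_rule(line).chain, []).append(i)
    for idxs in slots.values():
        rules = [parse_rule(lines[i]) for i in idxs]
        specific = [r.text for r in rules if r.matches]
        catchall = [r.text for r in rules if not r.matches]
        for i, text in zip(idxs, specific + catchall):
            lines[i] = text
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for text in find_unreachable(SAMPLE_MISORDERED):
        print("unreachable:", text)
    print(move_catchalls_last(SAMPLE_MISORDERED))
```

Run it against `iptables-save` output before loading a changed file; an empty report means no rule is dead. Review the reordered text before restoring it, because an unconditional ACCEPT early in a chain is also a catch-all and would be moved the same way. On the live system, iptables -L IP-INPUT -nv --line-numbers shows the final order together with per-rule packet counters, so a rule whose counter stays at zero while the deny lines keep appearing is the one to look at.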