Linux – Problems with multicasts in “iptables”

Tags: centos, firewall, iptables, linux, multicast

My question is related to multicasts and iptables.

I want to allow ICMP and IGMP multicasts from the local VLAN 192.168.1.0/24 as well as from 0.0.0.0 on my CentOS machine, so I added the following rules to my inbound chain:

# ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
# -- ICMP
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol icmp -j ACCEPT
iptables -A IP-INPUT -s 0.0.0.0        -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol icmp -j ACCEPT
# -- IGMP
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol igmp -j ACCEPT
iptables -A IP-INPUT -s 0.0.0.0        -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol igmp -j ACCEPT

I also ensured that the xt_pkttype kernel module is loaded.

But that does not seem to work … I'm getting denies:

Oct 12 09:06:22 192.168.1.102 IPTABLES: :: IN::DENY    2          0.0.0.0       ==>        224.0.0.1

I noticed that the deny line shows the protocol number (2) instead of its name (IGMP), but that does not seem to matter. If I replace --protocol igmp in the rules with --protocol 2 it's the same.

After some googling I also noticed some people do it this way, but it also does not work for me:

# ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -j ACCEPT
iptables -A IP-INPUT -s 0.0.0.0        -d 224.0.0.1 -j ACCEPT   

If relevant, I use iptables version 1.4.7 on CentOS 6.3 with kernel version 2.6.32-279.19.1.el6.x86_64.

Can anybody help me? Thanks in advance!

Edit:

  • The requested content of /etc/sysconfig/iptables (see below)
  • Changes to the rules suggested by Michael Hampton
# Generated by iptables-save v1.4.7 on Wed Jan 16 14:33:55 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:IP-FORWARD - [0:0]
:IP-INPUT - [0:0]
:IP-OUTPUT - [0:0]
-A INPUT -j IP-INPUT 
-A FORWARD -j IP-FORWARD 
-A OUTPUT -j IP-OUTPUT 
-A IP-FORWARD -j LOG --log-prefix "server-FORWARD: " 
-A IP-FORWARD -j DROP 
-A IP-INPUT -i lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT 
-A IP-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p icmp -m pkttype --pkt-type multicast -j ACCEPT 
-A IP-INPUT -d 224.0.0.1/32 -p icmp -m pkttype --pkt-type multicast -j ACCEPT 
-A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT 
-A IP-INPUT -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A IP-INPUT -p icmp -f -m comment --comment "DROP fragmented icmp" -j DROP 
-A IP-INPUT -p icmp -m comment --comment "ACCEPT incoming icmp" -j ACCEPT 
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "DROP packets with illegal flags" -j DROP 
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A IP-INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-A IP-INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP 
-A IP-INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP 
-A IP-INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 
-A IP-INPUT -m state --state INVALID -j LOG 
-A IP-INPUT -m state --state INVALID -j DROP 
-A IP-INPUT -j LOG --log-prefix "server-INPUT: " 
-A IP-OUTPUT -m state --state INVALID -j LOG --log-prefix "server-OUTPUT: " 
-A IP-OUTPUT -m state --state INVALID -j DROP 
-A IP-OUTPUT -o lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT 
-A IP-OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A IP-OUTPUT -p icmp -f -m comment --comment "DROP fragmented icmp" -j DROP 
-A IP-OUTPUT -p icmp -m comment --comment "ACCEPT outgoing icmp" -j ACCEPT 
-A IP-OUTPUT -j LOG --log-prefix "server-OUTPUT: " 
COMMIT
# Completed on Wed Jan 16 14:33:55 2013

Best Answer

You added your rules AFTER the rules which LOG and DROP your traffic. Those rules should be the last rules in the table. Just rearrange the lines so that they appear last.
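To make the ordering point concrete, here is a small Python model of how an iptables chain is walked: rules are tried top to bottom, LOG is non-terminating, the first ACCEPT or DROP that matches decides, and a packet that reaches the end of a user-defined chain falls back to the built-in chain's policy. This is an added example and not code from the question, the answer, or the iptables project; the chain contents mirror the question's rules, the catch-all LOG/DROP pair is the tail the answer refers to, and the packet is the one from the question's deny line (protocol 2, 0.0.0.0 to 224.0.0.1). The helper names (`evaluate`, `catch_all_last`, the `Rule` and `Packet` classes) are this example's own, not iptables terminology.

```python
"""Added example: first-match evaluation of an iptables chain, modelled in Python.

Not iptables code; the rule sets below are constructed from the question's rules
so that the effect of appending ACCEPT rules after a LOG/DROP tail is visible.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP, IGMP, TCP = 1, 2, 6  # IP protocol numbers, as -p icmp / -p igmp / -p tcp resolve them


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" and "DROP" terminate; "LOG" does not
    src: Optional[str] = None    # the -s argument; None means "any source"
    dst: Optional[str] = None    # the -d argument; None means "any destination"
    proto: Optional[int] = None  # the -p argument; None means "any protocol"
    log_prefix: str = ""         # --log-prefix, used by LOG rules only

    def matches(self, pkt: Packet) -> bool:
        # A bare host address gets a /32 mask, as iptables gives it, so
        # "-s 0.0.0.0" only matches packets whose source really is 0.0.0.0.
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return self.proto is None or self.proto == pkt.proto


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom and return (verdict, log lines produced)."""
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(f"{rule.log_prefix}proto={pkt.proto} {pkt.src} => {pkt.dst}")
            continue  # LOG records the packet and evaluation carries on
        return rule.target, logged  # ACCEPT or DROP: first match wins
    return policy, logged  # no terminating match: the built-in chain's policy applies


def catch_all_last(chain: List[Rule]) -> List[Rule]:
    """The answer's fix: move unconditional rules (no -s/-d/-p) to the end, order preserved."""
    unconditional = [r for r in chain if r.src is None and r.dst is None and r.proto is None]
    specific = [r for r in chain if r not in unconditional]
    return specific + unconditional


# The four ACCEPT rules from the question.
MULTICAST_RULES = [
    Rule("ACCEPT", src="192.168.1.0/24", dst="224.0.0.1", proto=ICMP),
    Rule("ACCEPT", src="0.0.0.0", dst="224.0.0.1", proto=ICMP),
    Rule("ACCEPT", src="192.168.1.0/24", dst="224.0.0.1", proto=IGMP),
    Rule("ACCEPT", src="0.0.0.0", dst="224.0.0.1", proto=IGMP),
]

# The LOG-then-DROP tail that the answer says the rules were appended after.
CATCH_ALL = [
    Rule("LOG", log_prefix="IPTABLES: :: IN::DENY "),
    Rule("DROP"),
]

# What "iptables -A" yields when the catch-all is already in the chain ...
APPENDED_AFTER_DENY = CATCH_ALL + MULTICAST_RULES
# ... and the arrangement the answer asks for.
DENY_LAST = MULTICAST_RULES + CATCH_ALL

# Constructed packet matching the question's deny line.
IGMP_QUERY = Packet("0.0.0.0", "224.0.0.1", IGMP)


if __name__ == "__main__":
    for name, chain in (("appended after deny", APPENDED_AFTER_DENY), ("deny last", DENY_LAST)):
        verdict, logs = evaluate(chain, IGMP_QUERY)
        print(f"{name:20s} -> {verdict}  logs={logs}")
    print("reordered == DENY_LAST:", catch_all_last(APPENDED_AFTER_DENY) == DENY_LAST)
```

Running it shows the same packet being logged and dropped in the first arrangement and accepted silently in the second, with nothing else changed. The same first-match walk also explains why a packet from an address outside the VLAN still ends up at the LOG/DROP tail in the corrected chain: only rule order moved, not what each rule matches.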
