-
March 6th, 2003, 05:08 PM
#1
Junior Member
My ICMP Chain for IPTABLES
Got this from a friend some time ago ... works wonders!
IPT="/sbin/iptables"
# Create a user-defined chain called ICMP. On its own it does nothing: INPUT
# (or FORWARD) must jump to it, e.g. $IPT -A INPUT -p icmp -j ICMP
$IPT -N ICMP
$IPT -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
# Type 3 with any code. iptables stops at the first match, so this rule
# decides every destination-unreachable packet and the per-code rules that
# follow it (including the fragmentation-needed DROP) are never reached.
$IPT -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type network-unreachable -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type host-unreachable -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type protocol-unreachable -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
# Type 3 code 4; shadowed by the rule above, so in practice it is accepted,
# which is what Path MTU Discovery needs.
$IPT -A ICMP -p icmp --icmp-type fragmentation-needed -j DROP
$IPT -A ICMP -p icmp --icmp-type source-route-failed -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type network-unknown -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type host-unknown -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type network-prohibited -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type host-prohibited -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type TOS-network-unreachable -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type communication-prohibited -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type host-precedence-violation -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type precedence-cutoff -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type source-quench -j DROP
# Type 5 with any code; the four per-code redirect rules below are shadowed
# by this one in the same way.
$IPT -A ICMP -p icmp --icmp-type redirect -j DROP
$IPT -A ICMP -p icmp --icmp-type network-redirect -j DROP
$IPT -A ICMP -p icmp --icmp-type host-redirect -j DROP
$IPT -A ICMP -p icmp --icmp-type TOS-network-redirect -j DROP
$IPT -A ICMP -p icmp --icmp-type TOS-host-redirect -j DROP
# Type 8: the host will not answer ping.
$IPT -A ICMP -p icmp --icmp-type echo-request -j DROP
$IPT -A ICMP -p icmp --icmp-type router-advertisement -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type router-solicitation -j ACCEPT
# Type 11 with any code; the two per-code rules below are shadowed.
$IPT -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j ACCEPT
# Type 12 with any code; the two per-code rules below are shadowed.
$IPT -A ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type ip-header-bad -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type required-option-missing -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type timestamp-request -j DROP
$IPT -A ICMP -p icmp --icmp-type timestamp-reply -j ACCEPT
$IPT -A ICMP -p icmp --icmp-type address-mask-request -j DROP
$IPT -A ICMP -p icmp --icmp-type address-mask-reply -j ACCEPT
# Catch-all: any ICMP type not listed above is dropped.
$IPT -A ICMP -p icmp -j DROP
-
March 6th, 2003, 05:22 PM
#2
Wow, that accepts a lot of stuff that I wouldn't want my system to see or possibly respond to..
I've been living with..
# Assumed definitions (not in the original post): the iptables binary and
# the Internet-facing interface the rules are bound to.
TABLES="/sbin/iptables"
OUT_IF="eth0"
# -A appends, -I inserts at the top, so the effective INPUT order is the
# reverse of the typing order: INVALID drop, type 11, type 3, type 0 accepted,
# then everything else dropped.
$TABLES -A INPUT -p icmp -i $OUT_IF -j DROP
$TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 0 -j ACCEPT
$TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 3 -j ACCEPT
$TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 11 -j ACCEPT
$TABLES -I INPUT -p icmp -m state --state INVALID -j DROP
and haven't had an issue yet.
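As an added example (not code from either poster), the following first-match evaluator models how iptables walks an ICMP chain and uses it to compare the two rule sets above: which named types each one lets through, and which rules in the first chain can never match because an earlier, broader rule already decides the packet. The name-to-type/code table is the one `iptables -p icmp -h` prints. The conntrack `INVALID` rule and the `-i $OUT_IF` interface match from post #2 are assumed out of scope and are not modelled.

```python
# Added example: first-match simulation of the two ICMP chains in the thread.
# Not the posters' code; conntrack state and interface matches are ignored.

# iptables --icmp-type names -> (type, code); code None means "any code".
ICMP_TYPES = {
    "echo-reply": (0, None), "destination-unreachable": (3, None),
    "network-unreachable": (3, 0), "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2), "port-unreachable": (3, 3),
    "fragmentation-needed": (3, 4), "source-route-failed": (3, 5),
    "network-unknown": (3, 6), "host-unknown": (3, 7),
    "network-prohibited": (3, 9), "host-prohibited": (3, 10),
    "TOS-network-unreachable": (3, 11), "TOS-host-unreachable": (3, 12),
    "communication-prohibited": (3, 13), "host-precedence-violation": (3, 14),
    "precedence-cutoff": (3, 15), "source-quench": (4, None),
    "redirect": (5, None), "network-redirect": (5, 0), "host-redirect": (5, 1),
    "TOS-network-redirect": (5, 2), "TOS-host-redirect": (5, 3),
    "echo-request": (8, None), "router-advertisement": (9, None),
    "router-solicitation": (10, None), "time-exceeded": (11, None),
    "ttl-zero-during-transit": (11, 0), "ttl-zero-during-reassembly": (11, 1),
    "parameter-problem": (12, None), "ip-header-bad": (12, 0),
    "required-option-missing": (12, 1), "timestamp-request": (13, None),
    "timestamp-reply": (14, None), "address-mask-request": (17, None),
    "address-mask-reply": (18, None),
}
ANY = (None, None)  # a rule with no --icmp-type matches every ICMP packet


def spec(icmp_type):
    """Accept a name from ICMP_TYPES, a bare numeric type, or a (type, code)."""
    if isinstance(icmp_type, str):
        return ICMP_TYPES[icmp_type]
    if isinstance(icmp_type, int):
        return (icmp_type, None)
    return icmp_type


def matches(rule_spec, icmp_type, code):
    t, c = rule_spec
    return (t is None or t == icmp_type) and (c is None or c == code)


def verdict(chain, icmp_type, code=0):
    """iptables semantics: the target of the first matching rule wins."""
    for rule_spec, target in chain:
        if matches(rule_spec, icmp_type, code):
            return target
    return "RETURN"  # end of a user chain falls back to the calling chain


def shadowed_rules(chain):
    """Indices of rules that can never fire: every (type, code) they would
    match is already decided by some earlier rule. Types 0-39 and codes 0-15
    cover every value in ICMP_TYPES."""
    dead = []
    for i, (rule_spec, _) in enumerate(chain):
        t, c = rule_spec
        types = range(40) if t is None else [t]
        codes = range(16) if c is None else [c]
        if all(any(matches(prev, ty, co) for prev, _ in chain[:i])
               for ty in types for co in codes):
            dead.append(i)
    return dead


# Post #1 lists one rule per name, in the same order as ICMP_TYPES above,
# dropping exactly these names, then a catch-all DROP.
POST1_DROPS = {"fragmentation-needed", "source-quench", "redirect",
               "network-redirect", "host-redirect", "TOS-network-redirect",
               "TOS-host-redirect", "echo-request", "timestamp-request",
               "address-mask-request"}


def post1_chain():
    chain = [(s, "DROP" if name in POST1_DROPS else "ACCEPT")
             for name, s in ICMP_TYPES.items()]
    chain.append((ANY, "DROP"))
    return chain


def post2_chain():
    # -A then three -I inserts: effective order is 11, 3, 0, then drop all.
    return [(spec(11), "ACCEPT"), (spec(3), "ACCEPT"), (spec(0), "ACCEPT"),
            (ANY, "DROP")]


def compare(chain_a, chain_b):
    """Named ICMP types whose verdict differs between two chains."""
    diff = {}
    for name, (t, c) in ICMP_TYPES.items():
        a, b = verdict(chain_a, t, c or 0), verdict(chain_b, t, c or 0)
        if a != b:
            diff[name] = (a, b)
    return diff


if __name__ == "__main__":
    p1, p2 = post1_chain(), post2_chain()
    print("fragmentation-needed in post #1:", verdict(p1, 3, 4))
    print("shadowed rules in post #1:", shadowed_rules(p1))
    for name, (a, b) in compare(p1, p2).items():
        print(f"{name:28} post#1={a:6} post#2={b}")
```

Running it shows the practical consequence of first-match ordering: post #1's `fragmentation-needed -j DROP` is one of 23 rules that can never fire, so both chains actually accept type 3 code 4 and Path MTU Discovery keeps working; the real difference is that post #2 also drops router advertisements and solicitations, parameter-problem, timestamp-reply and address-mask-reply.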
-
March 6th, 2003, 05:29 PM
#3
Junior Member
It's all preference!