Results 1 to 3 of 3

Thread: My ICMP Chain for IPTABLES

  1. March 6th, 2003, 05:08 PM #1
    wrightmf
    wrightmf is offline
    Junior Member
    Join Date
    Mar 2003
    Posts
    10

    My ICMP Chain for IPTABLES

    Got this from a friend some time ago ... works wonders!


    IPT="/sbin/iptables"

    $IPT -N ICMP
    $IPT -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type network-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type host-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type protocol-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type fragmentation-needed -j DROP
    $IPT -A ICMP -p icmp --icmp-type source-route-failed -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type network-unknown -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type host-unknown -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type network-prohibited -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type host-prohibited -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type TOS-network-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type communication-prohibited -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type host-precedence-violation -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type precedence-cutoff -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type source-quench -j DROP
    $IPT -A ICMP -p icmp --icmp-type redirect -j DROP
    $IPT -A ICMP -p icmp --icmp-type network-redirect -j DROP
    $IPT -A ICMP -p icmp --icmp-type host-redirect -j DROP
    $IPT -A ICMP -p icmp --icmp-type TOS-network-redirect -j DROP
    $IPT -A ICMP -p icmp --icmp-type TOS-host-redirect -j DROP
    $IPT -A ICMP -p icmp --icmp-type echo-request -j DROP
    $IPT -A ICMP -p icmp --icmp-type router-advertisement -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type router-solicitation -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type ip-header-bad -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type required-option-missing -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type timestamp-request -j DROP
    $IPT -A ICMP -p icmp --icmp-type timestamp-reply -j ACCEPT
    $IPT -A ICMP -p icmp --icmp-type address-mask-request -j DROP
    $IPT -A ICMP -p icmp --icmp-type address-mask-reply -j ACCEPT
    $IPT -A ICMP -p icmp -j DROP
    PGP Public Key
    Reply With Quote Reply With Quote
  2. March 6th, 2003, 05:22 PM #2
    g00n
    g00n is offline
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    wow, that accepts alot of stuff that i wouldn't want my system to see or possibly respond to..

    i've been living with..

    $TABLES -A INPUT -p icmp -i $OUT_IF -j DROP
    $TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 0 -j ACCEPT
    $TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 3 -j ACCEPT
    $TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 11 -j ACCEPT
    $TABLES -I INPUT -p icmp -m state --state INVALID -j DROP


    and havn't had an issue yet.
    Reply With Quote Reply With Quote
  3. March 6th, 2003, 05:29 PM #3
    wrightmf
    wrightmf is offline
    Junior Member
    Join Date
    Mar 2003
    Posts
    10
    It's all preference!
    PGP Public Key
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules