On Mon, 16 Jul 2001, William Jensen wrote:

> I've set up a fairly restrictive set of rules for iptables and have been,
> up to this point, extremely satisfied with its performance. However,
> I've recently started having some significant issues with my cable modem
> provider and they routinely want to ping and traceroute to my machine.
> This requires me to take down my firewall and wait for them to finish,
> then put it back up. I'd like to make, as part of my rule set, ping and
> traceroute able to get through. So far I've done this for my input chain
> for ping
>
> -A INPUT -p icmp -j ACCEPT

Hi,

I have a pretty good firewall script, they use these rules for ping request:

# icmp types
#  0 = echo reply              needed by ping
#  3 = destination-unreachable needed by any TCP/UDP traffic
#  5 = redirect                needed by routing if not running routing daemon
#  8 = echo-request            needed by ping
# 11 = time-exceeded           needed by traceroute
#
# This will also protect you against the ping-of-death
# ($extif / $extip = external interface and address; 0/0 = any address)
iptables -A INPUT  -i $extif -p icmp --icmp-type 0  -s 0/0    -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A INPUT  -i $extif -p icmp --icmp-type 3  -s 0/0    -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A INPUT  -i $extif -p icmp --icmp-type 8  -s 0/0    -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A INPUT  -i $extif -p icmp --icmp-type 11 -s 0/0    -d $extip -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 3  -s $extip -d 0/0    -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 8  -s $extip -d 0/0    -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 0  -s $extip -d 0/0    -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 11 -s $extip -d 0/0    -m limit --limit 1/s -j ACCEPT
# Accept redirect icmp packets
iptables -A INPUT  -i $extif -p icmp --icmp-type 5  -s 0/0    -d $extip -m limit --limit 1/s -j ACCEPT

Hope this helps.

Greetz,
Sebastiaan
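The following is an added example, not Sebastiaan's script and not William's rule set. It shows a stateful variant of the same idea: let the provider's ping and traceroute reach the host while the rest of the firewall stays up, and rate-limit and log the unsolicited echo-requests instead of letting a flood through. It assumes an external interface and address passed in as arguments (the $extif/$extip of the post), that classic UDP traceroute probes arrive on destination ports 33434 and up (a constructed port range, 33434:33523, covers 30 hops x 3 probes), and that the variable IPT names the iptables binary; by default IPT is "echo iptables", so the script only prints the rules it would add. Set IPT=iptables and run it as root to actually load them.

```shell
#!/bin/sh
# Added example (not from the list post): emit the ICMP rules that let ping and
# traceroute reach this host without taking the firewall down.
# Assumptions (not in the original): EXTIF/EXTIP come in as $1/$2, the classic
# traceroute UDP port range is 33434:33523, and IPT selects dry-run vs. apply.

icmp_rules() {
    extif="$1"
    extip="$2"
    ipt="${IPT:-echo iptables}"   # "echo iptables" = dry run, "iptables" = apply

    # Replies to our own pings/traceroutes and ICMP errors that belong to an
    # existing connection (types 0, 3, 11) are matched by conntrack, so one
    # stateful rule covers them on INPUT.
    $ipt -A INPUT -i "$extif" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Unsolicited echo-request (type 8) is what the provider's ping sends.
    # Accept at most 1/s with a burst of 5; log and drop what exceeds the limit
    # so a flood shows up in the logs instead of in CPU time.
    $ipt -A INPUT -i "$extif" -p icmp --icmp-type echo-request -d "$extip" \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    $ipt -A INPUT -i "$extif" -p icmp --icmp-type echo-request -d "$extip" \
        -j LOG --log-prefix "ICMP-ECHO-LIMIT: "
    $ipt -A INPUT -i "$extif" -p icmp --icmp-type echo-request -d "$extip" -j DROP

    # A traceroute toward this host ends with a UDP probe to a closed high port;
    # the kernel only answers with port-unreachable if that probe is let in.
    # Assumed port range: classic traceroute starts at 33434, one port per probe.
    $ipt -A INPUT -i "$extif" -p udp --dport 33434:33523 -d "$extip" \
        -m limit --limit 3/s -j ACCEPT

    # What we send back: echo-reply for ping, port-unreachable for the last
    # traceroute hop, time-exceeded when forwarding for others. Without these
    # OUTPUT rules the provider's traceroute shows "* * *" at the final hop.
    $ipt -A OUTPUT -o "$extif" -p icmp --icmp-type echo-reply -s "$extip" -j ACCEPT
    $ipt -A OUTPUT -o "$extif" -p icmp --icmp-type destination-unreachable -s "$extip" -j ACCEPT
    $ipt -A OUTPUT -o "$extif" -p icmp --icmp-type time-exceeded -s "$extip" -j ACCEPT

    # Every other ICMP from outside is dropped, including redirects (type 5),
    # which the post accepts but which can rewrite the host's routing table.
    $ipt -A INPUT -i "$extif" -p icmp -j DROP
}

# Stand-alone run: constructed interface/address, dry run unless IPT=iptables.
icmp_rules "${EXTIF:-eth0}" "${EXTIP:-192.0.2.10}"
```

Run it once with the default dry run, check the printed rules against the existing script, then rerun as root with IPT=iptables. The stateful INPUT rule replaces the four per-type INPUT rules in the post, and the UDP probe rule is the piece most such scripts forget: with it dropped, ping works but the provider's traceroute never completes.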