Re: Writing firewall rules with iptables
- From: John-Paul Stewart <jpstewart@xxxxxxxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 10:29:42 -0500
bzaman.laskar@xxxxxxxxx wrote:

Hi All,

I am writing firewall rules using iptables to allow ICMP traffic from 211.xxx.117.211 to 211.41.125.4 and vice versa. For this I have written rules 2 and 3. But after writing the rules I cannot ping from either end. But if I stop the firewall, it pings. That means the network is O.K. but there is some problem with the rules that I have written.

Please tell me how to write the rule correctly.
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     icmp --  211.xxx.117.211      211.41.125.4
ACCEPT     icmp --  211.41.125.4         211.xxx.117.211
ACCEPT     icmp --  211.xxx.117.0/24     211.xxx.117.211
ACCEPT     tcp  --  211.xxx.117.0/28     211.xxx.117.211      tcp dpt:22
ACCEPT     udp  --  211.xxx.117.211      211.41.99.3          udp dpt:53
ACCEPT     udp  --  211.41.99.3          211.xxx.117.211      udp spt:53
ACCEPT     tcp  --  211.xxx.117.211      0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            211.xxx.117.211      tcp spt:80
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
The INPUT rules tell the firewall to accept ICMP packets for 211.xxx.117.211 and 211.41.125.4. Unless the firewall machine is at both of those addresses that's not what you want. By the sounds of it, you want to FORWARD those packets---you want your firewall to pass the packets between the two hosts/networks. Move your rules from the INPUT to the FORWARD chains.
Remember that the iptables ACCEPT chain is used to accept/reject packets destined for the machine running iptables. The FORWARD chain is used to control the passing of packets from one network to another.
BTW, you might want to re-think the default policy of accepting everything on those chains, too! As it is now, your firewall will FORWARD anything.
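The point of the reply, as an added illustration that is not part of the thread: which filter chain a packet traverses depends only on whether the firewall box itself is the destination (INPUT), the source (OUTPUT), or neither (FORWARD). The two functions below are constructed for this note, not the poster's or the list's code. `chain_for_packet` applies that rule to a packet given the firewall's own addresses, and `forward_ruleset` prints (without applying) the poster's two ICMP rules re-homed in FORWARD with a DROP policy on that chain, which is the other change the reply asks for. All addresses are constructed placeholders from the RFC 5737 documentation ranges, not the poster's 211.x.x.x hosts; the poster's existing INPUT rules for SSH, DNS and HTTP are left alone and not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original list thread.
#   chain_for_packet -- which iptables filter chain a packet hits on the firewall
#   forward_ruleset  -- the two ICMP rules placed in FORWARD, with FORWARD set to DROP
# Addresses used below are constructed placeholders (RFC 5737 ranges).

# chain_for_packet FW_ADDRS SRC DST
# FW_ADDRS is a space-separated list of the firewall's own IPv4 addresses.
# Prints INPUT when the packet is addressed to the firewall itself, OUTPUT when
# the firewall generated it, and FORWARD when it merely transits the box.
# (FORWARD is only reached if net.ipv4.ip_forward is 1 on the firewall.)
chain_for_packet() {
    fw_addrs=$1; src=$2; dst=$3
    for a in $fw_addrs; do
        [ "$dst" = "$a" ] && { echo INPUT; return 0; }
    done
    for a in $fw_addrs; do
        [ "$src" = "$a" ] && { echo OUTPUT; return 0; }
    done
    echo FORWARD
}

# forward_ruleset HOST_A HOST_B
# Prints the iptables commands that let HOST_A and HOST_B ping each other
# through the firewall while every other transiting packet is dropped.
# Nothing is applied; pipe the output to sh on the firewall to apply it.
# Only echo-request is opened explicitly; the echo-reply coming back is
# admitted by the conntrack ESTABLISHED,RELATED rule, so no reverse rule
# per direction is needed beyond the two request rules.
forward_ruleset() {
    host_a=$1; host_b=$2
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -s $host_a -d $host_b -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -s $host_b -d $host_a -j ACCEPT
EOF
}

# Usage (prints the rules; nothing is applied):
#   forward_ruleset 192.0.2.10 198.51.100.4
#   chain_for_packet "203.0.113.1 192.0.2.1" 192.0.2.10 198.51.100.4   # FORWARD
```

Run `chain_for_packet` with the firewall's real interface addresses and the two endpoints from the thread, and it reports FORWARD for a ping between them, which is exactly why rules in INPUT never matched. After applying a ruleset like this, `iptables -L FORWARD -n -v` shows the packet counters on the two ICMP rules climbing while the ping runs; if they stay at zero, check `sysctl net.ipv4.ip_forward` first.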