Re: IPTABLES MASQUERADE - WAN is OK but no LAN traffic...



On 30 Aug 2006 08:28:05 -0700, wisptech@xxxxxxxxx wrote:

Thank you, everyone who gave input... I got it working... Had some bad
rules in the firewall...

# echo-requests arriving on Ethernet0, accepted up to 10/s (burst 10)
iptables -A FORWARD -i Ethernet0 -m limit --limit 10/s \
--limit-burst 10 -p icmp --icmp-type echo-request -j ACCEPT

# echo-requests leaving via Ethernet0, accepted up to 5/s (burst 30)
iptables -A FORWARD -o Ethernet0 -m limit --limit 5/s \
--limit-burst 30 -p icmp --icmp-type echo-request -j ACCEPT

# every other ICMP packet reaching this point in FORWARD (echo-reply,
# unreachable, time-exceeded, and echo-requests over the limit) is dropped
iptables -A FORWARD -p icmp -j DROP

As soon as I commented these out, everything started working. Anybody
know why these would cause the traffic to stop completely when they are
just supposed to limit icmp echo-requests?

You don't drop or limit ICMPs -- they're a vital part of TCP/IP
networking. Also make sure the first rules for INPUT and FORWARD
are something like these:

MSTATE="--match state --state"
....
iptables -A INPUT -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT

Apply rate limiting when starting NEW connections, not to the control
traffic. An example:

filter_traceroute_requests()
{
    # traceroute probes (UDP to $TRPORT): log and accept at most 1/sec, burst 10.
    # TRPORT, MLIMIT, LOGGED and PREFIX are set earlier in the full script
    # (see the ruleset link below), not in this excerpt.
    iptables -A INPUT -p udp --dport $TRPORT \
        $MLIMIT 1/sec --limit-burst 10 \
        -j $LOGGED "$PREFIX:inp:accept trace "
    iptables -A INPUT -p udp --dport $TRPORT \
        $MLIMIT 1/sec --limit-burst 10 -j ACCEPT
}

See also: <http://bugsplatter.mine.nu/junkview/iptables-save> for current
router firewall ruleset.

Grant.
--
http://bugsplatter.mine.nu/
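Putting the two points of the reply together (ESTABLISHED,RELATED accepted first, rate limiting applied only to NEW echo-requests, and no blanket ICMP drop), here is an added example of a FORWARD chain for a masquerading router. It is not Grant's ruleset or the original poster's rules. It assumes eth0 is the WAN interface and eth1 the LAN, that the state match is available, and that the nat POSTROUTING MASQUERADE rule is set up elsewhere; IPT, WAN and LAN are the example's own variables. Running it with the argument dry-run (or setting IPT=echo) prints the rules instead of loading them, which is also a way to eyeball the ordering without root.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread.
# Assumptions: WAN is eth0, LAN is eth1, the state (conntrack) match is loaded,
# MASQUERADE in nat/POSTROUTING is configured separately.
# Set IPT=echo (or pass "dry-run") to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
MSTATE="--match state --state"
MLIMIT="--match limit --limit"

forward_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # 1. Control traffic first. Replies to existing flows and RELATED ICMP
    #    errors (destination-unreachable including fragmentation-needed,
    #    time-exceeded) are accepted here, so no later ICMP rule can eat them.
    $IPT -A FORWARD -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT

    # 2. Rate-limit only NEW echo-requests leaving the LAN: the token bucket
    #    refills at 5/s and holds a burst of 30.
    $IPT -A FORWARD -i $LAN -o $WAN -p icmp --icmp-type echo-request \
        $MSTATE NEW $MLIMIT 5/s --limit-burst 30 -j ACCEPT

    # 3. Echo-requests over the limit are dropped by type. Never use a bare
    #    "-p icmp -j DROP" here: it would also catch the ICMP errors that
    #    rule 1 relies on whenever that rule is missing or placed later.
    $IPT -A FORWARD -i $LAN -o $WAN -p icmp --icmp-type echo-request -j DROP

    # 4. Anything else the LAN starts goes out; unsolicited WAN->LAN traffic
    #    falls through to the DROP policy.
    $IPT -A FORWARD -i $LAN -o $WAN $MSTATE NEW -j ACCEPT
}

case "${1:-}" in
    apply)   forward_rules ;;
    dry-run) IPT=echo; forward_rules ;;
    *)       ;;   # no argument: only define the function
esac
```

The order inside the chain is the whole point: rule 1 matches echo-replies and ICMP errors before the limit or the drop in rules 2 and 3 can see them, so a burst of pings from the LAN only throttles new pings and never stalls established TCP sessions that depend on fragmentation-needed messages. On current kernels `-m conntrack --ctstate` can be used in place of `-m state --state`; the semantics are the same.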