Another update to myself and others that may want this information: This
update concerns traceroute. If I added the following rules I can now
traceroute to anywhere, but traceroutes to me fail:

$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT

Again, the same question goes out to those of you more familiar with
iptables: did I mistakenly leave myself open here?

Bill

On Sun, Oct 01, 2000 at 04:04:36PM -0500, William Jensen wrote:
> An update to myself...in case others are having this problem:
>
> I added the following rule to my script:
>
> $IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
>
> My understanding is now the box will accept 'echo replies' that I would
> generate by 'ping debian.org'. I then went to another pc on the net and
> tried to ping my own box and it still just drops the packets. (which I
> want) Can anyone see anything wrong with what I've done?
>
>
> On Sun, Oct 01, 2000 at 01:47:48PM -0500, William Jensen wrote:
> > I think it's my firewall blocking them going _out_ because when I take
> > the firewall offline both ping and traceroute work fine. Ping works on
> > localhost, though traceroute does not when the firewall is up.
> > Unfortunately I am too new at both debian and firewalling to know where
> > I went wrong. I'm trying to set it up so I can ping and traceroute to
> > other boxes but other 'bad' boxes can't do it to me. What information
> > can I follow this msg up with that will be helpful?
> >
> > I call the firewall from /etc/rc2.d/S90firewall_up which is just a sym
> > link to /etc/init.d/firewall_up.
> >
> > On a side note, when I added the logging line:
> >
> > $IPT -A Firewall -j LOG --log-level info --log-prefix "Firewall:"
> >
> > It produces a TON of the following as fast as it can put them in the
> > log file. How do I read this and even more importantly how can I make
> > it log the "rejects" properly so that I can actually catch people
> > trying to scan the box etc.
> >
> > Oct 1 13:28:11 stimpy kernel: Firewall:IN=eth0 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:20:78:cb:ce:05:08:00 SRC=0.0.0.0
> > DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=68
> > DPT=67 LEN=556
> >
> > If it would help I can attach the actual firewall script.
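The log line quoted in the thread is a DHCP client broadcast (SRC 0.0.0.0 to 255.255.255.255, UDP port 68 to 67), i.e. LAN noise rather than a scan. As an added example that is not part of the original posts, the following Python parses LOG-target lines of that format (the MAC= field is the raw 14-byte Ethernet header and LEN appears twice, once for IP and once for the transport payload) and tags the DHCP noise apart from an inbound connection attempt; the second sample line and its addresses are constructed.

```python
import re

# Constructed sample modelled on the kernel LOG output quoted in the post: the
# first line is the DHCP client broadcast from the message, the second is a
# made-up inbound TCP SYN to port 23 so the parser also has a non-noise case.
SAMPLE_LOG = """\
Oct  1 13:28:11 stimpy kernel: Firewall:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:78:cb:ce:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=68 DPT=67 LEN=556
Oct  1 13:30:02 stimpy kernel: Firewall:IN=eth0 OUT= MAC=00:20:78:cb:ce:05:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40213 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", then the --log-prefix text up to the first IN=
HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?)(?=IN=)")


def parse_log_line(line):
    """Turn one LOG-target line into a dict. Tokens after the prefix are
    KEY=VALUE pairs; bare tokens (DF, SYN, ACK) are flags. LEN appears twice,
    IP total length then UDP/ICMP length, so the repeat is stored as L4_LEN."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a kernel LOG line: %r" % line)
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"], "flags": []}
    for tok in line[m.end():].split():
        if "=" not in tok:
            rec["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        rec["L4_" + key if key in rec else key] = val
    # MAC= is the raw 14-byte Ethernet header: dst MAC(6) src MAC(6) ethertype(2).
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:])
    return rec


def classify(rec):
    """Label a record so routine LAN noise can be separated from probes."""
    if rec.get("PROTO") == "UDP" and rec.get("SPT") == "68" and rec.get("DPT") == "67":
        return "dhcp-client-broadcast"
    if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "inbound-tcp-connect-attempt port %s" % rec["DPT"]
    return "other"


def summarize(log_text):
    """Return (classification, SRC, DST) for every LOG line in log_text."""
    return [(classify(r), r["SRC"], r["DST"]) for r in map(parse_log_line, log_text.splitlines())]
```

Feeding the real log file through summarize() shows at a glance which entries are the DHCP broadcast and which are connection attempts worth looking at.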