ICMP Problems with ipchains-fw

I am attempting to run a firewall (ipchains) that blocks all incoming ICMP packets from foreign IPs, but I want to allow all packets that originate from behind my firewall back into the system where they originated from. So if I wanted to ping, let's say, www.yahoo.com I would be able to get a ping reply packet back, but if someone at www.yahoo.com attempted to ping me they wouldn't get a reply packet back. Currently I have the following rules added.

ipchains -A input -p icmp -s 0.0.0.0/0 -j DENY  <-this rule blocks all ICMP, and I mean all ICMP packets.  Incoming & outgoing.
jamesg asked:
frugal commented:
The problem is that a ping reply doesn't originate from your network, which is why it's being blocked. What you want to do is set up rules in the following order (and the order is important):

1. Allow all ICMP traffic from IPs you trust (like your local LAN). This is only necessary if you want to be able to ping the box from your network.

2. Allow ICMP replies from anywhere. This allows replies to come in.

3. Deny all ICMP traffic. This blocks any other ICMP traffic. Because the rules are applied in order, local ICMP traffic and ICMP replies will have already been let through.

An ICMP reply is type 0 (echo-reply). You will probably also want to allow type 3 (destination-unreachable), 5 (redirect), and 11 (time-exceeded).
frugal commented:
Oops, just did some double-checking and found out that you might want to disable redirects after all as they can be used to manipulate your routing (although any decent stack will have safeguards for this).
jamesg (author) commented:
I understand the theory of what to do with the ICMP packets. I don't know how to apply it to IPCHAINS itself, that's what I really need help with.

Thanks for the help though.

RobWMartin commented:
ipchains -A input -p icmp -i ext_if_device_name -s 0.0.0.0/0 8 -j DENY  

The 8 (ICMP echo request type number) is all you needed for fully specifying the source portion of an undesirable packet.  You need the -i ext_if_device_name (e.g. eth1) or your internal hosts will be excluded also.
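The allow-before-deny ordering frugal lays out (with redirects left out per the follow-up) combined with the interface restriction RobWMartin points to, written as a loadable ipchains ruleset. This is an added example, not code posted by anyone in the thread; it assumes eth1 as the external interface and 192.168.0.0/24 as the LAN, both placeholders you would replace.

```shell
#!/bin/sh
# Added example (not from the thread): frugal's three-step ordering written
# as ipchains input-chain rules. Assumptions: external interface eth1,
# internal LAN 192.168.0.0/24; override with EXT_IF and LAN.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # set IPCHAINS=echo to preview rules
EXT_IF="${EXT_IF:-eth1}"                 # assumed external interface
LAN="${LAN:-192.168.0.0/24}"             # assumed internal network

# Print the ruleset, one "ipchains <args>" argument string per line, in the
# order it must be appended. ipchains reads the ICMP type as the "port"
# that follows the -s address (the same form RobWMartin uses above).
icmp_rules() {
    # 1. Trusted LAN may send any ICMP, so the box can still be pinged from inside.
    echo "-A input -p icmp -s $LAN -j ACCEPT"
    # 2. Replies to our own probes, from anywhere: echo-reply (0),
    #    destination-unreachable (3), time-exceeded (11). Redirect (5) is
    #    deliberately left out, following frugal's correction.
    for t in 0 3 11; do
        echo "-A input -p icmp -s 0.0.0.0/0 $t -j ACCEPT"
    done
    # 3. Any other ICMP arriving on the external interface is dropped.
    #    Restricting to -i keeps loopback and internal interfaces unaffected.
    echo "-A input -p icmp -i $EXT_IF -s 0.0.0.0/0 -j DENY"
}

# Append the rules in order. -A preserves order, which is what makes the
# allow-before-deny logic work; a reordered list silently breaks it.
load_icmp_rules() {
    icmp_rules | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        $IPCHAINS $rule || exit 1
    done
}

# Apply for real with: sh icmp-rules.sh --load   (preview: IPCHAINS=echo sh icmp-rules.sh --load)
case "${1:-}" in --load) load_icmp_rules ;; esac
```

Check the result with `ipchains -L input -n`: the ACCEPT lines must be listed above the DENY line, otherwise the replies never get through.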

trentpack commented:
I used http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html and http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html and http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-3.html to learn how to set up my firewall. It even told me how to set up IPCHAINS for a DHCP IP.

Q: Do you have two NICs in your Linux box? If so, can you ping your local network (say 192.168.2.1)? Can you ping the internet from your Linux box?

If all this is working you can use:
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

This will masquerade outgoing ICMP packets so they look like they're originating from the firewall's IP address.
trentpack commented:
Just change the IP to match your internal network.