ICMP Problems with ipchains-fw

I am attempting to run a firewall (ipchains) that blocks all incoming ICMP packets from foreign IPs, but I want to allow all packets that originate from behind my firewall back into the system where they originated from.  So if I wanted to ping, let's say, www.yahoo.com I would be able to get a ping reply packet back, but if someone at www.yahoo.com attempted to ping me they wouldn't get a reply packet back.  Currently I have the following rule added.

ipchains -A input -p icmp -s 0.0.0.0/0 -j DENY   <- this rule blocks all ICMP, and I mean all ICMP packets, incoming and outgoing.
jamesg asked:

RobWMartin commented:
ipchains -A input -p icmp -i ext_if_device_name -s 0.0.0.0/0 8 -j DENY  

The 8 (ICMP echo request type number) is all you needed for fully specifying the source portion of an undesirable packet.  You need the -i ext_if_device_name (e.g. eth1) or your internal hosts will be excluded also.

frugal commented:
The problem is that a ping reply doesn't originate from your network, which is why it's being blocked. What you want to do is set up rules in the following order (and the order is important):

1. Allow all ICMP traffic from IPs you trust (like your local LAN). This is only necessary if you want to be able to ping the box from your network.

2. Allow ICMP replies from anywhere. This allows replies to come in.

3. Deny all ICMP traffic. This blocks any other ICMP traffic. Because the rules are applied in order, local ICMP traffic and ICMP replies will have already been let through.

An ICMP reply is type 0 (echo-reply). You will probably also want to allow type 3 (destination-unreachable), 5 (redirect), and 11 (time-exceeded).
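As an added example (not code from any poster in this thread): the three-step ordering frugal describes, with RobWMartin's -i interface binding applied to it, checked against a small first-match evaluator that understands only the subset of ipchains syntax used in this thread (-A, -p, -i, -s with the ICMP type in the port slot, -j). The interface names (eth0 internal, eth1 external), the LAN 192.168.1.0/24, and the sample packets are assumptions constructed for the demonstration; the trusted-LAN rule is additionally bound to eth0 so that a packet arriving on the external interface with a forged LAN source address is not trusted.

```python
import ipaddress
import shlex

# ICMP type names ipchains accepts in the "port" position; numbers from RFC 792.
ICMP_TYPES = {"echo-reply": 0, "destination-unreachable": 3, "redirect": 5,
              "echo-request": 8, "time-exceeded": 11}


def parse_rule(cmd):
    """Parse one 'ipchains -A <chain> ...' command (only the flags used in this thread)."""
    toks = shlex.split(cmd)
    rule = {"chain": None, "proto": None, "iface": None,
            "src": ipaddress.ip_network("0.0.0.0/0"), "icmp_type": None, "target": None}
    i = 1                                   # toks[0] is "ipchains"
    while i < len(toks):
        flag, arg = toks[i], toks[i + 1]
        if flag == "-A":
            rule["chain"] = arg
        elif flag == "-p":
            rule["proto"] = arg.lower()
        elif flag == "-i":
            rule["iface"] = arg             # interface the packet arrived on
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
            # With -p icmp, an optional word after the address is the ICMP type
            # (ipchains reuses the source-port slot for it), e.g. "-s 0.0.0.0/0 8".
            if i + 2 < len(toks) and not toks[i + 2].startswith("-"):
                t = toks[i + 2]
                rule["icmp_type"] = ICMP_TYPES[t] if t in ICMP_TYPES else int(t)
                i += 1
        elif flag == "-j":
            rule["target"] = arg.upper()
        else:
            raise ValueError(f"unsupported flag {flag!r}")
        i += 2
    return rule


def matches(rule, pkt):
    """True if every criterion the rule specifies matches the packet (unspecified = any)."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["icmp_type"] is not None and rule["icmp_type"] != pkt["icmp_type"]:
        return False
    return True


def evaluate(commands, pkt, chain="input", policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides, otherwise the
    chain policy applies. Returns (target, 1-based rule number or None)."""
    for n, cmd in enumerate(commands, 1):
        rule = parse_rule(cmd)
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"], n
    return policy, None


def icmp(src, iface, icmp_type):
    """Constructed sample packet: only the fields the rules above look at."""
    return {"proto": "icmp", "src": src, "iface": iface, "icmp_type": icmp_type}


# Assumed layout: eth0 faces the LAN 192.168.1.0/24, eth1 faces the Internet.
ORIGINAL = ["ipchains -A input -p icmp -s 0.0.0.0/0 -j DENY"]   # the questioner's single rule

ORDERED = [
    # 1. trusted LAN, bound to the internal interface so a forged LAN source on eth1 is not trusted
    "ipchains -A input -p icmp -i eth0 -s 192.168.1.0/24 -j ACCEPT",
    # 2. replies and error reports that our own probes provoke, from anywhere outside
    "ipchains -A input -p icmp -i eth1 -s 0.0.0.0/0 0 -j ACCEPT",    # echo-reply
    "ipchains -A input -p icmp -i eth1 -s 0.0.0.0/0 3 -j ACCEPT",    # destination-unreachable
    "ipchains -A input -p icmp -i eth1 -s 0.0.0.0/0 11 -j ACCEPT",   # time-exceeded
    # 3. everything else, including echo-request (8) and redirect (5)
    "ipchains -A input -p icmp -j DENY",
]

if __name__ == "__main__":
    cases = [
        ("reply to our ping, from outside", icmp("1.2.3.4", "eth1", 0)),
        ("someone outside pings us", icmp("1.2.3.4", "eth1", 8)),
        ("ICMP redirect from outside", icmp("1.2.3.4", "eth1", 5)),
        ("LAN host pings the firewall", icmp("192.168.1.10", "eth0", 8)),
        ("forged LAN source on eth1", icmp("192.168.1.10", "eth1", 8)),
    ]
    for label, pkt in cases:
        print(f"{label:32} original: {evaluate(ORIGINAL, pkt)[0]:6} "
              f"ordered: {evaluate(ORDERED, pkt)}  deny-first: {evaluate(ORDERED[::-1], pkt)[0]}")
```

Running it shows the point of the thread: under the single original rule the echo-reply to the firewall's own ping is dropped along with everything else, under the ordered set it is accepted by rule 2 while an outside echo-request and a redirect fall through to the final DENY, and with the same rules in reverse order the DENY matches first and nothing gets in. DENY in ipchains drops silently; if the outside should see the port as filtered rather than silent, REJECT is the alternative target.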

frugal commented:
Ooops, just did some double-checking and found out that you might want to disable redirects after all as they can be used to manipulate your routing (although any decent stack will have safeguards for this).

jamesg (author) commented:
I understand the theory of what to do with the ICMP packets.  I don't know how to apply it to IPCHAINS itself; that's what I really need help with.

Thanks for the help though.

trentpack commented:
I used http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html and http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html and http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-3.html to learn how to set up my firewall.  It even told me how to set up IPCHAINS for a DHCP IP.

Q:  Do you have two NICs in your Linux box?  If so, can you ping your local network (say 192.168.2.1)? Can you ping the internet from your Linux box?

If all this is working you can use:
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

This will masquerade outgoing ICMP packets to look like they're originating from the firewall's IP address.

trentpack commented:
Just change the IP to match your internal network.