Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables - formatting icmp rules
Special Forums IP Networking iptables - formatting icmp rules Post 303017697 by CrazyDave on Sunday 20th of May 2018 09:04:31 PM
Old 05-20-2018
iptables - formatting icmp rules
Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to replies of the non-selected DNS servers with a icmp type three or "host unreachable". My firewall is very strict (I was hacked) and I am controlling sockets. I would like to respond to the DNS servers with this icmp message. I have tried many, many ways but none work, the message keeps on getting dropped. Here is an example rule set for one of the DNS servers:

Code:
# Owner: cryptostorm DNS in Langley in CA
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p tcp --dport 53 -d 162.221.207.228 -j good_out_ips_accept
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p udp --dport 53 -d 162.221.207.228 -j good_out_ips_accept
-A OUTPUT -m state --state ESTABLISHED,NEW -p icmp -m icmp --icmp-type 3 -d 162.221.207.228 -j good_out_ips_accept
-A OUTPUT -o tun0 -d 162.221.207.228 -j good_out_ips_drop

Here is the rule script:

Code:
-N good_out_ips_accept
-N good_out_ips_drop

-- many ips and ranges like above ----

-A good_out_ips_accept -j ACCEPT
-A good_out_ips_drop -j LOG  --log-level info --log-prefix "GOOD O/P IPs -- DROP :"
-A good_out_ips_drop -j DROP

Here is the resulting script from the firewall log:

Code:
May 20 16:24:21 gate kernel: [73690.667828] GOOD O/P IPs -- DROP :IN= OUT=tun0 SRC=10.7.7.88 DST=162.221.207.228 LEN=152 TOS=0x00 PREC=0xC0 TTL=64 ID=54071 PROTO=ICMP TYPE=3 CODE=3 [SRC=162.221.207.228 DST=10.7.7.88 LEN=124 TOS=0x00 PREC=0x00 TTL=57 ID=58899 DF PROTO=UDP SPT=53 DPT=50934 LEN=104 ]

To me the firewall is not seeing the icmp rule for some reason. Can anyone see the problem? Thanks for you help!

---------- Post updated at 06:04 PM ---------- Previous update was at 05:36 PM ----------

Well, I'm replying to my own post 10 minutes after writing it. All I needed was a "RELATED" on the state. I was hesitant to use this state as it seems to open a can of worms on some web sites...
 

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

SED inserting iptables rules in while loop

I'm trying to insert multiple new lines of text into an iptables script using sed in a while loop. I'm not sure if this is the most effective way. Searching the forums has helped me come up with a good beginning but it's not 100%. I'd like it to search out a unique line in my current iptables file... (2 Replies)
Discussion started by: verbalicious
2 Replies

2. IP Networking

Iptables rules at boot

Hi I have small home network and I want to block some forums on web When I use this iptables -A INPUT -s forum -j DROP rules is applied but when I restart some of PC rules are not present any more also I tried to save firewall settings iptables-save > /root/dsl.fw but how to... (2 Replies)
Discussion started by: solaris_user
2 Replies

3. Cybersecurity

Editing rules on iptables

Hello, I was playing around with iptables to setup an isolated system. On a SLES10 system, I ran the below to setup my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables. iptables -A INPUT -j ACCEPT iptables -A OUTPUT -m... (4 Replies)
Discussion started by: garric
4 Replies

4. Ubuntu

iptables rules (ubuntu)

Could someone help me with writing rules for iptables? I need a dos attacks protection for a game server. port type udp ports 27015:27030 interface: eth0 Accept all packets from all IPs Chek if IP sent more than 50 packets per second Drop all packets from this IP for 5 minutes I would be... (0 Replies)
Discussion started by: Greenice
0 Replies

5. Red Hat

Iptables/Firewall rules for multicast IP.

Hi Gurus, I need to add Multicast Port = xyz Multicast Address = 123.134.143 ( example) to my firewall rules. Can you please guide me with the lines I need to update my iptables files with. (0 Replies)
Discussion started by: rama krishna
0 Replies

6. Red Hat

iptables Rules for my network

Hi Champs i am new in Iptables and trying to write rules for my Samba server.I took some help from internet, created one script and run from rc.local : #Allow loopback iptables -I INPUT -i lo -j ACCEPT # Accept packets from Trusted network iptables -A INPUT -s my-network/subnet -j... (0 Replies)
Discussion started by: Vaibhav.T
0 Replies

7. UNIX for Advanced & Expert Users

Editing iptables rules with custom chain

Hello, I have iptables service running on my CentOS5 server. It has approx 50 rules right now. The problem I am facing now is as follows - I have to define a new chain in the filter table, say DOS_RULES & add all rules in this chain starting from index number 15 in the filter table. ... (1 Reply)
Discussion started by: BhushanPathak
1 Replies

8. Shell Programming and Scripting

Need to Convert the QNX rules to UNIX iptables

Need to convert the QNX rules to Linux ubuntu 12.04. kindly any one help us with any tools (4 Replies)
Discussion started by: mageshkumar
4 Replies

9. UNIX for Advanced & Expert Users

iptables help with rules

Hi, I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of raspberry pi's but to allow ssh and ping traffic within it. The cluster has a firewall server with a wifi card connecting to... (4 Replies)
Discussion started by: steadyonabix
4 Replies

10. Cybersecurity

Need help for iptables rules

Hello, I did 2 scripts. The second one is, I hope, more secure. What do you think? Basic connection (no server, no router, no DHCP and the Ipv6 is disabled) #######script one #################### iptables -F iptables -X -t filter iptables -P INPUT DROP iptables -P FORWARD... (6 Replies)
Discussion started by: Thomas342
6 Replies

LEARN ABOUT CENTOS

firewalld.zone

FIREWALLD.ZONE(5)						  firewalld.zone						 FIREWALLD.ZONE(5)

NAME

       firewalld.zone - firewalld zone configuration files

SYNOPSIS

       /etc/firewalld/zones/zone.xml
       /usr/lib/firewalld/zones/zone.xml

DESCRIPTION

       A firewalld zone configuration file contains the information for a zone. These are the zone description, services, ports, icmp-blocks,
       masquerade, forward-ports and rich language rules in an XML file format. The file name has to be zone_name.xml where length of zone_name is
       currently limited to 17 chars.

       This is the structure of a zone configuration file:

	   <?xml version="1.0" encoding="utf-8"?>
	   <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
	     [ <short>short description</short> ]
	     [ <description>description</description> ]
	     [ <interface name="string"/> ]
	     [ <source address="address[/mask]"/> ]
	     [ <service name="string"/> ]
	     [ <port port="portid[-portid]" protocol="tcp|udp"/> ]
	     [ <icmp-block name="string"/> ]
	     [ <masquerade/> ]
	     [ <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ]
	     [
	       <rule [family="ipv4|ipv6"]>
	       [ <source address="address[/mask]" [invert="bool"]/> ]
	       [ <destination address="address[/mask]" [invert="bool"]/> ]
	       [
		 <service name="string"/> |
		 <port port="portid[-portid]" protocol="tcp|udp"/> |
		 <protocol value="protocol"/> |
		 <icmp-block name="icmptype"/> |
		 <masquerade/> |
		 <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/>
	       ]
	       [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
	       [ <audit> [<limit value="rate/duration"/>] </audit> ]
	       [ <accept/> | <reject [type="rejecttype"]/> | <drop/> ]
	       </rule>
	     ]
	   </zone>

       The config can contain these tags and attributes. Some of them are mandatory, others optional.

   zone
       The mandatory zone start and end tag defines the zone. This tag can only be used once in a zone configuration file. There are optional
       attributes for zones:

       version="string"
	   To give the zone a version.

       target="ACCEPT|%%REJECT%%|DROP"
	   Can be used to accept, reject or drop every packet. The ACCEPT target is used in the trusted zone, every packet will be accepted. The
	   %%REJECT%% target is used in the block zone, every packet will be rejected with the default firewalld reject type. The DROP target is
	   used in the drop zone, every packet will be dropped. The default target is {chain}_ZONE_{zone} and will be used if the target is not
	   specified. If other than the default target is used, all settings except interface and source are ignored, because the first rule
	   created in firewall for this zone is 'jump to target'.

   short
       Is an optional start and end tag and is used to give a zone a more readable name.

   description
       Is an optional start and end tag to have a description for a zone.

   interface
       Is an optional empty-element tag and can be used several times. It can be used to bind an interface to a zone. An interface entry has
       exactly one attribute:

       name="string"
	   The name of the interface to be bound to the zone.

   source
       Is an optional empty-element tag and can be used several times. It can be used to bind a source address or source address range to a zone.
       A source entry has exactly one attribute:

       address="address[/mask]"
	   The source to be bound to the zone. The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The
	   network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the
	   mask is a plain number. The use of host names is not supported.

   service
       Is an optional empty-element tag and can be used several times to have more than one service entry enabled. A service entry has exactly one
       attribute:

       name="string"
	   The name of the service to be enabled. To get a list of valid service names firewall-cmd --list=services can be used.

   port
       Is an optional empty-element tag and can be used several times to have more than one port entry. All attributes of a port entry are
       mandatory:

       port="portid[-portid]"
	   The port can either be a single port number portid or a port range portid-portid.

       protocol="tcp|udp"
	   The protocol can either be tcp or udp.

   icmp-block
       Is an optional empty-element tag and can be used several times to have more than one icmp-block entry. Each icmp-block tag has exactly one
       mandatory attribute:

       name="string"
	   The name of the Internet Control Message Protocol (ICMP) type to be blocked. To get a list of valid ICMP types firewall-cmd
	   --list=icmptypes can be used.

   masquerade
       Is an optional empty-element tag. It can be used only once in a zone configuration and is not usable for IPv6. If it's present masquerading
       is enabled for the zone. If you want to enable masquerading, you should enable it in the zone bound to the external interface.

   forward-port
       Is an optional empty-element tag and can be used several times to have more than one port or packet forward entry. This is for IPv4 only.
       Use rich language rules for IPv6. There are mandatory and also optional attributes for forward ports:

       Mandatory attributes:
	   The local port and protocol to be forwarded.

	   port="portid[-portid]"
	       The port can either be a single port number portid or a port range portid-portid.

	   protocol="tcp|udp"
	       The protocol can either be tcp or udp.

       Optional attributes:
	   The destination of the forward. For local forwarding add to-port only. For remote forwarding add to-addr and use to-port optionally if
	   the destination port on the destination machine should be different.

	   to-port="portid[-portid]"
	       The destination port or port range to forward to. If omitted, the value of the port= attribute will be used altogether with the
	       to-addr attribute.

	   to-addr="address"
	       The destination IPv4 IP address.

   rule
       Is an optional element tag and can be used several times to have more than one rich language rule entry.

       The general rule structure:

	   <rule [family="ipv4|ipv6"]/>
	     [ <source address="address[/mask]" [invert="bool"]/> ]
	     [ <destination address="address[/mask]" [invert="bool"]/> ]
	     [
	       <service name="string"/> |
	       <port port="portid[-portid]" protocol="tcp|udp"/> |
	       <protocol value="protocol"/> |
	       <icmp-block name="icmptype"/> |
	       <masquerade/> |
	       <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/>
	     ]
	     [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
	     [ <audit> [<limit value="rate/duration"/>] </audit> ]
	     [ <accept/> | <reject [type="rejecttype"]/> | <drop/> ]
	   </rule>

       Rule structure for source black or white listing:

	   <rule [family="ipv4|ipv6"]/>
	     <source address="address[/mask]" [family="bool"]/>
	     [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
	     [ <audit> [<limit value="rate/duration"/>] </audit> ]
	     <accept/> | <reject [type="rejecttype"]/> | <drop/>
	   </rule>

       For a full description on rich language rules, please have a look at firewalld.richlanguage(5).

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
       firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
       firewalld.zones(5)

NOTES

       firewalld home page at fedorahosted.org:
	   http://fedorahosted.org/firewalld/

       More documentation with examples:
	   http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
	   Developer

       Jiri Popelka <jpopelka@redhat.com>
	   Developer

firewalld 0.3.9 														 FIREWALLD.ZONE(5)
All times are GMT -4. The time now is 07:58 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy