iptables - formatting icmp rules

ip networking, solved

Login to Reply

Thread Tools Search this Thread
# 1  
Old 05-20-2018
iptables - formatting icmp rules

Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to replies of the non-selected DNS servers with a icmp type three or "host unreachable". My firewall is very strict (I was hacked) and I am controlling sockets. I would like to respond to the DNS servers with this icmp message. I have tried many, many ways but none work, the message keeps on getting dropped. Here is an example rule set for one of the DNS servers:

# Owner: cryptostorm DNS in Langley in CA
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p tcp --dport 53 -d -j good_out_ips_accept
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p udp --dport 53 -d -j good_out_ips_accept
-A OUTPUT -m state --state ESTABLISHED,NEW -p icmp -m icmp --icmp-type 3 -d -j good_out_ips_accept
-A OUTPUT -o tun0 -d -j good_out_ips_drop

Here is the rule script:

-N good_out_ips_accept
-N good_out_ips_drop

-- many ips and ranges like above ----

-A good_out_ips_accept -j ACCEPT
-A good_out_ips_drop -j LOG  --log-level info --log-prefix "GOOD O/P IPs -- DROP :"
-A good_out_ips_drop -j DROP

Here is the resulting script from the firewall log:

May 20 16:24:21 gate kernel: [73690.667828] GOOD O/P IPs -- DROP :IN= OUT=tun0 SRC= DST= LEN=152 TOS=0x00 PREC=0xC0 TTL=64 ID=54071 PROTO=ICMP TYPE=3 CODE=3 [SRC= DST= LEN=124 TOS=0x00 PREC=0x00 TTL=57 ID=58899 DF PROTO=UDP SPT=53 DPT=50934 LEN=104 ]

To me the firewall is not seeing the icmp rule for some reason. Can anyone see the problem? Thanks for you help!

---------- Post updated at 06:04 PM ---------- Previous update was at 05:36 PM ----------

Well, I'm replying to my own post 10 minutes after writing it. All I needed was a "RELATED" on the state. I was hesitant to use this state as it seems to open a can of worms on some web sites...
Login to Reply

Thread Tools Search this Thread
Search this Thread:
Advanced Search

Similar Threads More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Need help for iptables rules Thomas342 Security 6 01-03-2017 09:30 AM
iptables help with rules steadyonabix UNIX for Advanced & Expert Users 4 01-01-2017 12:52 PM
Need to Convert the QNX rules to UNIX iptables mageshkumar Shell Programming and Scripting 4 12-04-2015 08:31 AM
Limit transfer speed rate by iptables Rules iLinux85 UNIX for Advanced & Expert Users 0 02-08-2015 03:14 AM
Samba Server not accessible after establishing iptables rules joj123 Red Hat 1 01-19-2015 01:44 PM
Editing iptables rules with custom chain BhushanPathak UNIX for Advanced & Expert Users 1 05-09-2013 11:18 AM
iptables Rules for my network Vaibhav.T Red Hat 0 03-26-2013 07:54 PM
Iptables/Firewall rules for multicast IP. rama krishna Red Hat 0 08-29-2012 05:16 PM
Creating iptables filter rules applicable to both FORWARD and OUTPUT chains haggismn IP Networking 0 07-23-2012 04:20 PM
iptables rules (ubuntu) Greenice Ubuntu 0 02-11-2012 05:55 AM
How iptables directs to localhost in this series of iptable rules Narnie UNIX for Advanced & Expert Users 7 11-04-2011 02:30 PM
Editing rules on iptables garric Security 4 09-13-2011 06:22 PM
Iptables rules at boot solaris_user IP Networking 2 01-06-2010 07:49 PM
SED inserting iptables rules in while loop verbalicious Shell Programming and Scripting 2 12-22-2009 12:12 PM
icmp seccom IP Networking 1 08-01-2001 02:58 PM
All times are GMT -4. The time now is 09:38 PM.

Unix & Linux Forums Content Copyright 1993-2018. All Rights Reserved.
Show Password

Not a Forum Member?
Forgot Password?