IP Networking
iptables - formatting icmp rules

05-20-2018, CrazyDave (Registered User, joined May 2018, 1 post):

Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to the replies of the non-selected DNS servers with an ICMP type 3 or "host unreachable" message. My firewall is very strict (I was hacked) and I am controlling sockets. I would like to respond to the DNS servers with this ICMP message. I have tried many, many ways but none work; the message keeps on getting dropped. Here is an example rule set for one of the DNS servers:

# Owner: cryptostorm DNS in Langley in CA
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p tcp --dport 53 -d -j good_out_ips_accept
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p udp --dport 53 -d -j good_out_ips_accept
-A OUTPUT -m state --state ESTABLISHED,NEW -p icmp -m icmp --icmp-type 3 -d -j good_out_ips_accept
-A OUTPUT -o tun0 -d -j good_out_ips_drop

Here is the rule script:

-N good_out_ips_accept
-N good_out_ips_drop

-- many ips and ranges like above ----

-A good_out_ips_accept -j ACCEPT
-A good_out_ips_drop -j LOG  --log-level info --log-prefix "GOOD O/P IPs -- DROP :"
-A good_out_ips_drop -j DROP

Here is the resulting script from the firewall log:

May 20 16:24:21 gate kernel: [73690.667828] GOOD O/P IPs -- DROP :IN= OUT=tun0 SRC= DST= LEN=152 TOS=0x00 PREC=0xC0 TTL=64 ID=54071 PROTO=ICMP TYPE=3 CODE=3 [SRC= DST= LEN=124 TOS=0x00 PREC=0x00 TTL=57 ID=58899 DF PROTO=UDP SPT=53 DPT=50934 LEN=104 ]

To me the firewall is not seeing the ICMP rule for some reason. Can anyone see the problem? Thanks for your help!

Post updated at 06:04 PM (previous update was at 05:36 PM):

Well, I'm replying to my own post 10 minutes after writing it. All I needed was a "RELATED" on the state. I was hesitant to use this state as it seems to open a can of worms on some web sites...
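The dropped packet in the log above is an ICMP type 3 error that quotes the header of the DNS server's UDP reply; conntrack classifies such an error as RELATED to the UDP flow it answers, which is why a rule listing only NEW and ESTABLISHED never matches it. The following is an added example, not code from the post: it parses a netfilter LOG line of that shape, pulls out the outer ICMP fields and the embedded original packet, and reports which `--state` list an OUTPUT rule must carry to accept it. The addresses in the sample line are constructed (the page shows them blank).

```python
import re

# Constructed copy of the log line from the post; the addresses were blank on the
# page, so 192.0.2.53 (DNS server) and 10.8.0.2 (tun0 side) are made-up values.
SAMPLE_LOG = (
    "May 20 16:24:21 gate kernel: [73690.667828] GOOD O/P IPs -- DROP :IN= OUT=tun0 "
    "SRC=10.8.0.2 DST=192.0.2.53 LEN=152 TOS=0x00 PREC=0xC0 TTL=64 ID=54071 "
    "PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.53 DST=10.8.0.2 LEN=124 TOS=0x00 "
    "PREC=0x00 TTL=57 ID=58899 DF PROTO=UDP SPT=53 DPT=50934 LEN=104 ]"
)

KV = re.compile(r"(\w+)=(\S*)")
# ICMP error types: dest unreachable, source quench, time exceeded, parameter problem
ICMP_ERROR_TYPES = {"3", "4", "11", "12"}
UNREACH_CODES = {"0": "net unreachable", "1": "host unreachable", "3": "port unreachable"}

def parse_nflog(line):
    """Split a netfilter LOG line into the rule's --log-prefix, the outer packet's
    KEY=VALUE fields and, for ICMP errors, the embedded original packet in [...]."""
    m = re.search(r"kernel: \[[\d.]+\] (?P<prefix>.*?)IN=", line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    body = line[m.end("prefix"):]
    inner = None
    if "[" in body:
        body, rest = body.split("[", 1)
        inner = dict(KV.findall(rest.rsplit("]", 1)[0]))
    return {"prefix": m.group("prefix").strip(), "outer": dict(KV.findall(body)), "inner": inner}

def required_ct_state(pkt):
    """Conntrack state an OUTPUT rule must list to accept this packet. An ICMP error
    quoting a tracked flow is RELATED (INVALID if no such flow exists), never NEW."""
    o = pkt["outer"]
    if o.get("PROTO") == "ICMP" and o.get("TYPE") in ICMP_ERROR_TYPES and pkt["inner"]:
        return "RELATED"
    return "NEW/ESTABLISHED"

def rule_accepts(pkt, state_list):
    """True if a rule with '-m state --state <state_list>' could match this packet."""
    return required_ct_state(pkt) in {s.strip().upper() for s in state_list.split(",")}

def describe(pkt):
    """One-line summary of an ICMP error and the flow it answers."""
    o, i = pkt["outer"], pkt["inner"]
    what = UNREACH_CODES.get(o.get("CODE"), "code " + o.get("CODE", "?")) if o.get("TYPE") == "3" else "type " + o.get("TYPE", "?")
    if i:
        return "ICMP %s in reply to %s %s:%s -> %s:%s" % (what, i.get("PROTO"), i.get("SRC"), i.get("SPT"), i.get("DST"), i.get("DPT"))
    return "ICMP " + what

if __name__ == "__main__":
    pkt = parse_nflog(SAMPLE_LOG)
    print(pkt["prefix"], "|", describe(pkt))
    for states in ("ESTABLISHED,NEW", "ESTABLISHED,RELATED"):
        print("--state %-20s -> %s" % (states, "matches" if rule_accepts(pkt, states) else "dropped"))
```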

Unix & Linux Forums Content Copyright © 1993-2018. All Rights Reserved.