I am setting up my server and I must disable ping requests for everyone except me and a list of hosts (aaa.bbb.ccc.ddd).
I am using the tool ufw on Ubuntu Server; I read that I have to comment out these lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --
I have the following rule, which I believe will restrict ICMP packets to 1/s.
For the following iptables rule:
iptables -A INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
I am not sure what the point of "-m" is given that "-p" is already present. Does it serve any purpose in this case?
In iptables, I added the rules below to limit the incoming ICMP request packet rate, but it didn't work: after the first incoming ICMP request was accepted by the first rule and my host replied, all the following ICMP requests were accepted by the second rule, which accepts incoming ICMP requests as ESTABLISHED-state packets.
Exercise:
Protection of web and DNS servers using context-free rules for packet filtering:
- Protect your web server so that it can be accessed by browsers and can reach DNS.
- Protect your primary DNS server so that it can be contacted by clients and by secondary servers.
- Allow ICMP ping to/from your site(s).
- Everything else is denied.
My solution is:
Code:
My question is related to multicasts and iptables.
I want to allow ICMP and IGMP multicasts from the local VLAN 192.168.1.0/24 as well as from 0.0.0.0 on my CentOS machine, so I added the following rules to my inbound chain:
# ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
# -- ICMP
iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol
I want to block ping from outside the company to my server,
so I have the following iptables rules:
-A INPUT -p icmp --icmp-type 8 -s ! 192.168.0.0/16 -j DROP
-A OUTPUT -p icmp --icmp-type 0 -d ! 192.168.0.0/16 -j DROP
However, the above rules aren't working as expected; I can still ping the server from both inside and outside the company.
What's wrong with that?!
I am having trouble connecting to IRC (freenode) because of my iptables.
I tried the following
iptables -A INPUT -p tcp --syn --destination-port 6697 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 6697 -j ACCEPT
(I use port 6697 because I connect using SSL)
And for pings:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Any help would be greatly appreciated.
I read that certain types¹ of ICMP packets can be harmful. Questions:
Which ones and why?
How should I lay out an iptables ruleset to handle each type of ICMP packet?
Should I rate-limit any of these types of ICMP packets? And how?
[¹] The types I read about: Redirect (5), Timestamp (13) and Address Mask Request (17).
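The ESTABLISHED-state problem described in the rate-limiting question above (the limit rule is bypassed once conntrack sees the reply) and the per-type layout the last question asks about, as an added example that is not code from any of these posts: a small Python simulator for one iptables INPUT chain, limited to the matches these posts use (`-p icmp --icmp-type`, `-s` and `! -s`, `-m state --state`, `-m limit --limit`). The chain contents, addresses and arrival timings are constructed for the example; the conntrack behaviour (first echo-request NEW, later ones ESTABLISHED after the host has replied) is taken from that post's description, and `-m limit` is modelled as a token bucket seeded with `--limit-burst` credits, which is how xt_limit behaves. The three types the footnote names are dropped because a Redirect can alter the host's routing decisions when `accept_redirects` is on, and Timestamp and Address Mask replies disclose the system clock and netmask.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# ICMP type names as iptables spells them (subset); numeric types are accepted too.
ICMP_TYPES = {"echo-reply": 0, "destination-unreachable": 3, "source-quench": 4,
              "redirect": 5, "echo-request": 8, "time-exceeded": 11,
              "parameter-problem": 12, "timestamp-request": 13,
              "address-mask-request": 17}
RATE_UNITS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
              "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


@dataclass
class Packet:
    src: str
    icmp_type: int
    ctstate: str   # NEW, ESTABLISHED or RELATED: how conntrack would classify it
    t: float       # arrival time in seconds


class Rule:
    """One INPUT rule in iptables-save syntax, restricted to the matches used on this page."""

    def __init__(self, text):
        self.icmp_type = self.src = self.states = self.rate = self.target = None
        self.src_neg, self.burst = False, 5          # 5 is the xt_limit default --limit-burst
        toks, i, neg = shlex.split(text), 0, False
        while i < len(toks):
            tok = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "!":                            # extrapositioned negation: ! -s NET
                neg, i = True, i + 1
                continue
            if tok == "-s":
                if arg == "!":                        # old intrapositioned form: -s ! NET
                    neg, arg, i = True, toks[i + 2], i + 1
                self.src, self.src_neg = ipaddress.ip_network(arg, strict=False), neg
            elif tok == "--icmp-type":
                if arg not in ("any", "255"):         # 255 / any matches every type
                    self.icmp_type = ICMP_TYPES[arg] if arg in ICMP_TYPES else int(arg)
            elif tok in ("--state", "--ctstate"):
                self.states = set(arg.split(","))
            elif tok == "--limit":                    # e.g. 1/s, 30/minute
                n, unit = arg.split("/")
                self.rate = float(n) / RATE_UNITS[unit]
            elif tok == "--limit-burst":
                self.burst = int(arg)
            elif tok == "-j":
                self.target = arg
            elif tok not in ("-A", "-p", "-m"):       # chain, protocol and module names match nothing here
                raise ValueError(f"unsupported token {tok!r}")
            neg, i = False, i + 2
        self.tokens, self.last = float(self.burst), 0.0   # xt_limit bucket starts full

    def matches(self, pkt):
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.src is not None and (ipaddress.ip_address(pkt.src) in self.src) == self.src_neg:
            return False
        if self.states is not None and pkt.ctstate not in self.states:
            return False
        if self.rate is not None:   # token bucket: refill at rate, cap at burst, spend one per match
            self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
            self.last = pkt.t
            if self.tokens < 1:
                return False
            self.tokens -= 1
        return True


def run_chain(lines, packets, policy="DROP"):
    """Verdict per packet: first matching rule wins, otherwise the chain policy."""
    rules = [Rule(line) for line in lines]
    return [next((r.target for r in rules if r.matches(p)), policy) for p in packets]


def echo_flood(n, src="198.51.100.7", interval=0.01):
    # Constructed input. Assumption taken from the ESTABLISHED question: once the host
    # has replied to the first echo-request, conntrack classifies the rest as ESTABLISHED.
    return [Packet(src, 8, "NEW" if i == 0 else "ESTABLISHED", i * interval) for i in range(n)]


# The layout that question describes: echo-requests over the limit miss rule 1 and are
# then accepted by the generic RELATED,ESTABLISHED rule, so rule 3 never fires.
LIMIT_THEN_ESTABLISHED = [
    "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp --icmp-type echo-request -j DROP",
]
# Same rules with the echo-request DROP moved above the RELATED,ESTABLISHED accept.
DROP_THEN_ESTABLISHED = [
    "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT",
    "-A INPUT -p icmp --icmp-type echo-request -j DROP",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
]
# Per-type layout for the last question: drop types 5, 13 and 17, rate-limit echo-request,
# keep the error types that path-MTU discovery and traceroute rely on, drop any other ICMP.
PER_TYPE_POLICY = [
    "-A INPUT -p icmp --icmp-type redirect -j DROP",
    "-A INPUT -p icmp --icmp-type timestamp-request -j DROP",
    "-A INPUT -p icmp --icmp-type address-mask-request -j DROP",
    "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT",
    "-A INPUT -p icmp --icmp-type echo-request -j DROP",
    "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT",
    "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT",
    "-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT",
    "-A INPUT -p icmp -j DROP",
]

if __name__ == "__main__":
    for name, chain in (("limit-then-established", LIMIT_THEN_ESTABLISHED),
                        ("drop-then-established", DROP_THEN_ESTABLISHED)):
        v = run_chain(chain, echo_flood(10))
        print(f"{name}: {v.count('ACCEPT')} accepted, {v.count('DROP')} dropped of 10 echo-requests in 0.1 s")
```

Running it shows ten echo-requests in a tenth of a second all accepted by the first layout and only one accepted by the second. The same ordering point applies to the per-type chain: it has to sit above any blanket RELATED,ESTABLISHED accept, or the second echo-request onward bypasses it exactly as in the first layout. The parser also takes the older `-s ! NET` spelling so rules copied from old posts can be checked; current iptables only accepts `! -s NET`.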