Firewall filter question/help

cheeze · Sat Feb 09, 2013 10:02 pm

Heya peeps....

Just had an issue with the firewall filter and maybe I'm not quite understanding the way IPTABLES does firewalling.

So my goal is to allow for ICMP traffic destined to the router, but only when sourced from the router. This way the router can source pings/traces/whatever ICMP related for troubleshooting.

I have a firewall rules like this:

14 X ;;; ROUTER PROTECTION | ALLOW ROUTER ICMP | ETHERNET 1
     chain=input action=accept protocol=icmp src-address-type=local in-interface=CENTURYLINK 

15 X ;;; ROUTER PROTECTION | ALLOW ROUTER ICMP | ETHERNET 2
     chain=input action=accept protocol=icmp src-address-type=local in-interface=Ethernet 2

However it still gets caught by my "reject all" down a few rules:

18   ;;; ROUTER PROTECTION | DROP ALL | ETHERNET 1
     chain=input action=drop in-interface=CENTURYLINK 

19   ;;; ROUTER PROTECTION | DROP ALL | ETHERNET 2
     chain=input action=drop in-interface=Ethernet 2

Any reason why this firewall chain doesn't let in the locally sourced ICMP packets? I thought "src-address-type=local" was supposed to be the differentiator....

I also know I have the rules disabled. I do that until I verify why they weren't working. When enabled they still fail....

Thanks

cupis · Sat Feb 09, 2013 11:35 pm

The source address for the ICMP replies is not going to be your routers address. Either just allow all ICMP, or try allowing (related,established) packets through to your router.

JP_Wireless · Sun Feb 10, 2013 12:05 am

with the rule you create, the icmp is only expected from the router's ip on ether 1 & 2 only say, 192.168.1.1 & 10.10.10.1. not the entire block of ip like /24.

Firewall filter question/help

Firewall filter question/help

Re: Firewall filter question/help

Re: Firewall filter question/help

Who is online