Hello to everyone,
these are my rules:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=drop connection-state=new dst-address=8.8.8.8
1 X ;;; Allow Established connections
chain=input action=accept connection-state=established in-interface=Unidata
2 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid in-interface=Unidata
3 chain=input action=accept protocol=tcp in-interface=Unidata dst-port=23
4 chain=input action=accept protocol=icmp src-address=77.73.57.160 in-interface=Unidata
5 chain=input action=accept protocol=gre in-interface=Unidata
6 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=21
7 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=81
8 ;;; ssh Jabber Server
chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=220
9 ;;; ssh centralino
chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=221
10 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=443
11 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=902
12 chain=input action=accept protocol=tcp in-interface=Unidata dst-port=1723
13 chain=input action=accept protocol=tcp in-interface=Unidata dst-port=8291
14 chain=input action=accept protocol=tcp dst-port=8291
15 ;;; openfire web admin
chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=9091
16 chain=forward action=accept protocol=udp in-interface=Unidata dst-port=4500
17 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=4500
18 ;;; Openfire client port
chain=forward action=accept connection-state=established protocol=tcp in-interface=Unidata dst-port=5222
19 ;;; Openfire SSL client port
chain=forward action=accept connection-state=established protocol=tcp in-interface=Unidata dst-port=5223
20 ;;; Openfire server2server port
chain=forward action=accept connection-state=established protocol=tcp in-interface=Unidata dst-port=5269
21 ;;; Openfire file transfer
chain=forward action=accept connection-state=established protocol=tcp in-interface=Unidata dst-port=7777
22 chain=forward action=accept protocol=udp in-interface=Unidata dst-port=19000-20000
23 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=5269
24 chain=forward action=accept protocol=tcp in-interface=Unidata dst-port=32400
25 I chain=input action=accept in-interface=AsimSRL
26 chain=input action=jump jump-target=ICMP protocol=icmp
27 chain=output action=jump jump-target=ICMP protocol=icmp
28 chain=ICMP action=reject reject-with=icmp-network-unreachable protocol=icmp
29 ;;; Drop everything else
chain=input action=drop in-interface=Unidata
but neither rule 0 nor 29 will work.
I want to try to block all ping from internal to WAN.
Can anyone help me please?
Thanks
Workino