4

I am a programmer teaching myself Linux admin stuff. I followed this tutorial to set up a firewall on a VPS. As part of that tutorial, I block all traffic except for web traffic and SSH traffic. I checked to see if my server was vulnerable to ping floods, and it seems that I can't ping my server ("request timeout for icmp"). A few quick googles show that ping uses ICMP, which does not use ports. ICMP traffic is still regulated by the firewall, right? Just double-checking to make sure I am correctly understanding what is happening. ICMP traffic is still traffic -- it just does not use ports. Hence it is governed by the rules in the iptables commands.

Here is what my iptables look like:

$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2   100 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 145K 9706K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   10   616 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3457
 3463  222K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  192 14090 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 81298 packets, 505M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   100 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
$ 
bernie2436
  • 6,505
  • 22
  • 58
  • 69
  • the output of `iptables-save -c` would be of use. – llua Mar 14 '14 at 03:44
  • ICMP is a protocol type within IP, like TCP and UDP. In contrast to those it does not use ports but types and codes (far fewer than the number of ports). You need to allow ICMP separately. And if you want help with your firewall, then you should give the output of `iptables -L -nv` rather than the tutorial which led to this configuration. – Hauke Laging Mar 14 '14 at 03:47

2 Answers

2

You need

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

inserted before what is now the last rule in INPUT.

Furthermore it makes sense to allow other ICMP packets as IP relies on certain error messages:

iptables -A INPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Hauke Laging
  • 88,146
  • 18
  • 125
  • 174
  • Can I just run those commands to modify iptables, or do I need to re-run the commands from the tutorial and then append these commands? – bernie2436 Mar 14 '14 at 23:25
  • @akh2103 You may use `iptables -L INPUT --line-numbers` to have the rules numbered and use `iptables -I` instead of `iptables -A` for inserting a rule at a certain position. The whole rule set may be easier to understand if you create a chain `icmp` with these rules and add just one rule to `INPUT`: `iptables -A INPUT -p icmp -j icmp` – Hauke Laging Mar 15 '14 at 00:20
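The following script is an added example, not code from the answer or the comments above. It applies the approach the comment suggests: all ICMP handling goes into a dedicated chain (named `icmp` here, an assumed name) and a single jump rule is inserted into INPUT above the existing final DROP, so the tutorial's rules are left untouched and nothing needs to be re-run. Echo requests are rate-limited (5/s with a burst of 10, assumed values) to address the ping-flood worry in the question, the conntrack option is spelled `--ctstate`, and the helper names `last_drop_rule`, `icmp_rules` and `hook_into_input` and the `IPT` override are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answers). Builds an "icmp" chain and
# hooks it into INPUT just above the final DROP. Chain name, rate-limit values
# and helper names are assumptions made for this example.
#
# Dry run:  IPT=echo sh icmp-rules.sh apply     (prints the commands instead)
# Real run: sudo sh icmp-rules.sh apply
IPT="${IPT:-iptables}"

# Hypothetical helper: 1-based position of the last DROP rule in INPUT, or 0
# if there is none. Parses the "num  target ..." rows of --line-numbers output.
last_drop_rule() {
    "$IPT" -L INPUT -n --line-numbers | awk '$2 == "DROP" { n = $1 } END { print n + 0 }'
}

# Build the icmp chain. Flushing first makes re-running the script idempotent.
icmp_rules() {
    "$IPT" -N icmp 2>/dev/null || true   # ignore "chain already exists"
    "$IPT" -F icmp

    # Ping: accept a bounded rate of echo requests, drop the excess.
    "$IPT" -A icmp -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    "$IPT" -A icmp -p icmp --icmp-type echo-request -j DROP

    # ICMP that IP itself depends on: replies to our own pings and errors about
    # connections we opened. The conntrack match option is --ctstate.
    for t in echo-reply destination-unreachable time-exceeded parameter-problem; do
        "$IPT" -A icmp -p icmp --icmp-type "$t" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # Any other ICMP type falls off the end of the chain and returns to INPUT,
    # where the final DROP catches it.
}

# Jump from INPUT into the icmp chain, inserted above the final DROP (or
# appended when INPUT has no DROP rule yet).
hook_into_input() {
    pos=$(last_drop_rule)
    if [ "$pos" -gt 0 ]; then
        "$IPT" -I INPUT "$pos" -p icmp -j icmp
    else
        "$IPT" -A INPUT -p icmp -j icmp
    fi
}

if [ "${1:-}" = "apply" ]; then
    icmp_rules
    hook_into_input
fi
```

Run it once with `IPT=echo` to review the exact commands before applying them as root. On the rule set in the question, the existing `ctstate RELATED,ESTABLISHED` rule already admits echo replies and ICMP errors tied to tracked connections, so the explicit `--ctstate` rules in the chain only matter if that rule is ever removed; the echo-request rules are what actually change the behaviour seen in the question.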
1

Simply use the commands below on the command line.

root# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
root# service network restart
chema989
  • 101
  • 5
prado
  • 920
  • 1
  • 11
  • 33