Reject icmp packet thru iptables

Shiraz Baig shiraz_baig at yahoo.com
Mon Feb 21 04:35:59 UTC 2005


Sir, 
I am trying to see the working of iptables. I read the
relevant HOWTOs and tried an experiment to get an ICMP
packet rejected. This experiment is from one of the
HOWTOs. But my experiment has not succeeded.

Could someone tell me why my ICMP packet was not
rejected, in spite of the fact that the rules show that it
should be rejected?

Here is what I did.

Step 1:
I did the following to test that ICMP protocol packets
are allowed:
	# ping -c 1 127.0.0.1

I got the response:

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

It showed ICMP packets can go through.

Step 2:
I checked the rules to confirm the above.
	# iptables -L
I got the response:
--------- response ----------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere
................ remaining skipped ............

Step 3:
Now I gave a command to deny the ICMP protocol packets.
	# iptables -A INPUT -s 127.0.0.1 -p icmp -j REJECT

Step 4:
Now I wanted to check that the ICMP protocol packets are
not allowed.
First I checked the rules.
	# iptables -L
I got the response:
--------- response ---------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere
REJECT     icmp --  localhost.localdomain  anywhere     reject-with icmp-port-unreachable
.................. remaining clipped .............

Step 5:
Now I gave the ping command to see that ICMP packets
are rejected.
	# ping -c 1 127.0.0.1

I got the response:
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

It showed that the packet was not rejected. It is
still allowed to pass through.

Question
My question is why this packet was not rejected. The
ruleset shows that this packet should be rejected. But
it has been accepted. Why?
bye
shiraz
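As an added illustration of the first-match traversal that decides the outcome above (this is example code, not part of the post or of iptables): a small Python model of how the INPUT chain walks its rules, jumping into the RH-Lokkit-0-50-INPUT chain before it ever reaches the appended REJECT. It assumes the clipped Lokkit chain contains an accept-for-loopback rule (`-i lo -j ACCEPT`), which the listing does not show; under that assumption the appended rule is never consulted for a ping to 127.0.0.1, while the same rule inserted at position 1 is.

```python
# Added example: a toy first-match model of iptables chain traversal.
# This is not iptables itself; it only mirrors the ordering rules that matter here:
# rules are tried top to bottom, a jump enters a user chain, and a user chain that
# ends without a terminating verdict falls back to the next rule in the caller.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
POLICIES = {"INPUT": "ACCEPT"}          # policy of the built-in chain, as listed above


def rule_matches(criteria, pkt):
    """Every criterion in the rule must equal the packet's field (empty rule = 'all')."""
    return all(pkt.get(field) == value for field, value in criteria.items())


def walk(chains, chain, pkt):
    """Return the verdict for pkt entering `chain`, or None if the chain returns."""
    for criteria, target in chains.get(chain, []):
        if not rule_matches(criteria, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt)      # jump into a user-defined chain
        if verdict is not None:
            return verdict                       # user chain decided; otherwise fall through
    return POLICIES.get(chain)                   # built-in chain: its policy; user chain: None


def verdict_for(chains, pkt):
    return walk(chains, "INPUT", pkt)


LOKKIT = "RH-Lokkit-0-50-INPUT"
REJECT_ICMP = ({"proto": "icmp", "src": "127.0.0.1"}, "REJECT")
# ASSUMPTION: the clipped Lokkit chain accepts anything arriving on the loopback
# interface (`-i lo -j ACCEPT`); the post's listing does not show its contents.
LOKKIT_RULES = [({"iface": "lo"}, "ACCEPT")]

# Ruleset as listed in Step 4: the Lokkit jump is rule 1, the appended REJECT is rule 2.
APPENDED = {"INPUT": [({}, LOKKIT), REJECT_ICMP], LOKKIT: LOKKIT_RULES}
# Same rules with the REJECT placed first, i.e. `iptables -I INPUT 1 ...` instead of `-A`.
INSERTED = {"INPUT": [REJECT_ICMP, ({}, LOKKIT)], LOKKIT: LOKKIT_RULES}

# Constructed packet summary: a ping to 127.0.0.1 arrives on the lo interface.
PING_LO = {"proto": "icmp", "src": "127.0.0.1", "iface": "lo"}

if __name__ == "__main__":
    print("appended:", verdict_for(APPENDED, PING_LO))   # ACCEPT: Lokkit chain decides first
    print("inserted:", verdict_for(INSERTED, PING_LO))   # REJECT: REJECT rule is tried first
```

`iptables -L -v` shows per-rule packet counters, which is the quickest way to confirm on a real system which rule is actually consuming the traffic.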






More information about the redhat-list mailing list