Reject ICMP packet through iptables
Shiraz Baig
shiraz_baig at yahoo.com
Mon Feb 21 04:35:59 UTC 2005
Sir,
I am trying to see the working of iptables. I read the
relevant HOWTOs and tried an experiment to get an ICMP
packet rejected. This experiment is from one of the
HOWTOs. But my experiment has not succeeded.
Could someone tell me why my ICMP packet was not
rejected, in spite of the fact that the rules show that it
should be rejected?
Here is what I did.
Step 1:
I did the following to test that ICMP protocol packets
are allowed:
#ping -c 1 127.0.0.1
I got the response:
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss,
time 0ms
It showed that ICMP packets can go through.
Step 2:
I checked the rules to make sure the above fact.
#iptables -L
I got the response:
--------- response ----------
Chain INPUT (policy ACCEPT)
target               prot opt source     destination
RH-Lokkit-0-50-INPUT all  --  anywhere   anywhere
................ remaining skipped ............
Step 3:
Now I gave a command to deny the ICMP protocol packets.
# iptables -A INPUT -s 127.0.0.1 -p icmp -j REJECT
Step 4:
Now I wanted to check that the ICMP protocol packets are
not allowed.
First I checked the rules.
#iptables -L
I got the response:
--------- response ---------------------
Chain INPUT (policy ACCEPT)
target               prot opt source                 destination
RH-Lokkit-0-50-INPUT all  --  anywhere               anywhere
REJECT               icmp --  localhost.localdomain  anywhere      reject-with icmp-port-unreachable
.................. remaining clipped .............
Step 5:
Now I gave the ping command to see that ICMP packets
are rejected.
# ping -c 1 127.0.0.1
I got the response:
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss,
time 0ms
It showed that the packet was not rejected. It is
still allowed to pass through.
Question
My question is why this packet was not rejected. The
ruleset shows that this packet should be rejected, but
it has been accepted. Why?
bye
shiraz
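In the `iptables -L` output above, the INPUT chain jumps into RH-Lokkit-0-50-INPUT before it ever reaches the appended REJECT rule, and iptables stops at the first rule that gives a terminal verdict. Whether the REJECT is evaluated therefore depends entirely on what the Lokkit chain does with a loopback ICMP packet, and that chain's contents are clipped from the post. The simulation below is an added example written for this page, not code from the post, from Red Hat or from Lokkit: it models iptables first-match traversal with jumps into user chains and RETURN semantics. It assumes, purely for illustration, that RH-Lokkit-0-50-INPUT contains `-i lo -j ACCEPT`; the `Packet`, `Rule` and `Firewall` classes and the function names are hypothetical.

```python
"""Simulate iptables chain traversal to show why an appended rule can be dead code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal immediately


@dataclass
class Packet:
    src: str        # source address
    proto: str      # "icmp", "tcp", ...
    in_iface: str   # interface the packet arrived on


@dataclass
class Rule:
    target: str                       # ACCEPT / DROP / REJECT or a user-chain name (-j)
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s
    in_iface: Optional[str] = None    # -i

    def matches(self, pkt: Packet) -> bool:
        # Every specified criterion must hold; an unspecified one matches anything.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or self.src == pkt.src)
                and (self.in_iface is None or self.in_iface == pkt.in_iface))

    def __str__(self) -> str:
        parts = [f"-p {self.proto}" if self.proto else "",
                 f"-s {self.src}" if self.src else "",
                 f"-i {self.in_iface}" if self.in_iface else "",
                 f"-j {self.target}"]
        return " ".join(p for p in parts if p)


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"INPUT": []}
        self.policy: Dict[str, str] = {"INPUT": "ACCEPT"}   # built-in chain default policy

    def new_chain(self, name: str) -> None:                  # iptables -N <name>
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:        # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None:  # iptables -I <chain> <pos> ...
        self.chains[chain].insert(pos - 1, rule)

    def verdict(self, pkt: Packet, chain: str = "INPUT",
                trace: Optional[List[str]] = None) -> str:
        """Walk a chain top to bottom; first terminal match wins, user chains may RETURN."""
        if trace is None:
            trace = []
        for n, rule in enumerate(self.chains[chain], start=1):
            if not rule.matches(pkt):
                trace.append(f"{chain}:{n} {rule} (no match)")
                continue
            trace.append(f"{chain}:{n} {rule} (match)")
            if rule.target in TERMINAL:
                return rule.target
            sub = self.verdict(pkt, rule.target, trace)   # jump into a user chain
            if sub != "RETURN":
                return sub                                 # user chain decided the packet
        if chain in self.policy:
            trace.append(f"{chain}: end of chain, policy {self.policy[chain]}")
            return self.policy[chain]
        return "RETURN"   # end of a user chain: resume in the calling chain


def lokkit_style_firewall() -> Firewall:
    """INPUT jumps to a Lokkit chain first, as in the post's -L output."""
    fw = Firewall()
    fw.new_chain("RH-Lokkit-0-50-INPUT")
    fw.append("INPUT", Rule(target="RH-Lokkit-0-50-INPUT"))
    # ASSUMPTION (not shown in the clipped -L output): the Lokkit chain accepts loopback traffic.
    fw.append("RH-Lokkit-0-50-INPUT", Rule(target="ACCEPT", in_iface="lo"))
    return fw


LOCAL_PING = Packet(src="127.0.0.1", proto="icmp", in_iface="lo")  # constructed: ping 127.0.0.1
REJECT_ICMP = Rule(target="REJECT", src="127.0.0.1", proto="icmp")  # the post's -A INPUT rule


def verdict_after_append() -> Tuple[str, List[str]]:
    """-A puts the REJECT after the Lokkit jump: it is never consulted."""
    fw = lokkit_style_firewall()
    fw.append("INPUT", REJECT_ICMP)
    trace: List[str] = []
    return fw.verdict(LOCAL_PING, trace=trace), trace


def verdict_after_insert() -> Tuple[str, List[str]]:
    """-I INPUT 1 puts the REJECT ahead of the Lokkit jump: it fires first."""
    fw = lokkit_style_firewall()
    fw.insert("INPUT", REJECT_ICMP, pos=1)
    trace: List[str] = []
    return fw.verdict(LOCAL_PING, trace=trace), trace


if __name__ == "__main__":
    for label, fn in (("-A INPUT", verdict_after_append), ("-I INPUT 1", verdict_after_insert)):
        verdict, steps = fn()
        print(f"{label}: verdict {verdict}")
        for step in steps:
            print("   ", step)
```

On a real box the equivalent checks are `iptables -L RH-Lokkit-0-50-INPUT -n -v` (to see what the user chain does with the packet, with per-rule counters) and `iptables -L INPUT -n -v --line-numbers`; if the REJECT must take precedence over the Lokkit chain, place it with `iptables -I INPUT 1 ...` rather than `-A`, or append it inside the user chain ahead of its ACCEPT rules.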