Fwd: Fwd: [CentOS] HOW to enable traceroute with IPTABLES (SOLVED)

Tue Feb 20 03:30:12 UTC 2007
Indunil Jayasooriya <indunil75 at gmail.com>

Hi all,

That issue is over now. I found why my ESTABLISHED,RELATED rule at the top
of the INPUT chain did not work for UDP and ICMP.

The reason was that I had included the protocol as tcp, as below:
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

I removed -p tcp from the above rule. Now it works for all protocols.

Thanks for your support.


---------- Forwarded message ----------
From: Robert Spangler <lazydog at zoominternet.net>
Date: Feb 20, 2007 2:45 AM
Subject: Re: Fwd: [CentOS] HOW to enable traceroute with IPTABLES
To: Indunil Jayasooriya <indunil75 at gmail.com>

On Mon February 19 2007 00:00, you wrote:

>  I have included ESTABLISHED,RELATED at the top of your INPUT chain as
> below
>
>  #Allow established,related traffic to come back
>  #(for OUTPUT traffic to come back)
>  iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>  But without an INPUT statement it does not work. BUT for TCP OUTPUT
> traffic, that will be applicable. But other than tcp (i.e. UDP and ICMP)
> I will have to include an INPUT statement.

I have no INPUT statements for any traffic that is started from my box.  You
will only need INPUT statements for traffic that originates from the internet
that you want to connect to your box.

>  A few OUTPUT rules that I need INPUT statements for are given below. (not TCP)
>
>  #UDP
>  iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
>  iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

You don't need INPUT statements for DNS unless you are expecting someone to
connect to your box from the outside.  ESTABLISHED,RELATED should take care
of this for you.

>  #ICMP (for ping www.google.com)
>
>  iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
>  iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT

OK, here there are many different kinds of ICMP traffic.  To view what is
available try this:

iptables -p icmp -h

With the above INPUT statement you are allowing all types of ICMP packets into
your system.

>  And this is for TCP  ( it does not need an INPUT statement; it works fine)
>
>  iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT

That is because the reply from the system you are SSH'ing to is already
considered an ESTABLISHED,RELATED connection, which is handled by your
ESTABLISHED,RELATED rule.

>  Please explain, why?

I hope that might have cleared up some confusion you were/are having.


--

Regards
Robert

Smile... it increases your face value!


-- 
Thank you
Indunil Jayasooriya
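As an added illustration, not part of the thread, here is a small Python model of iptables first-match evaluation that shows why the `-p tcp` on the ESTABLISHED,RELATED rule let SSH replies through but dropped DNS replies, ping replies and traceroute's ICMP errors. The sample packets and the default DROP policy are constructed assumptions, not real netfilter behaviour.

```python
"""Toy model of INPUT-chain evaluation: why '-p tcp' on the state rule broke UDP/ICMP."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or DROP
    proto: Optional[str] = None      # None models a rule without '-p' (any protocol)
    states: frozenset = frozenset()  # empty models a rule without '-m state'

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True

def verdict(chain, pkt, policy="DROP"):
    """First matching rule decides, as in iptables; otherwise the chain policy applies.
    A default DROP policy is an assumption for this model."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

ESTABLISHED_RELATED = frozenset({"ESTABLISHED", "RELATED"})

# The rule from the thread: '-p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT'
BROKEN_INPUT = [Rule("ACCEPT", proto="tcp", states=ESTABLISHED_RELATED)]
# The fix from the thread: the same rule with '-p tcp' removed
FIXED_INPUT = [Rule("ACCEPT", states=ESTABLISHED_RELATED)]

# Constructed replies to the outbound traffic the thread discusses
REPLIES = {
    "ssh reply": Packet("tcp", "ESTABLISHED"),
    "dns reply": Packet("udp", "ESTABLISHED"),
    "echo reply": Packet("icmp", "ESTABLISHED"),
    "ttl exceeded": Packet("icmp", "RELATED"),  # traceroute's ICMP error, RELATED to the probe
    "unsolicited syn": Packet("tcp", "NEW"),    # inbound connection attempt, no conntrack entry
}

def evaluate(chain):
    """Return the verdict for each sample reply under the given INPUT chain."""
    return {name: verdict(chain, pkt) for name, pkt in REPLIES.items()}

if __name__ == "__main__":
    for label, chain in (("broken", BROKEN_INPUT), ("fixed", FIXED_INPUT)):
        print(label, evaluate(chain))
```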