Hello all,
I am messing around with iptables, trying to learn how it works so that I can build myself a router/firewall and maybe a VPN. Anyway, I tried to use a command on my desktop CentOS 3 machine:
"iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP"
Now the command seems to have gone through, because I didn't get any errors, but when I go to ping 127.0.0.1 I am getting a response and my packet loss is 0%. It should be 100% packet loss.
Can anyone tell me what I am doing wrong? I am not trying to do anything yet, just want to learn by exploring.
Thanks all.
__________________________________ Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail
On Thu, 12 Aug 2004, scty Library wrote:
"iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP"
Try:
iptables -A INPUT -d 127.0.0.1 -p icmp -j DROP
Since you're pinging 127.0.0.1, that's the destination (-d) address, not the source (-s) address.
-- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [Any errors in spelling, tact or fact are transmission errors]
No, that did not work either.
--- Dag Wieers dag@wieers.com wrote:
Try:
iptables -A INPUT -d 127.0.0.1 -p icmp -j DROP
# DROP PING
iptables -A INPUT -p icmp -s 127.0.0.1 -j DROP
-----Original Message----- From: centos-admin@caosity.org [mailto:centos-admin@caosity.org]On Behalf Of scty Library Sent: Thursday, August 12, 2004 2:07 PM To: centos Linux Subject: Re: [Centos] Messing around with iptables
No, that did not work either.
On Thu, 12 Aug 2004, scty Library wrote:
No, that did not work either.
Allow me to demonstrate this one:
[root@emyn ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.049 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.047 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.047/0.048/0.049/0.001 ms, pipe 2

[root@emyn ~]# iptables -A INPUT -d 127.0.0.1 -p icmp -j DROP

[root@emyn ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms

[root@emyn ~]# iptables -L INPUT -xnv
Chain INPUT (policy ACCEPT 29425 packets, 14876789 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        168 DROP       icmp --  *      *       0.0.0.0/0            127.0.0.1

[root@emyn ~]# iptables -D INPUT -d 127.0.0.1 -p icmp -j DROP

[root@emyn ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.050 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.047 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1017ms
rtt min/avg/max/mdev = 0.047/0.048/0.050/0.007 ms, pipe 2
It should be the same for you.
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [Any errors in spelling, tact or fact are transmission errors]
Hello all,
Thanks for all your advice I will probably use one of the distro/products suggested.
I did figure out why it didn't work. I already had the RH firewall enabled, so that took precedence. When I disabled it I was then able to use that command and it worked just fine.
Thanks again.
If you want to get serious about firewalls, I suggest picking up a good book.
My favorite so far is "Linux Firewalls" by Robert L. Ziegler.
Of course there are tons of resources on the net that can be very helpful too!
Good luck!
-----Original Message----- From: centos-admin@caosity.org [mailto:centos-admin@caosity.org]On Behalf Of scty Library Sent: Friday, August 13, 2004 8:27 AM To: centos Linux Subject: Re: [Centos] Messing around with iptables
On Fri, 13 Aug 2004, Andrew Cotter wrote:
If you want to get serious about firewalls, I suggest picking up a good book.
If you're interested, I've written a small tool as a proof of concept and prototyped it in Bash. It's called Dwall and allows you to set up complex firewalls (ie. with multiple zones) using only a few config-files.
It's actually very simple and allows you to have an overview of what is configured and what changes have been made and when (and by whom). You can download it from:
http://dag.wieers.com/home-made/dwall/
I'm looking for someone who's got the time to re-implement it in Python, but if that doesn't happen and I gain some extra time, I may do that myself :)
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [Any errors in spelling, tact or fact are transmission errors]
On Fri, 2004-08-13 at 08:06, Andrew Cotter wrote:
If you want to get serious about firewalls, I suggest picking up a good book.
I use this as a starting point for all my firewalls:
http://ldp.hughesjr.com/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples...
Johnny Hughes HughesJR.com
Sorry chiming in a bit late, but the best iptables scripting tool I've found is firehol: http://firehol.sf.net/ It's actively maintained, makes really tight rules, and provides the right level of abstraction for making obvious what you intend the firewall to do without getting bogged down in the arcana of either a scripting language or iptables.
It's especially useful for iptables machines where there's more than one person maintaining the firewall because it keeps the "What the hell were they thinking?!" factor down to a minimum.
And, obviously, if you're just getting started in firewalling it's far better to have something you can understand and make small modifications to, rather than blindly ginning up iptables rules -- a bad firewall is worse than no firewall because it gives you a false sense of security. Firehol's "explain" mode prints out the rules it *would* generate for a given directive to help you understand iptables.
And, while we're on the subject, I would be remiss if I didn't include a link to a very helpful diagram for understanding iptables: http://l7-filter.sourceforge.net/PacketFlow.png
Cheers -=Eric
iptables -A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j DROP
DP
On Thu, 2004-08-12 at 11:37, scty Library wrote:
"iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP"
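Two things in this thread come down to how netfilter walks the INPUT chain: the original poster's finding that the Red Hat firewall "took precedence", and DP's `--icmp-type 8` variant. `iptables -A` appends after whatever is already in the chain, and on a lokkit-style setup the first INPUT rule jumps into a user chain whose `-i lo -j ACCEPT` accepts the loopback ping before an appended DROP is ever reached (on loopback both source and destination are 127.0.0.1, so the `-s` and `-d` forms above match the same packets). The Python below is an added example, not code from the thread or from any of its posters: a toy first-match evaluator over a constructed iptables-save style ruleset. The chain name RH-Firewall-1-INPUT and its rule order are assumptions of the example, not a dump from a real machine. It shows the appended rule losing to the loopback ACCEPT, the same rule winning when inserted at position 1, and the type-8-only rule dropping echo requests while an echo reply still passes.

```python
import shlex
from ipaddress import ip_address, ip_network

# Option -> rule key; every option in this subset takes exactly one value.
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "iface", "-j": "target"}


def parse_rule(line):
    """Parse one '-A CHAIN [matches] -j TARGET' line into a dict; unknown options are ignored."""
    argv = shlex.split(line)
    rule = {"chain": argv[1]}
    for opt, val in zip(argv[2::2], argv[3::2]):
        if opt in OPTS:
            rule[OPTS[opt]] = val
        elif opt == "--icmp-type":
            rule["icmp_type"] = int(val)
    return rule


def parse_save(text):
    """Read ':CHAIN POLICY' and '-A ...' lines of an iptables-save filter table."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]   # policy "-" marks a user chain
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """pkt is a dict with src, dst, proto, iface and (for ICMP) icmp_type."""
    for key in ("iface", "proto", "icmp_type"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and ip_address(pkt[key]) not in ip_network(rule[key], strict=False):
            return False
    return True


def verdict(policies, chains, pkt, chain="INPUT"):
    """Walk a chain top to bottom like the kernel: the first terminating match wins.
    Returns (verdict, matching rule); the rule is None when the chain policy decided."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, rule
        if target in chains:                      # jump into a user chain
            v, r = verdict(policies, chains, pkt, target)
            if v is not None:
                return v, r
            # the user chain reached its end without deciding: continue here
    policy = policies.get(chain, "-")
    return (policy, None) if policy != "-" else (None, None)


# Constructed sample in the shape of the Red Hat lokkit firewall of that era;
# the chain name and rule order are assumptions of this example, not a real dump.
RH_FIREWALL = """\
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# A loopback ping as INPUT sees it: ICMP type 8 is echo request, type 0 is echo reply.
ECHO_REQUEST = {"src": "127.0.0.1", "dst": "127.0.0.1", "proto": "icmp", "iface": "lo", "icmp_type": 8}
ECHO_REPLY = dict(ECHO_REQUEST, icmp_type=0)


def place_and_test(rule_line, position, pkt):
    """Add rule_line to INPUT: append (position None, like 'iptables -A INPUT') or insert at a
    0-based index (like 'iptables -I INPUT <index+1>'); return (verdict, deciding chain)."""
    policies, chains = parse_save(RH_FIREWALL)
    where = len(chains["INPUT"]) if position is None else position
    chains["INPUT"].insert(where, parse_rule(rule_line))
    v, r = verdict(policies, chains, pkt)
    return v, (r["chain"] if r else "policy")


def loopback_ping_verdicts():
    drop_all = "-A INPUT -d 127.0.0.1 -p icmp -j DROP"
    drop_req = "-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j DROP"
    return {
        # as appended in the thread: the jump runs first and '-i lo -j ACCEPT' wins
        "appended": place_and_test(drop_all, None, ECHO_REQUEST),
        # inserted at the top ('iptables -I INPUT 1 ...'): evaluated before the jump
        "inserted": place_and_test(drop_all, 0, ECHO_REQUEST),
        # type-8-only rule at the top: requests are dropped, replies still pass
        "type8_request": place_and_test(drop_req, 0, ECHO_REQUEST),
        "type8_reply": place_and_test(drop_req, 0, ECHO_REPLY),
    }


if __name__ == "__main__":
    for name, outcome in loopback_ping_verdicts().items():
        print(f"{name:14s} -> {outcome}")
```

On the real machine the equivalent checks are `iptables -L INPUT -nv --line-numbers`, where a shadowed rule keeps a pkts counter of 0 (compare Dag's listing above, where the counter reads 2 because his INPUT chain had nothing in front of the DROP), and `iptables-save` for the full chain order; `iptables -I INPUT 1 ...` inserts at the top instead of appending. The toy ignores match extensions it does not parse (`-m state`, `--dport` and the like), so only feed it the subset shown.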