[CentOS] 2 questions on CentOS firewall

Wed Jul 20 14:19:47 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 7/20/2011 5:51 AM, Timothy Murphy wrote:
>
> Further to my question,
> how can I determine if it is the Billion 5200S modem/router
> that is preventing pings, or if it is the CentOS-6 MicroServer
> attached to the modem/router?
>
> I don't see any reference to ICMP on the modem web-page.
>
> On the other hand the CentOS firewall seems to allow ICMP
> unless explicitly rejected (which I haven't done).
>
> Surely it would be slightly odd for a modem/router
> to reject pings by default?

Do you only have one public IP?  This sort of router is generally 
configured to do one->many source nat for a private network behind it. 
For tcp and udp packets there are more specified fields (port/socket 
info) that can be used to map inbound packets to the right private 
target either with configured entries or the dynamically maintained NAT 
table.  But there's no way to distinguish whether an inbound ping should 
be answered by the modem itself or passed through if you have specified 
a default 'dmz' target.  GRE packets (as used in pptp or router tunnels) 
have a similar problem of not having documented info that can be used to 
track the source NAT when there are multiple active sessions, although 
some routers manage to do it using Microsoft conventions in the packets.

> Is there any simple way, short of using something like ethereal,
> of determining if ICMP packets are reaching the computer,
> and being rejected there?

A sniffer like tcpdump or Wireshark is the simple way.  However, note 
that these see packets before they hit the host's iptables firewall so 
even if you see packets arriving, they may not be reaching any applications.

-- 
   Les Mikesell
    lesmikesell at gmail.com
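Added example, not part of the original thread: a way to turn the sniffer advice above into a verdict. Because the capture tap sits before the INPUT chain for incoming packets and after the OUTPUT chain for outgoing ones, a tcpdump run on the CentOS box shows both the echo requests that arrive and any echo replies the host actually sent. Requests with no replies means the host itself is dropping them (an iptables rule, or the net.ipv4.icmp_echo_ignore_all sysctl); no requests at all means the modem/router never forwarded them. The interface name, addresses and the captured lines below are constructed for the example, so the logic runs offline; the two commands a practitioner would actually type are in the comments.

```sh
#!/bin/sh
# Added example (not from the original post): classify where a ping is being
# eaten by reading what tcpdump on the CentOS host sees.
#   requests seen, replies seen   -> host answered; look at the router's return path
#   requests seen, no replies     -> host dropped them (iptables or icmp_echo_ignore_all)
#   nothing seen                  -> the modem/router never forwarded them
#
# On the real host (interface name eth0 is an assumption) you would run:
#   tcpdump -ni eth0 -c 20 icmp
# and, to see which INPUT rule is counting the packets:
#   iptables -L INPUT -v -n -x
# Constructed output of both commands is embedded below so this runs offline.

# Constructed tcpdump output: three requests arrive, none are answered.
TCPDUMP_HOST_DROPS='14:19:47.101 IP 203.0.113.5 > 192.168.1.10: ICMP echo request, id 4321, seq 1, length 64
14:19:48.102 IP 203.0.113.5 > 192.168.1.10: ICMP echo request, id 4321, seq 2, length 64
14:19:49.103 IP 203.0.113.5 > 192.168.1.10: ICMP echo request, id 4321, seq 3, length 64'

# Constructed tcpdump output: a request arrives and the host answers it.
TCPDUMP_ANSWERED='14:19:47.101 IP 203.0.113.5 > 192.168.1.10: ICMP echo request, id 4321, seq 1, length 64
14:19:47.102 IP 192.168.1.10 > 203.0.113.5: ICMP echo reply, id 4321, seq 1, length 64'

# Constructed "iptables -L INPUT -v -n -x" output: a DROP rule for icmp has
# counted the three packets while the ACCEPT icmp rule below it saw none.
# (A REJECT rule would also show up in the capture as an ICMP unreachable.)
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     3360 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       3      252 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
       5      300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22'

# Count capture lines carrying one ICMP type ("echo request" or "echo reply").
count_icmp() {   # $1 = tcpdump text, $2 = type string
    printf '%s\n' "$1" | awk -v t="ICMP $2" 'index($0, t) { n++ } END { print n+0 }'
}

# Sum the pkts column of INPUT rules whose target is $2 and protocol is icmp.
icmp_rule_pkts() {   # $1 = iptables -L -v -n -x text, $2 = ACCEPT / DROP / REJECT
    printf '%s\n' "$1" | awk -v tgt="$2" '$3 == tgt && $4 == "icmp" { n += $1 } END { print n+0 }'
}

# Verdict from a capture: upstream / host-drops / answered.
classify_capture() {   # $1 = tcpdump text
    req=$(count_icmp "$1" "echo request")
    rep=$(count_icmp "$1" "echo reply")
    if [ "$req" -eq 0 ]; then
        echo upstream
    elif [ "$rep" -eq 0 ]; then
        echo host-drops
    else
        echo answered
    fi
}

classify_capture "$TCPDUMP_HOST_DROPS"    # host-drops
classify_capture "$TCPDUMP_ANSWERED"      # answered
classify_capture ""                       # upstream
icmp_rule_pkts "$IPTABLES_SAMPLE" DROP    # 3
```

When the verdict is host-drops, the per-rule counters identify which rule ate the packets: the count on an ACCEPT icmp line staying at zero while a DROP or REJECT icmp line above it climbs is the firewall, not the router.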