Iptables ping!

# Simplest form: let any outbound ICMP out (except packets conntrack cannot
# classify) and only let back in what belongs to an existing flow.
iptables -A OUTPUT -o eth0 -p icmp -m conntrack ! --ctstate INVALID -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
You can go further and filter on the ICMP message type.
Replace 'adr_ip_gw' with the IP address of your router/gateway. It is given as source or destination because this ICMP type must only be sent to, or received from, your gateway.
# Inbound ICMP, one rule per message type; types 9, 10 and 18 are only accepted from the gateway
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ICMP Echo reply"
iptables -A INPUT -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Destination Net Unreachable"
iptables -A INPUT -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Destination Host Unreachable"
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ICMP Echo mssg"
iptables -A INPUT -s adr_ip_gw -p icmp -m icmp --icmp-type 9 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Router Advert"
iptables -A INPUT -s adr_ip_gw -p icmp -m icmp --icmp-type 10 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "ICMP Router Select"
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Time exceeded"
iptables -A INPUT -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Param pb"
iptables -A INPUT -p icmp -m icmp --icmp-type 13 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ICMP Timestamp mssg"
iptables -A INPUT -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ICMP Timestamp reply"
iptables -A INPUT -p icmp -m icmp --icmp-type 17 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ICMP Addr Mask mssg"
iptables -A INPUT -s adr_ip_gw -p icmp -m icmp --icmp-type 18 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ICMP Addr Mask reply"
iptables -A INPUT -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED -j ACCEPT -m comment --comment "ICMP Traceroute"

# Outbound ICMP, mirror of the inbound rules above (same types, same conntrack states)
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d adr_ip_gw -p icmp -m icmp --icmp-type 9 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -d adr_ip_gw -p icmp -m icmp --icmp-type 10 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 13 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 17 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d adr_ip_gw -p icmp -m icmp --icmp-type 18 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED -j ACCEPT
You can also reject ICMP packets with a "prohibited" message...
# Placed after the accept rules, these catch any remaining ICMP and answer with "host prohibited"
iptables -A OUTPUT -o eth0 -p icmp -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -i eth0 -p icmp -j REJECT --reject-with icmp-host-prohibited
Unfortunately, it is not yet possible to write a single rule that rejects every ICMP packet that does not match a known ICMP type!
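
As an added example, not taken from the original page, the POSIX shell script below builds the fine-grained accept rules and the closing reject rules above from one table, so the INPUT and OUTPUT chains stay symmetric and the gateway restriction for types 9, 10 and 18 cannot be forgotten on one side. The interface eth0 and the gateway 192.0.2.1 (standing in for 'adr_ip_gw') are constructed placeholders, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original page: build the paired INPUT/OUTPUT
# ICMP rules from one table so the two chains cannot drift apart.
# GW and IFACE are constructed placeholders (GW stands for 'adr_ip_gw').
GW="${GW:-192.0.2.1}"
IFACE="${IFACE:-eth0}"

# type   conntrack state   gateway-only?   comment
ICMP_TABLE='
0    ESTABLISHED      no   Echo reply
3/0  RELATED          no   Destination Net Unreachable
3/1  RELATED          no   Destination Host Unreachable
8    NEW,ESTABLISHED  no   Echo request
9    RELATED          yes  Router Advertisement
10   NEW              yes  Router Solicitation
11   RELATED          no   Time exceeded
12   RELATED          no   Parameter problem
13   NEW,ESTABLISHED  no   Timestamp request
14   ESTABLISHED      no   Timestamp reply
17   NEW,ESTABLISHED  no   Address mask request
18   ESTABLISHED      yes  Address mask reply
30   NEW,RELATED      no   Traceroute
'

# Print the INPUT and OUTPUT rule for one table row; gateway-only rows
# get -s/-d restricted to GW, as the page does for types 9, 10 and 18.
emit_rule_pair() {
  itype=$1; state=$2; gwonly=$3; shift 3; comment="$*"
  in_src=""; out_dst=""
  if [ "$gwonly" = yes ]; then in_src="-s $GW "; out_dst="-d $GW "; fi
  printf 'iptables -A INPUT -i %s %s-p icmp -m icmp --icmp-type %s -m conntrack --ctstate %s -m comment --comment "ICMP %s" -j ACCEPT\n' \
    "$IFACE" "$in_src" "$itype" "$state" "$comment"
  printf 'iptables -A OUTPUT -o %s %s-p icmp -m icmp --icmp-type %s -m conntrack --ctstate %s -m comment --comment "ICMP %s" -j ACCEPT\n' \
    "$IFACE" "$out_dst" "$itype" "$state" "$comment"
}

# Emit every accept rule, then reject whatever ICMP is left, as on the page.
icmp_rules() {
  printf '%s\n' "$ICMP_TABLE" | while read -r t s g c; do
    [ -n "$t" ] || continue
    emit_rule_pair "$t" "$s" "$g" "$c"
  done
  printf 'iptables -A INPUT -i %s -p icmp -j REJECT --reject-with icmp-host-prohibited\n' "$IFACE"
  printf 'iptables -A OUTPUT -o %s -p icmp -j REJECT --reject-with icmp-host-prohibited\n' "$IFACE"
}

# Dry run by default (prints the commands); APPLY=1 runs them (needs root).
if [ "${APPLY:-0}" = 1 ]; then icmp_rules | sh -e; else icmp_rules; fi
```

Review the printed output first, then run it with APPLY=1 as root once the chains' default policies and the other rules of your firewall are in place.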