Iptables ping !
iptables -A OUTPUT -o eth0 -p icmp -m conntrack --ctstate ! INVALID -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
On peut aller plus finement en gérant le type de réponse icmp.
Remplacez 'adr_ip_gw' par l'adresse ip de votre routeur/passerelle...
- celle-ci est précisée comme source ou destination parce que ce type d'ICMP ne
doit être envoyé ou reçu que de votre passerelle.
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ICMP Echo reply"
iptables -A INPUT -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Destination Net Unreachable"
iptables -A INPUT -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Destination Host Unreachable"
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ICMP Echo mssg"
iptables -A INPUT -s adr_ip_gw -p icmp -m icmp --icmp-type 9 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Router Advert"
iptables -A INPUT -s adr_ip_gw -p icmp -m icmp --icmp-type 10 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "ICMP Router Select"
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Time exceeded"
iptables -A INPUT -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -j ACCEPT -m comment --comment "ICMP Param pb"
iptables -A INPUT -p icmp -m icmp --icmp-type 13 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ICMP Timestamp mssg"
iptables -A INPUT -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ICMP Timestamp reply"
iptables -A INPUT -p icmp -m icmp --icmp-type 17 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ICMP Addr Mask mssg"
iptables -A INPUT -s adr_ip_gw -p icmp -m icmp --icmp-type 18 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ICMP Addr Mask reply"
iptables -A INPUT -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED -j ACCEPT -m comment --comment "ICMP Traceroute"
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d adr_ip_gw -p icmp -m icmp --icmp-type 9 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -d adr_ip_gw -p icmp -m icmp --icmp-type 10 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 13 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 17 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d adr_ip_gw -p icmp -m icmp --icmp-type 18 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED -j ACCEPT
On peut aussi rejeter les paquets icmp avec un message "interdit" ...
iptables -A OUTPUT -o eth0 -p icmp -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -i eth0 -p icmp -j REJECT --reject-with icmp-host-prohibited
Malheureusement, il n'est pas encore possible de refuser une règle affirmant de rejeter tout paquet ICMP qui n'est pas conforme à un type icmp connu !!!
<<| Page : Linux : IpTables : FAQ : ping : |>>