iptables & icmp-host-prohibited

iptables & icmp-host-prohibited

Post by Jason Marti » Sat, 10 Jun 2000 04:00:00



I'd like to have my 2.4.0-test1 machine return icmp-host-prohibited as
its REJECT message for incoming connections (standard dsl firewalling.)
"iptables -m icmp -h" lists:

Valid ICMP Types:
echo-reply (pong)
destination-unreachable
[blah blah]
   network-prohibited
   host-prohibited
[blah]

However, "iptables -j REJECT -h" lists
Valid reject types:
    icmp-net-unreachable        ICMP network unreachable
    net-unreach                 alias
    icmp-host-unreachable       ICMP host unreachable
    host-unreach                alias
    icmp-port-unreachable       ICMP port unreachable (default)
    port-unreach                alias
    icmp-proto-unreachable      ICMP protocol unreachable
    proto-unreach               alias
    echo-reply                  for ICMP echo only: faked ICMP echo reply
    echoreply                   alias

Is there any way to send an icmp 'prohibited' instead of "port
unreachable"? I know it is essentially meaningless, but it is just
something I'd like to do.

Thanks,
-Jason Martin
--
I distinctly remember forgetting that.
PGP KeyID=0x60FD6DDA
PGP Fingerprint:06 A4 24 E6 EC E2 E2 DE 68 74 1B 0E 9D 8F 27 92 60 FD 6D DA


iptables & icmp-host-prohibited

Post by bill davids » Sun, 18 Jun 2000 04:00:00




|
| I'd like to have my 2.4.0-test1 machine return icmp-host-prohibited as
| its REJECT message for incoming connections (standard dsl firewalling.)
| "iptables -m icmp -h" lists:

  I'll leave the rest for reference below, and return this information.
First, I think that reply is in some way prohibited, or at least
non-standard. The types are defined in linux/icmp.h and a few other
places, and while IPT_ICMP_PORT_UNREACHABLE is defined (3), there
doesn't seem to be any IPT_ICMP_HOST_PROHIBITED in any header file I
could find.

  Now, if you want to code it yourself, the codes you need to use are:
        {   "network-prohibited", 3, 9, 9 },
        {   "host-prohibited", 3, 10, 10 },
        {   "communication-prohibited", 3, 13, 13 },
with the last number being the value of the missing three IPT_xxx
defines. So you can go into the source code for iptables at file
extensions/libipt_REJECT.c and add the extra three reasons, and see what
it does for you.

  I didn't have a spare machine built to give it a try, but I did the
homework and it does compile. I then deleted it before I got tempted
to try it anyway ;-)

| Valid ICMP Types:
| echo-reply (pong)
| destination-unreachable
| [blah blah]
|    network-prohibited
|    host-prohibited
| [blah]
|
| However, "iptables -j REJECT -h" lists
| Valid reject types:
|     icmp-net-unreachable      ICMP network unreachable
|     net-unreach               alias
|     icmp-host-unreachable     ICMP host unreachable
|     host-unreach              alias
|     icmp-port-unreachable     ICMP port unreachable (default)
|     port-unreach              alias
|     icmp-proto-unreachable    ICMP protocol unreachable
|     proto-unreach             alias
|     echo-reply                for ICMP echo only: faked ICMP echo reply
|     echoreply                 alias

--

  "Doing interesting things with little computers since 1979"(tm)
The hardest test of maturity is knowing the difference between
resisting temptation and missing a once-in-a-lifetime opportunity.
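As an added example (not code from this thread or from iptables), the following program classifies an ICMP Destination Unreachable reply using the same {name, type, code_min, code_max} table layout the post quotes, with the three "prohibited" codes (9, 10, 13) included, and verifies the RFC 1071 checksum before trusting the code; build_unreachable() constructs sample messages and is a hypothetical helper for demonstration.

```c
/* Added example: name the ICMP reject reason of a received type 3 message,
 * using the table layout the post quotes ({ name, type, code_min, code_max }). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct icmp_name { const char *name; uint8_t type, code_min, code_max; };

static const struct icmp_name reject_names[] = {
    { "net-unreachable",          3, 0,  0  },
    { "host-unreachable",         3, 1,  1  },
    { "proto-unreachable",        3, 2,  2  },
    { "port-unreachable",         3, 3,  3  },
    { "network-prohibited",       3, 9,  9  },   /* codes 9, 10 and 13 are the */
    { "host-prohibited",          3, 10, 10 },   /* "prohibited" reasons the   */
    { "communication-prohibited", 3, 13, 13 },   /* thread asks about          */
};

/* RFC 1071 one's-complement checksum over the whole ICMP message.
 * Over a message whose checksum field is already filled in, the result is 0. */
static uint16_t icmp_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample (hypothetical helper): a minimal 8-byte type 3 message
 * with the given code, no quoted datagram, valid checksum. Returns the length. */
size_t build_unreachable(uint8_t out[8], uint8_t code) {
    memset(out, 0, 8);
    out[0] = 3; out[1] = code;          /* checksum field stays 0 while summing */
    uint16_t csum = icmp_checksum(out, 8);
    out[2] = (uint8_t)(csum >> 8); out[3] = (uint8_t)csum;
    return 8;
}

/* Returns the reject-reason name, "unknown" for a type/code not in the table,
 * or NULL when the message is shorter than the 8-byte header or its checksum fails. */
const char *icmp_reject_reason(const uint8_t *msg, size_t len) {
    if (len < 8 || icmp_checksum(msg, len) != 0) return NULL;
    for (size_t i = 0; i < sizeof reject_names / sizeof reject_names[0]; i++)
        if (msg[0] == reject_names[i].type && msg[1] >= reject_names[i].code_min
                && msg[1] <= reject_names[i].code_max)
            return reject_names[i].name;
    return "unknown";
}
```

Later iptables releases accept --reject-with icmp-net-prohibited, icmp-host-prohibited and icmp-admin-prohibited (type 3, codes 9, 10 and 13) directly, so editing libipt_REJECT.c is only needed on a tree as old as the one discussed here.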
