iptables Firewall fun

WARNING: This is a technical geeky post about my Internet firewall… friends and family not interested need read no further…
For friends and family still with me here, iptables is the software in my Internet firewall that keeps the big bad Internet hackers from poking at my computers and causing problems.
I’ve been studying the docs and looking at other people’s examples around cyberspace and got it working… One of the problems I ran into was when I tried to ping out to the world. If I tried to ping www.google.com I got this message back:
ping: sendmsg: operation not permitted
I’m running Ubuntu Server 10.04 LTS as a border gateway/firewall. Lots of discussion on the net, and a few gave me clues but didn’t solve the problem… The hints were that it was a firewall issue… ok… no worries… here is the code I used to fix the problem:

# $extif holds the name of the external (Internet-facing) interface
# ICMP type 8 = echo-request (the ping), type 0 = echo-reply (the answer)
iptables -A OUTPUT -o $extif -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -o $extif -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $extif -p icmp --icmp-type 0 -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -i $extif -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT

The problem I had was I couldn’t remember which ICMP type was the echo request and which was the echo reply… Time to look at the RFC (for friends and family, RFCs are “Requests For Comments”; they are the specifications for how the Internet works). Ping uses a protocol called ICMP, the “Internet Control Message Protocol”, and ICMP is just one of MANY specifications out there. Turns out the pings I was sending out were being blocked by my own firewall. A ping, known as an echo-request, is type 8 in the spec. The responses, known as echo-replies, are type 0 in the spec. I had them backwards. So I fixed it once I figured the problem out, and set it up so my system can also respond to pings from my ISP, but you’ll notice I’m rate-limiting on my INPUT chain to prevent misuse by people on the outside… The four lines above do the following:
Line 1: Allows my machine to send out ping replies.
Line 2: Allows me to send out ping requests.
Line 3: Allows replies to pings I send out to come back. I’m limiting the replies in case a hacker tries to flood me with unsolicited replies.
Line 4: Limits incoming ping requests. I’m limiting these to prevent hackers from flooding me with ping requests.
Now when I send pings out I get the replies back instead of bombing out with an error. I don’t claim the limiting I’ve implemented will stop all abuse that hackers might dish out, but it will slow them down enough so our home network will stay up instead of going down cold.
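To make the two halves of this concrete, here is an added example (my own illustration, not code from the original post or from iptables itself). The first part builds and parses ICMP echo packets so you can see where type 8 and type 0 live in the header and check the RFC 1071 checksum; the second part is a token-bucket model of what `-m limit --limit RATE` does, using the module's default burst of 5, run over constructed timestamps so you can see how many packets of a flood rule 4 would actually accept. The model is an approximation of the real kernel module, not its code.

```python
import struct

# ICMP types matched by the rules in the post.
ICMP_ECHO_REPLY = 0    # type 0: the answer that comes back (rules 1 and 3)
ICMP_ECHO_REQUEST = 8  # type 8: what `ping` sends out (rules 2 and 4)
ICMP_NAMES = {ICMP_ECHO_REPLY: "echo-reply", ICMP_ECHO_REQUEST: "echo-request"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the header and report whether the checksum over the whole packet verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "name": ICMP_NAMES.get(icmp_type, "other"),
        "checksum_ok": icmp_checksum(packet) == 0,
    }


class LimitMatch:
    """Token-bucket model of `-m limit --limit rate --limit-burst burst`.

    Assumption: iptables' default --limit-burst is 5; the bucket starts full,
    refills at `rate` tokens per second and one token is spent per matched packet.
    """

    def __init__(self, rate_per_sec: float, burst: int = 5):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allows(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate_per_sec: float, timestamps, burst: int = 5):
    """Return (accepted, dropped) for packets arriving at the given times (seconds)."""
    match = LimitMatch(rate_per_sec, burst)
    accepted = sum(1 for t in timestamps if match.allows(t))
    return accepted, len(timestamps) - accepted


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"hello")
    print(parse_icmp(req))  # type 8, name echo-request, checksum_ok True
    # Constructed flood: 100 echo-requests spread over one second against rule 4.
    flood = [i * 0.01 for i in range(100)]
    print(simulate(1, flood))  # (5, 95): the burst of 5 gets through, the rest is dropped
    # A well-behaved remote pinging once a second passes untouched.
    print(simulate(1, [float(i) for i in range(10)]))  # (10, 0)
```

The second simulation is the check worth keeping in mind: `--limit 1/s` alone does not mean "one per second from the first packet", because the default burst lets the first five through at once. Pass `--limit-burst` explicitly if you want to change that.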
