IPCop - Blocking PING on red interface

To block PING on the RED interface of IPCop I have modified /etc/rc.d/rc.firewall as follows:

OLD:

# Allow ICMP echo-request (ping), all other essential ICMP will be
# ESTABLISHED or RELATED, and the rest caught by the default DENY policy
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

NEW:

# Allow ICMP echo-request (ping), all other essential ICMP will be
# ESTABLISHED or RELATED, and the rest caught by the default DENY policy
if [ "$IFACE" != "" ]; then
    # RED PING
    /sbin/iptables -A INPUT -p icmp --icmp-type 8 -i "$IFACE" -j DROP
fi
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Where $IFACE is the device connected to the internet (ppp0 on my DSL system). It appears to be working correctly and I can still ping other addresses.

Is the above change the sensible way to do it, or should I have added the code to the iptables_red() function instead? The problem I see is that when the red interface is stopped or started, only iptables_red() is called during "rc.firewall reload".

Will it break something if that rule is left in the INPUT chain although the ppp0 interface is down?

Thanks for any insight you may have on this matter.

Bill

Bill Mair

The above wasn't working on initial boot of IPCop because the ppp0 device doesn't exist at the time.

This works great together with the BlockOutTraffic MOD which flushes the CUSTOMINPUT chain when called.

If you aren't using that MOD then you'll have to flush it yourself.

So I changed /etc/rc.d/rc.firewall.local to this:

-------------------------------- cut here --------------------------------
#!/bin/sh
# Used for private firewall rules
#
# Drop pings coming in on the RED interface for stealth.
#
# CUSTOMINPUT is checked before the INPUT chain's default of ACCEPT
#

eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)
IFACE=`/bin/cat /var/ipcop/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
if [ -f /var/ipcop/red/device ]; then
    DEVICE=`/bin/cat /var/ipcop/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
fi

LOGGER="/usr/bin/logger -p daemon.info -t rc.firewall.local -i"

iptables_red() {
    if [ "$IFACE" != "" ]; then
        if [ -f /var/ipcop/red/active ]; then
            # Interface exists and it is active
            $LOGGER "DROP ping on RED interface: $IFACE."
            /sbin/iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i "$IFACE" -j DROP
        else
            # Interface exists but not active, happens on a disconnect.
            $LOGGER "RED interface $IFACE exists but not active."
        fi
    else
        $LOGGER "RED interface not defined yet."
    fi
}

# See how we were called.
case "$1" in
    start)
        $LOGGER "Load custom rules"
        ## add your 'start' rules here
        #Added for BlockOutTraffic - BEGIN
        /usr/local/bin/setfwrules
        #Added for BlockOutTraffic - END
        iptables_red
        ;;
    stop)
        ## add your 'stop' rules here
        ;;
    reload)
        $LOGGER "Reload custom rules"
        ## add your 'reload' rules here
        #
        # /sbin/iptables -F CUSTOMINPUT
        # iptables_red
        #
        # BlockOutTraffic flushes the CUSTOMINPUT chain
        # so just start the local rules again
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|reload|stop}"
esac
-------------------------------- cut here --------------------------------

Hope this helps someone else.

Bill
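The following is an added example, not code from either post above and not part of IPCop itself. It isolates the decision logic of the iptables_red() function from both posts (RED interface name read from a state file, rule added only when the interface is active) into a function that takes the state directory as a parameter and, by default, only echoes the iptables command instead of running it. That makes the three cases the second post describes (RED not defined yet at boot, RED defined but not active after a disconnect, RED active) testable against a constructed directory without root and without touching a live firewall. The directory argument, the IPTABLES variable and the exit codes are assumptions of this example; the rule itself is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original posts): dry-run friendly version of the
# iptables_red() logic. Reads the same state files IPCop keeps under
# /var/ipcop/red (iface, active) from the directory given as $1.
# IPTABLES defaults to a placeholder that only echoes the rule; set
# IPTABLES=/sbin/iptables and run as root to actually apply it.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# red_ping_drop STATEDIR
#   Emits (or applies) the CUSTOMINPUT DROP rule for ICMP echo-request on the
#   RED interface. Exit status (assumed for this example):
#     0  rule emitted/applied (RED defined and active)
#     1  RED interface defined but not active (disconnect case)
#     2  RED interface not defined yet (the initial-boot case from the post)
red_ping_drop() {
    statedir="$1"
    iface=""
    if [ -f "$statedir/iface" ]; then
        # strip the trailing newline, as the post does with tr -d '\012'
        iface=$(cat "$statedir/iface" 2>/dev/null | tr -d '\012')
    fi
    if [ -z "$iface" ]; then
        echo "RED interface not defined yet." >&2
        return 2
    fi
    if [ ! -f "$statedir/active" ]; then
        echo "RED interface $iface exists but not active." >&2
        return 1
    fi
    # Same rule as the post: drop echo-request arriving on RED, in CUSTOMINPUT.
    # $IPTABLES is deliberately unquoted so the dry-run prefix word-splits.
    $IPTABLES -A CUSTOMINPUT -p icmp --icmp-type 8 -i "$iface" -j DROP
}

# When run directly with a state directory, exercise it once.
if [ $# -ge 1 ]; then
    red_ping_drop "$1"
fi
```

Usage: `sh example.sh /var/ipcop/red` prints the rule that would be added (or the reason none is), and `IPTABLES=/sbin/iptables sh example.sh /var/ipcop/red` applies it. Because the function only emits the rule once `active` exists, calling it from the `start` and `reload` paths of rc.firewall.local, as the second post does, is what handles the boot-time case where the iface file is still empty.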

