  1. #1 amithad (Linux Newbie)

    ICMP Port Numbers


    Hi,

    On my Ubuntu desktop I installed the Gufw 11.10.2 firewall GUI. I have secured my firewall by DENYING all incoming and outgoing traffic and allowing some ports for communication. But the GUI doesn't let me add the ICMP protocol the way it lets me add SSH. So I need to know the port number/numbers for ICMP.

  2. #2 Atreyu (Trusted Penguin)
    There are no port numbers; ping uses ICMP, which is a protocol. You need something like this:

    Code:
    # accept ICMP echo-request (type 8) from host x.x.x.x on the INPUT chain
    iptables -A INPUT -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT

  3. #3 amithad (Linux Newbie)
    Thanks Atreyu,

    I did what you said, but I still get the same error message:

    ping: sendmsg: Operation not permitted

  4. #4 Atreyu (Trusted Penguin)
    Quote (amithad): I did what you said, but I still get the same error message
    Hmm... works for me. Did you restart iptables, or did you just add that one rule (via an iptables command) on the fly?

    Maybe show us your full iptables config, e.g.:

    Code:
    iptables-save
    If you don't have that, you can do:

    Code:
    iptables -L
    But it is easier (for me!) to see the actual iptables rules. If you have the rules saved to a file, you can show that; e.g., on RHEL it is /etc/sysconfig/iptables.

  5. #5 amithad (Linux Newbie)
    Dear Atreyu,

    I'm using Ubuntu 11.10 Desktop. Since there is no configuration file for iptables in Ubuntu as far as I know, I exported the rules with the command 'sudo iptables-save > /amitha/firewall.rules', and in that file the rule that you gave is already there. But I still can't ping with all the outgoing traffic disabled. I will attach that file to this post.

    Thanks

    # Generated by iptables-save v1.4.10 on Fri Oct 12 17:26:55 2012
    *filter
    :INPUT DROP [84:3801]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [369:37748]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m state --state INVALID -j ufw-logging-deny
    -A ufw-before-input -m state --state INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j DROP
    -A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw-user-input -p tcp -m multiport --dports 135,139,445 -j ACCEPT
    -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 110 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 53 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 25 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 110 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 5000 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 5000 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw-user-output -p tcp -m multiport --dports 135,139,445 -j ACCEPT
    -A ufw-user-output -p udp -m multiport --dports 137,138 -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 25 -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 110 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 110 -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 53 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 53 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 25 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 110 -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 22 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 22 -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 443 -j ACCEPT
    -A ufw-user-output -p tcp -m tcp --dport 5000 -j ACCEPT
    -A ufw-user-output -p udp -m udp --dport 5000 -j ACCEPT
    COMMIT
    # Completed on Fri Oct 12 17:26:55 2012

  6. #6 Atreyu (Trusted Penguin)
    Quote (amithad): But I still can't ping with all the outgoing traffic disabled.
    Oh, are you trying to initiate pings FROM your firewalled box? I thought you were trying to disable pings TO it...

  7. #7 amithad (Linux Newbie)
    Sorry for the miscommunication, Atreyu.

    You are exactly right! I want to ping from the Linux box protected by the firewall.

    Thanks
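Reading the dump in #5 against what #7 actually asks for (pings initiated from the box), the problem is direction, not a missing port. The OUTPUT policy is DROP; ufw-before-output accepts only traffic on lo and RELATED,ESTABLISHED packets; ufw-user-output lists only TCP/UDP ports. A new outbound echo-request therefore falls through every chain to the policy, and a locally generated packet dropped in OUTPUT is exactly what ping reports as "sendmsg: Operation not permitted" (EPERM). The rule in #2 is on INPUT, and that direction already accepts echo-request in ufw-before-input, which is why adding it changed nothing. The script below is an added example, not part of the thread: it walks a condensed copy of the posted dump the way the kernel would for a constructed outbound echo-request and for an inbound one, then shows the verdict change once an echo-request ACCEPT is placed in ufw-before-output. On Ubuntu that chain is populated from /etc/ufw/before.rules, which is where the rule would go before running `sudo ufw reload`. The interface name eth0, the packet fields and the condensed rule set are assumptions, and only the match options that occur in the dump are implemented.

```python
"""Trace one packet through an iptables-save dump, chain by chain.
Added example, not from the thread. RULES is condensed from the dump in #5
(only the chains that matter for ping); the packets are constructed."""
import shlex

RULES = """\
*filter
:INPUT DROP [84:3801]
:OUTPUT DROP [369:37748]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-logging-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-user-output -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Rule that lets a ping leave the box. On Ubuntu it belongs in the
# ufw-before-output section of /etc/ufw/before.rules (suggested fix, not from the thread).
OUTBOUND_PING = "-A ufw-before-output -p icmp -m icmp --icmp-type 8 -j ACCEPT"

def parse(dump):
    """Return ({chain: policy or None}, {chain: [rule tokens]})."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy, _counters = line[1:].split(None, 2)
            policies[name] = None if policy == "-" else policy   # "-": user chain
            chains[name] = []
        elif line.startswith("-A "):
            toks = shlex.split(line)          # keeps "[UFW BLOCK] " as one token
            chains[toks[1]].append(toks[2:])
    return policies, chains

# Match option -> field of the constructed packet it is compared against.
FIELD = {"-i": "in_if", "-o": "out_if", "-p": "proto", "--icmp-type": "icmp_type",
         "--dport": "dport", "--dports": "dport", "--state": "state"}

def matches(mtoks, pkt):
    """True if every match option in the rule fits the packet."""
    for opt, val in zip(mtoks[::2], mtoks[1::2]):
        if opt == "-m" or opt.startswith("--limit"):
            continue                  # extension loader / rate limit (bucket not empty)
        if opt not in FIELD:
            raise ValueError(f"unsupported match option {opt}")
        if str(pkt.get(FIELD[opt])) not in val.split(","):   # list-valued options
            return False
    return True

def walk(policies, chains, chain, pkt, trace):
    """Verdict for pkt entering chain: ACCEPT/DROP/REJECT, or None on RETURN."""
    for toks in chains[chain]:
        j = toks.index("-j")
        mtoks, target = toks[:j], toks[j + 1]
        if not matches(mtoks, pkt):
            continue
        trace.append(f"{chain}: {' '.join(mtoks) or '(any)'} -j {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return policies[chain]    # built-in: policy; user chain: back to caller
        if target != "LOG":           # LOG is non-terminating; anything else is a jump
            sub = walk(policies, chains, target, pkt, trace)
            if sub is not None:
                return sub
    return policies[chain]            # end of chain: policy, or implicit RETURN

def verdict(dump, chain, pkt):
    """Trace one packet from a built-in chain; returns (verdict, trace lines)."""
    policies, chains = parse(dump)
    trace = []
    return walk(policies, chains, chain, pkt, trace), trace

def with_outbound_ping(dump):
    """The posted dump with OUTBOUND_PING placed first in ufw-before-output."""
    anchor = "-A ufw-before-output -o lo -j ACCEPT"
    return dump.replace(anchor, OUTBOUND_PING + "\n" + anchor, 1)

# Constructed packets: an echo-request leaving the box, and one arriving.
PING_OUT = {"proto": "icmp", "icmp_type": 8, "state": "NEW", "out_if": "eth0"}
PING_IN = {"proto": "icmp", "icmp_type": 8, "state": "NEW", "in_if": "eth0"}

if __name__ == "__main__":
    for label, dump, chain, pkt in [("ping out", RULES, "OUTPUT", PING_OUT),
                                    ("ping in", RULES, "INPUT", PING_IN),
                                    ("ping out, fixed", with_outbound_ping(RULES), "OUTPUT", PING_OUT)]:
        result, trace = verdict(dump, chain, pkt)
        print(f"{label}: {result}\n  " + "\n  ".join(trace))
```

The echo replies come back as ESTABLISHED (conntrack tracks ICMP echo request/reply pairs), so the existing RELATED,ESTABLISHED rule in ufw-before-input admits them and no inbound addition is needed. The [UFW BLOCK] LOG hit in the trace for the dropped packet is also what to grep for in the kernel log when diagnosing this on the real box.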

  8. #8 Atreyu (Trusted Penguin)
    Quote (amithad): I want to ping from the Linux box protected by the firewall
    That is a heap-load of iptables rules that ufw has generated for you. Perhaps there is a more sensible (i.e., app/distro-specific) way to modify the firewall rules. I've never done it myself via ufw, though, and I'm afraid I'll jack up your firewall.

    Perhaps this is along the lines of what you want, though. Check it out and see if it works/helps.

  9. #9 amithad (Linux Newbie)
    Many Thanks Atreyu,

    It worked perfectly. I struggled to get this command working, since my PC crashed due to an HDD error.

    Thanks

    Amitha

  10. #10 Atreyu (Trusted Penguin)
    Glad you got it sorted. You can mark this thread as Solved using the Thread Tools link at the top of the page.
