Koozali.org: home of the SME Server

how to discard icmp ping on SME 6.0.x

guest

« on: July 06, 2004, 05:15:45 PM »
I would like to do on my SME what lots of SOHO routers can do: drop or discard ICMP pings.
Does anyone have the command or syntax, or a how-to, for doing this on the external NIC only (eth1)?
Thanks

guest

« Reply #1 on: July 06, 2004, 06:13:17 PM »
I have found this bit of info that I think is on the right track, but I would like someone with experience doing this to review it and make suggestions.

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT  -p icmp  --icmp-type echo-reply \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type destination-unreachable \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type time-exceeded \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

boringgit

« Reply #2 on: July 06, 2004, 10:35:34 PM »
I am no Iptables master, but don't you want to "drop" not "accept"?

I also wonder if you need both the "Anywhere" and the "Wan_interface"? I would guess that just blocking all ICMP on the Wan side would do?

Only other thing is that I have no idea if $WAN_INTERFACE is a valid IPtables variable, or if it is designed to be run from within a script? I have used the standard Linux eth0 / eth1 before in IPtables and that has worked.

Sorry am not more help, but I have struggled plenty with IPtables myself in the past. Bright side is that changes apply immediately (remember to delete the rule if it doesn't work before applying a new one), so you can test it without having to reboot every 5 minutes ;)

Woodbuger

« Reply #3 on: July 07, 2004, 01:00:28 AM »
I believe you can achieve what you're wanting with e-smith-masq-manager-0.1-4. Do a forum search on the rpm to find out more info. The author is Muzo, and the given link was dead when I tried it. I have it installed on my SME custom iso 6.0.1-01 box. Most of the settings are over my head, but there are several icmp rules there. If you fail to find a link for it, let me know and I can e-mail the rpm to you.

Regards,
Woodbuger

guest

« Reply #4 on: July 07, 2004, 02:12:55 AM »
Appreciate the comments.
I did see the info on Muzo's rpm but did not install it, as there were no comments from others etc.
I would like to just do the command line entry without an rpm and achieve the desired result, and that is what I posted, as I was sure someone must be doing this.

RayG

« Reply #5 on: July 16, 2004, 01:01:37 AM »
You can block ICMP traffic by copying the icmp template fragment to the custom directory and editing out the icmp types you want ignored.

Create the custom template directory
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Copy the icmp template fragment
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustICMPIn

Edit the custom icmp template fragment
pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustICMPIn

Find the section that starts with "my @OKicmpTypes" and comment out the icmp types you don't want SME to respond to. Then save the file.

Rebuild the template
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Restart ip masquerade
service masq restart

Some posters seem to prefer doing a remote access update instead of restarting masq but I'm not entirely sure what the difference is.

NickR
« Reply #6 on: July 16, 2004, 07:08:48 AM »
Just noticed this thread. Why not use the SME Stealth setting (set to no by default)?

/sbin/e-smith/db configuration setprop masq Stealth yes

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

service masq restart
--
Nick......

guest

« Reply #7 on: July 16, 2004, 05:17:05 PM »
Ray & Nick,
Thanks for the info, really appreciated.
One last thing: in either example, before we test, how do you undo the changes if necessary?
Thanks

NickR
« Reply #8 on: July 16, 2004, 05:38:45 PM »
Quote from: "guest"
Ray & Nick,
Thanks for the info, really appreciated.
One last thing: in either example, before we test, how do you undo the changes if necessary?
Thanks


In my method, just replace yes with no on the first line and enter the other 2 lines exactly as shown, i.e.:

/sbin/e-smith/db configuration setprop masq Stealth no

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

service masq restart

For Ray's solution:

rm -f /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustICMPIn

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

service masq restart
--
Nick......
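RayG's manual edit of 90adjustICMPIn (Reply #5) and Nick's rollback of it (Reply #8), as an added shell example that is not from the thread or from SME Server itself: it comments out chosen ICMP types inside the @OKicmpTypes list of the copied fragment, reports which types remain allowed, and wraps the expand/restart steps. The real fragment's layout is not shown in the thread, so the sample fragment is constructed on the assumption of one quoted type per line; check the actual file before relying on the pattern.

```shell
#!/bin/sh
# Added example, not from the thread or SME Server itself.
STOCK_DIR=/etc/e-smith/templates/etc/rc.d/init.d/masq
CUSTOM_DIR=/etc/e-smith/templates-custom/etc/rc.d/init.d/masq
FRAGMENT=90adjustICMPIn
# Constructed stand-in for the fragment's list (assumption: one quoted type per line).
make_sample_fragment() {
    cat > "$1" <<'EOF'
# constructed sample of 90adjustICMPIn, not the real SME template fragment
my @OKicmpTypes = (
    'echo-request',
    'echo-reply',
    'destination-unreachable',
    'time-exceeded',
);
EOF
}

# Comment out the given ICMP types inside the @OKicmpTypes list of file $1.
# Already-commented lines do not match the pattern, so re-running is harmless.
drop_icmp_types() {
    file=$1; shift
    for t in "$@"; do
        tmp=$(mktemp)
        sed "/my @OKicmpTypes/,/);/ s/^\([[:space:]]*\)'$t'/\1# '$t'/" "$file" > "$tmp"
        mv "$tmp" "$file"
    done
}

# Print the ICMP types the edited fragment still lets SME answer, one per line.
active_icmp_types() {
    sed -n "/my @OKicmpTypes/,/);/ s/^[[:space:]]*'\([a-z-]*\)'.*/\1/p" "$1"
}

# RayG's full procedure; run as root on the SME box itself.
apply_on_sme() {
    mkdir -p "$CUSTOM_DIR"
    [ -f "$CUSTOM_DIR/$FRAGMENT" ] || cp "$STOCK_DIR/$FRAGMENT" "$CUSTOM_DIR/$FRAGMENT"
    drop_icmp_types "$CUSTOM_DIR/$FRAGMENT" echo-request
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
    service masq restart
}

# Undo, as Nick described: remove the custom fragment, then expand and restart.
undo_on_sme() {
    rm -f "$CUSTOM_DIR/$FRAGMENT"
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
    service masq restart
}
```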

nb69

« Reply #9 on: September 04, 2004, 03:22:54 AM »
Hello.

I tried this but I made a mistake.

After reading the post I figured I'd try NickR's way but I misread the post and did the following without creating the template and executed the commands directly at the prompt in this order:

[root]# /sbin/e-smith/db configuration setprop masq Stealth # yes
[root]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root]# service masq restart

So I figure what I should have done is:

[root]# mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
[root]# cp /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustICMPIn
[root]# vi /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustICMPIn

#This is what I entered in the file
#Edit the details with yes to activate stealth or no to disable stealth features
/sbin/e-smith/db configuration setprop masq Stealth yes

[root]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root]# service masq restart

Is this right?

Also, whenever I restart masq I keep getting the following "errors"... is this normal?

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: /etc/init.d/masq: NEW: command not found
iptables v1.2.5: Couldn't load target ipblock_inet':/lib/iptables/libipt_ipblock_inet.so: cannot open shared object file: No such file or directory

Try iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Couldn't load target ipblock_inet':/lib/iptables/libipt_ipblock_inet.so: cannot open shared object file: No such file or directory

Try iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: Table does not exist (do you need to insmod?)
done

Any comments?

thx.

-nb