#1 2018-08-24 16:08:32

Pryka
Member
Registered: 2018-02-07
Posts: 85

[SOLVED] ICMP on eth0 interface used to connect to VPN

Hi!

Is there any reason to allow ICMP on my eth0 interface (-A OUTPUT -o eth0 -p icmp -j ACCEPT and -A INPUT -i eth0 -p icmp -j ACCEPT) if I use it only to establish a connection to my VPN provider? All other traffic is blocked.

And the second question I have:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

Those two rules above mean that all input/output connections are allowed; the part I don't understand is, does that also mean all ports and protocols are allowed?

Last edited by Pryka (2018-08-26 15:18:15)

#2 2018-08-24 18:46:31

Condor
Member
Registered: 2017-12-01
Posts: 54

Re: [SOLVED] ICMP on eth0 interface used to connect to VPN

Pryka wrote:

And the second question I have:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

Those two rules above mean that all input/output connections are allowed; the part I don't understand is, does that also mean all ports and protocols are allowed?

You allow all connections through all tun interfaces (the plus sign is a wildcard). Yes, that includes all ports and all protocols.

#3 2018-08-24 19:49:37

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] ICMP on eth0 interface used to connect to VPN

Blindly blocking ICMP is a bad idea, due to e.g. path MTU discovery.

#4 2018-08-26 08:56:13

Pryka
Member
Registered: 2018-02-07
Posts: 85

Re: [SOLVED] ICMP on eth0 interface used to connect to VPN

Condor wrote:
Pryka wrote:

And the second question I have:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

Those two rules above mean that all input/output connections are allowed; the part I don't understand is, does that also mean all ports and protocols are allowed?

You allow all connections through all tun interfaces (the plus sign is a wildcard). Yes, that includes all ports and all protocols.

Thank you for the clarification.

brebs wrote:

Blindly blocking ICMP is a bad idea, due to e.g. path MTU discovery.

I'm not really blocking it everywhere; it's completely allowed on my tun interface. But my primary interface is locked to only establishing a connection to the VPN IP address on a specific port. Everything else is dropped. To be honest, I don't really know what ICMP types should be allowed between me and the VPN, because that is the only connection eth0 makes.

As for the rest, does running Wireshark on my eth0, checking whether my VPN is sending any ICMP, and then altering the iptables rules to allow it make any sense?

#5 2018-08-26 10:19:10

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] ICMP on eth0 interface used to connect to VPN

For people who haven't got a clue what they're doing, the best option is to *enable* ICMP. It's the solution to potential traffic problems.

The next step would be to allow only particular types of ICMP, along with e.g. rate-limiting.

I would encourage investigation (e.g. data collection using tcpdump, and analysis using Wireshark) for education purposes.

#6 2018-08-26 11:11:44

Pryka
Member
Registered: 2018-02-07
Posts: 85

Re: [SOLVED] ICMP on eth0 interface used to connect to VPN

I have "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" in my rule set; from what I know it allows some of the ICMP traffic, including path MTU discovery.

Anyway, I will definitely use Wireshark to check whether there is actually any ICMP traffic incoming from my VPN provider. But to be honest, I don't have any connectivity issues at the moment.

Thanks for the help.

Last edited by Pryka (2018-08-26 11:13:40)
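The following is an added example, not a rule set posted by anyone in this thread. It shows the shape of an eth0 rule set for a host whose only direct traffic is its VPN tunnel, combining the two points made above: the conntrack RELATED,ESTABLISHED rule (post #6) already lets through the ICMP errors that belong to the tracked VPN flow, and on top of that only a few ICMP types are accepted, rate-limited, as brebs suggests in post #5. The VPN address, port, protocol and interface name are constructed placeholders, and the tun+ rules from the thread are assumed to exist unchanged. The script prints the iptables commands so they can be reviewed first; it only executes them when run with APPLY=1.

```shell
#!/bin/sh
# Added example for this thread (not from any participant). All values below are
# constructed placeholders; replace them with your own before applying.
WAN=eth0
VPN_IP=203.0.113.10     # placeholder from the documentation range, not a real provider
VPN_PORT=1194           # placeholder VPN port
VPN_PROTO=udp

# Emit the eth0 rules, one iptables command per line, without running them.
# Order matters: the conntrack rules come first, so replies and ICMP errors that
# belong to the tracked VPN flow (RELATED) are accepted before anything else is
# examined; the explicit ICMP rules below only matter for packets conntrack has
# no flow for, and they carry a rate limit so eth0 cannot be flooded with them.
build_wan_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN -p $VPN_PROTO -d $VPN_IP --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type fragmentation-needed -m limit --limit 10/second --limit-burst 20 -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type time-exceeded -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -o $WAN -p icmp --icmp-type echo-request -d $VPN_IP -j ACCEPT
iptables -A INPUT -i $WAN -j DROP
iptables -A OUTPUT -o $WAN -j DROP
EOF
}

# Number of rules the set contains (useful when diffing against iptables-save).
count_wan_rules() {
    build_wan_rules | grep -c '^iptables '
}

# The ICMP types explicitly accepted on INPUT, one per line.
inbound_icmp_types() {
    build_wan_rules | grep -- '-A INPUT' | sed -n 's/.*--icmp-type \([a-z-]*\).*/\1/p'
}

# Print the rules for review; execute them only when APPLY=1 is set.
apply_wan_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        build_wan_rules | sh
    else
        build_wan_rules
    fi
}

apply_wan_rules
```

fragmentation-needed is the ICMP message path MTU discovery depends on, time-exceeded is what traceroute-style probes rely on, and the echo-request rule lets the provider or gateway ping the host (the echo-reply goes out under the ESTABLISHED rule, since conntrack tracks ICMP echo as a flow). Everything else on eth0 hits the final DROP rules. Checking with tcpdump on eth0 which ICMP types actually arrive during normal use, as brebs recommends, tells you whether any of these three rules is ever hit and whether the limits are set too low.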
