OpenWrt Forum Archive

Topic: Pinging the router from the internet

The content of this topic has been archived on 27 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

For some reason, the router (RC5) responds to pings from the internet. How do I turn this off?

After some research, I found this website which recommends adding the following rules to iptables:

iptables -A proto-icmp -p icmp --icmp-type 3 -j ACCEPT
iptables -A proto-icmp -p icmp --icmp-type 11 -j ACCEPT
iptables -A proto-icmp -p icmp --icmp-type 12 -j ACCEPT
iptables -A proto-icmp -p icmp -j DROP

Adapting this for OpenWrt, I tried to put in the first line, which was:
iptables -A prerouting_rule -i $WAN -p icmp --icmp-type 3 -j ACCEPT
but I got the following error:
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.

I assume OpenWrt's iptables does not support ICMP matching? Why not? How can I make mine support it?

(Last edited by eatnumber1 on 5 Apr 2006, 02:43)

OK, I just got it working. It did support ICMP matching after all, I was just doing something stupid.

If you want your router to be unpingable from the internet, do the following:

rm /etc/init.d/S45firewall
cp /rom/etc/init.d/S45firewall /etc/init.d

Then use vim to remove the line that has a comment saying accept ICMP at the end, and put the following in its place:

iptables -A INPUT -p icmp --icmp-type 3 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -j DROP

That should drop all ICMP packets that you don't need for a good connection to the internet.

BIG NOTE: I believe the iptables structure is different in RC4, so unless you KNOW it will work in RC4 (if you do, tell me), don't do it. I use RC5, so I can say it works there.

As a side note, why isn't this the default in the router?

(Last edited by eatnumber1 on 5 Apr 2006, 03:49)

The correct way is to modify /etc/firewall.user instead of /etc/init.d/S45firewall.

I was going to do that, but in S45firewall it inserts a rule to accept all ICMP packets. If I modified firewall.user, I would have to delete that rule every time it was run. (Or just leave it, since it gets inserted after firewall.user, but I'm a perfectionist.)

(Last edited by eatnumber1 on 5 Apr 2006, 14:23)
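The firewall.user variant of the rules above, as an added example that is not part of the original thread or of OpenWrt itself. Instead of editing S45firewall, it appends the same four rules to the input_rule chain, which the RC5 S45firewall posted later in this thread jumps to before its blanket "-p icmp -j ACCEPT", so the user rules are evaluated first and win. The function names, the IPT override (for a dry run) and the empty-$WAN guard are my own assumptions, not OpenWrt conventions.

```sh
#!/bin/sh
# Fragment for /etc/firewall.user (added example, not from the original thread).
# Assumes the RC5 S45firewall layout: INPUT accepts RELATED,ESTABLISHED, then
# jumps to "input_rule", and only afterwards accepts all ICMP. Rules appended to
# input_rule therefore take precedence over that accept-all rule.

IPT="${IPT:-iptables}"                        # set IPT=echo for a dry run
WAN="${WAN:-$(nvram get wan_ifname 2>/dev/null)}"

# Print the iptables commands for a given WAN interface instead of running them,
# so they can be reviewed before touching the live ruleset. The interface name
# is checked first: the "wierd character in interface `-p'" error quoted in this
# thread is what iptables says when $WAN expands to nothing and "-i" swallows
# the following "-p" as its argument.
render_wan_icmp_rules() {
    wan="$1"
    [ -n "$wan" ] || { echo "render_wan_icmp_rules: WAN interface name is empty" >&2; return 1; }
    # ICMP types a healthy connection still needs from the outside:
    #   3  destination-unreachable (includes fragmentation-needed, i.e. PMTU discovery)
    #   11 time-exceeded (TTL expiry, traceroute)
    #   12 parameter-problem
    for t in 3 11 12; do
        echo "$IPT -A input_rule -i $wan -p icmp --icmp-type $t -j ACCEPT"
    done
    # Everything else arriving on the WAN, echo-request (type 8) included, is
    # dropped silently. Replies to the router's own pings are unaffected because
    # INPUT accepts RELATED,ESTABLISHED before it reaches input_rule.
    echo "$IPT -A input_rule -i $wan -p icmp -j DROP"
}

# Execute the rendered commands one by one; stop at the first failure.
apply_wan_icmp_rules() {
    render_wan_icmp_rules "$1" | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

# When sourced by S45firewall this applies the rules to the live ruleset; on a
# host without nvram, $WAN is empty and the guard above refuses to run anything.
apply_wan_icmp_rules "$WAN"
```

After the firewall script has run, `iptables -L input_rule -v -n` should show the four rules with the DROP counter climbing while something outside pings the WAN address, and the router should no longer answer an external `ping`. The blanket ICMP accept in INPUT can stay in place; it is simply never reached for WAN-side ICMP.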

Very strange that your router is pingable. Mine is not, using RC5.

You can do a Nessus scan on port-scan.de

And nowhere in my S45firewall (default from RC5) is there:

iptables -A INPUT -p icmp --icmp-type 3 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -j DROP

(Last edited by redhad on 5 Apr 2006, 14:32)

redhad wrote:

Very strange that your router is pingable. Mine is not, using RC5.

Mine is...
Strange indeed.

This is the included S45firewall in RC5 (Linksys WRT54GS v1)

#!/bin/sh

## Please make changes in /etc/firewall.user

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN    -j ACCEPT    # allow from lan/wifi interfaces 
  iptables -A INPUT -p icmp    -j ACCEPT    # allow ICMP
  iptables -A INPUT -p gre    -j ACCEPT    # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT        #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP 
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -e /etc/config/firewall ] && {
    awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
}

scan.sygate.com also says that my router is not pingable.

redhad, could you post the output of iptables -L -v
What is probably happening is that to "protect" you, your ISP is blocking ICMP echo requests (Pings)
From what I understand, you don't need to accept any ICMP packets except the 3 I set exceptions to.

As I said before, the rules I set up above should work.

grc.com's ShieldsUp!! reports the received ICMP response.
And scan.sygate.com's Quick scan too.

(Last edited by booBot on 5 Apr 2006, 15:50)

root@bastet:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
 3352  262K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=!2 flags:SYN/SYN
  715 58038 input_rule  all  --  any    any     anywhere             anywhere
  715 58038 ACCEPT     all  --  !ppp0  any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
11923  700K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 242K  167M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
12268  735K forwarding_rule  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
 8395  495K ACCEPT     all  --  br0    ppp0    anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
 3730  740K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   37  3326 output_rule  all  --  any    any     anywhere             anywhere
   37  3326 ACCEPT     all  --  any    any     anywhere             anywhere
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain forward_ppp0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  620 31088 ACCEPT     tcp  --  any    any     anywhere             erebos
 3253  209K ACCEPT     udp  --  any    any     anywhere             erebos
    0     0 ACCEPT     tcp  --  any    any     anywhere             sachmet
    0     0 ACCEPT     udp  --  any    any     anywhere             sachmet

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3873  240K forward_ppp0  all  --  ppp0   any     anywhere             anywhere

Chain input_ppp0 (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_ppp0  all  --  ppp0   any     anywhere             anywhere

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Yep, it looks like your ISP blocks ICMP echo requests.

Note the line
0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
That tells the router to accept all ICMP requests, so your ROUTER is set up to accept ICMP, but your ISP may be blocking it.

(Last edited by eatnumber1 on 5 Apr 2006, 18:14)

eatnumber1 wrote:

Yep, it looks like your ISP blocks ICMP echo requests

I can assure you that my ISP does not block anything.

If I allow ICMP (via fwbuilder), then I'm pingable.

(Last edited by redhad on 5 Apr 2006, 18:14)

That's very odd... you have the same iptables configuration as me, except that you use PPP. Maybe it's PPP related?

Make a quick scan on scan.sygate.com

My iptables is slightly different; I have the implementation that blocks pings, but before I implemented it, I had ssh'ed into my college's server and pinged myself (I'm not on the school's network) and got responses.

(Last edited by eatnumber1 on 6 Apr 2006, 01:56)

Confirmed here. Just installed RC5, and without any firewall modifications, the router is pingable from the WAN. (But I don't mind! :-) One less configuration option for me to change...

Seems reasonable to me. Many DHCP servers double-check whether an IP address is in use or not by pinging it. If you blocked pings from the WAN side, it might think the address was free. (I guess it might be better for them to use ARP for this test, but then again, a DHCP server does not necessarily live on the same subnet as its client if DHCP relay is in use.)

The discussion might have continued from here.