Must I "--icmp-type fragmentation-needed -j ACCEPT"?
Dani Arbel
darbel@techunix.technion.ac.il
Sat, 29 Dec 2001 22:39:50 +0200 (IST)
Bruno,
You have to specifically allow these ICMP packets. From my experience, state
RELATED works for ping echo/reply only.
Note that the fragmentation-needed packet is generated by a router on the way and not by
the destination host.
Dani
On Fri, 28 Dec 2001, Bruno Negrão wrote:
> Hello,
>
> I'm configuring my iptables rules. My question is about the FORWARD chain. I do want the fragmentation-needed packets (icmp TYPE=3 CODE=4) to be allowed through my FORWARD chain.
> Since my policy is:
> iptables -P FORWARD DROP
> And I have these rules:
> iptables -A FORWARD -i $INTERNAL_IF -o $EXTERTAL_IF -j ACCEPT
> iptables -A FORWARD -i $EXTERNAL_IF -o $INTERNAL_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Does it guarantee that the icmp fragmentation-needed packets will be forwarded? I mean, when I for example make an ftp connection to a ftp server, if it sends me fragmentation-needed icmp packets, will these packets arrive in my box with the states ESTABLISHED or RELATED?
>
> Thank you,
> HAVE A HAPPY NEW YEAR!!
> -------------------------------------------------
> -- Bruno Negrão -- Suporte
> -- Plugway Acesso Internet Ltda.
> -- (31)34812311
> -- bnegrao@plugway.com.br
>
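The ruleset the reply recommends, as an added example that is not part of either message in the thread. It takes Bruno's three FORWARD rules and appends an explicit rule for ICMP type 3 code 4 (`-p icmp --icmp-type fragmentation-needed`), so that forwarding the router-generated error no longer depends on whether conntrack tags it RELATED. The interface names `eth0`/`eth1` are assumptions. The `forward_verdict` function is a small, hypothetical chain walker (not iptables itself) that takes the conntrack state as an input rather than deciding it, and shows that with the explicit rule a fragmentation-needed packet is accepted whatever state it carries, while without it only ESTABLISHED/RELATED traffic passes from the external side:

```shell
#!/bin/sh
# Added example: explicit FORWARD rule for ICMP fragmentation-needed.
# Interface names are assumptions; replace with your own.
INTERNAL_IF=eth1
EXTERNAL_IF=eth0

# Print the iptables commands: Bruno's policy and two rules, plus an
# explicit accept for ICMP type 3 code 4 coming from the external side.
# Usage: sh frag-needed.sh | sudo sh
emit_forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $INTERNAL_IF -o $EXTERNAL_IF -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_IF -o $INTERNAL_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_IF -o $INTERNAL_IF -p icmp --icmp-type fragmentation-needed -j ACCEPT
EOF
}

# Hypothetical chain walker (not iptables): returns the verdict the
# ruleset above gives one packet.  Arguments:
#   in_if out_if proto ctstate icmp_type icmp_code explicit_rule(yes|no)
# ctstate is supplied by the caller, so the function does not decide
# whether conntrack marks the ICMP error RELATED; it only shows what
# the rules do with whatever state the packet arrives with.
forward_verdict() {
    in_if=$1; out_if=$2; proto=$3; ctstate=$4
    icmp_type=$5; icmp_code=$6; explicit=$7

    # Rule 1: internal -> external, everything accepted.
    if [ "$in_if" = "$INTERNAL_IF" ] && [ "$out_if" = "$EXTERNAL_IF" ]; then
        echo ACCEPT; return
    fi
    if [ "$in_if" = "$EXTERNAL_IF" ] && [ "$out_if" = "$INTERNAL_IF" ]; then
        # Rule 2: external -> internal only for ESTABLISHED or RELATED.
        case "$ctstate" in
            ESTABLISHED|RELATED) echo ACCEPT; return ;;
        esac
        # Rule 3 (only when present): ICMP type 3 code 4, any state.
        if [ "$explicit" = yes ] && [ "$proto" = icmp ] \
           && [ "$icmp_type" = 3 ] && [ "$icmp_code" = 4 ]; then
            echo ACCEPT; return
        fi
    fi
    # Chain policy.
    echo DROP
}

# Stand-alone run: print the rules, then show both verdicts for a
# fragmentation-needed packet that conntrack did not mark RELATED.
emit_forward_rules
echo "# frag-needed, state INVALID, without explicit rule: $(forward_verdict eth0 eth1 icmp INVALID 3 4 no)"
echo "# frag-needed, state INVALID, with explicit rule:    $(forward_verdict eth0 eth1 icmp INVALID 3 4 yes)"
```

The explicit rule is placed after the state rule, so a fragmentation-needed packet that conntrack does mark RELATED is still accepted by rule 2 and the new rule only catches the ones that would otherwise fall through to the DROP policy. Accepting ICMP type 3 code 4 by itself does not open the FORWARD chain to new inbound TCP or UDP traffic; those still need an ESTABLISHED or RELATED state to pass.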