
I've configured my Linux router with the following iptables rules

iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i vmbr0 -o eth2 -j ACCEPT 
-A FORWARD -i vmbr0 -o eth1 -j ACCEPT 
-A FORWARD -i eth1 -o vmbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth2 -o vmbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 

eth1 and eth2 are WAN interfaces. vmbr0 is my private network. Ping requests to the eth2 IP address from a remote machine are being dropped, and so are HTTP requests.

How can I fix this?

3 Answers

1

If you want to allow ICMP ping request, try this:

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d <eth2_ip> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s <eth2_ip> -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  • 8 is code for echo-request
  • 0 is code for echo-reply
quanta
1

If the host firewall isn't blocking any ICMP packets, check the kernel parameter relating to ICMP.

$ sysctl net.ipv4.icmp_echo_ignore_all
net.ipv4.icmp_echo_ignore_all = 0

This is normally set in /etc/sysctl.conf; if this host is on the Internet, you generally don't want it to respond to pings (ICMP).

Note, too, that ICMP is neither TCP nor UDP - so you have to allow it with different rules than you would for TCP or UDP.

For debugging purposes, I'd use tcpdump to sniff network traffic on the host - to see what packets are being seen - as well as doing this command:

watch -d iptables -L -v -n

This command will probably show you which rule is being selected, as long as there isn't too much traffic hitting the firewall.

Mei
  • I checked the kernel parameter and it is set to 0. – Prashanth Ellina Aug 25 '11 at 09:28
  • What is the output from `iptables -L -v -n` telling you? If the `watch` command isn't on your router, try this: `while true; do sleep 2 ; iptables -L -v -n ; done` - use ^C to quit the display. – Mei Aug 25 '11 at 18:34
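The counter-watching approach from this answer, as an added example that is not code from the answer or from the poster's router: it diffs two `iptables -L -v -n -x` snapshots (`-x` gives exact, subtractable counters) and prints only the rules or chain policies whose packet counter grew, which is what `watch -d` highlights on screen. The snapshots below are constructed sample output; on a real router replace them with two live snapshots taken around a test ping.

```shell
#!/bin/sh
# Added example, not code from the answers above: find which iptables rules
# are matching by diffing the packet counters of two `iptables -L -v -n -x`
# snapshots taken before and after a test ping (a scripted `watch -d`).

# Turn one snapshot into "chain|index|pkts|rule" lines; index 0 is the chain policy.
parse_counters() {
    awk '
        /^Chain / {
            chain = $2; n = 0
            # "Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)" -> policy counter
            if ($3 == "(policy") printf "%s|0|%s|policy %s\n", chain, $5, $4
            next
        }
        /^ *pkts/ || /^$/ { next }          # column header and blank lines
        {
            n++; pkts = $1
            $1 = ""; $2 = ""; sub(/^ +/, "")   # drop pkts/bytes, keep the rule text
            printf "%s|%d|%s|%s\n", chain, n, pkts, $0
        }'
}

# Print "chain|index|delta|rule" for every rule (or policy) whose counter grew
# between snapshot $1 and snapshot $2. A growing INPUT policy counter while the
# ICMP rule stays at 0 means the packet arrived and was accepted by the policy,
# so the drop is elsewhere (sysctl, routing, the upstream network).
counter_deltas() {
    {
        printf '%s\n' "$1" | parse_counters | sed 's/^/A|/'
        printf '%s\n' "$2" | parse_counters | sed 's/^/B|/'
    } | awk -F'|' '
        $1 == "A" { before[$2 "|" $3] = $4; next }
        $1 == "B" { d = $4 - before[$2 "|" $3]
                    if (d > 0) printf "%s|%s|%d|%s\n", $2, $3, d, $5 }'
}

# Constructed sample snapshots (not from the poster's router) in the layout of
# `iptables -L -v -n -x`; in the second, the INPUT policy and the vmbr0->eth2 rule saw traffic.
SNAP1='Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40       3000 ACCEPT     all  --  vmbr0  eth2    0.0.0.0/0            0.0.0.0/0
      12       1000 ACCEPT     all  --  vmbr0  eth1    0.0.0.0/0            0.0.0.0/0'
SNAP2=$(printf '%s\n' "$SNAP1" | sed -e 's/ACCEPT 120 packets/ACCEPT 135 packets/' \
                                     -e 's/^ *40  *3000 /      55       4500 /')
counter_deltas "$SNAP1" "$SNAP2"   # live: counter_deltas "$(iptables -L -v -n -x)" "$(sleep 5; iptables -L -v -n -x)"
```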
0

It appears that every rule you have listed is an ACCEPT rule, including the defaults. From that, your configuration should not drop or deny any packet. I think your issue is elsewhere.

Jeff Ferland