TCP/IP and IPtables

Hello All,

I want to know how different IPtables rules are from tweaking the IP stack parameters directly for options like turning off ICMP messages, disabling source routing, or other IP header options.

Why do we need them?

Is it OK if I directly change the IP stack parameters? Should I use IPtables for these?

Thanks

What specifically are you wanting to do? You can manually edit
NetFilter using the iptables command at any time, but unless you make
your changes persistent by applying it in a file that is loaded at boot
a reboot will lose your changes (perhaps that’s what you want, but if
not keep it in mind). Also be careful as you can lock yourself out of a
box (network-wise) with one little iptables command so be sure you have
a way to get back in when (not if) you do that.

Good luck.

ninja123 wrote:
> Hello All,
>
>
> I want to know how different IPtables rules are from tweaking the IP
> stack parameters directly for options like turning off ICMP messages,
> disabling source routing, or other IP header options.
>
> Why do we need them?
>
> Is it OK if I directly change the IP stack parameters? Should I use
> IPtables for these?
>
> Thanks
>
>

Thanks a lot.

I already have the IPtable rules as a file and I call this during boot.
However, what I would like to know is how about just directly saying
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

How different is the impact??

Well my understanding is that tinkering in proc is changing settings in
the kernel in realtime, which is fine (though I have no idea why you
would want to enable response to broadcast ICMP like you are suggesting
below) and NetFilter is a framework that provides hooks within the
kernel which can be manipulated by the iptables command. Both are
kernel-level, though the /proc filesystem always seems a bit more
rudimentary, though that’s just because throwing 0s or 1s into a file to
change a setting on the fly is so much fun… Anyway, what are you
really trying to do in the end? Do you really want to enable responses
to broadcast ICMP? What tasks can you do in both? If you can do
something in both places perhaps use sysctl to set the values’ defaults
and still use iptables to provide a layer there. There are a lot of
docs online about the two components of the kernel worth reading that
I’ve found with some quick Googling.

Good luck.

ninja123 wrote:
> Thanks a lot.
>
> I already have the IPtable rules as a file and I call this during
> boot.
> However, what I would like to know is how about just directly saying
> echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> How different is the impact??
>
>
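The advice above, to set the kernel defaults with sysctl and keep iptables as a layer on top, and the earlier warning that an ad-hoc change does not survive a reboot, as an added example (this is not code from the thread or from any of its posters): it reads the keys this thread talks about from /proc, reports drift from the hardened value, emits the persistent sysctl lines, and shows the netfilter rule for broadcast echo requests. The PROC_ROOT override, the WANTED list and the function names are assumptions of this example; the key paths are the real kernel ones.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the runtime kernel knobs the
# thread mentions by reading /proc, renders the persistent sysctl lines, and
# shows the netfilter rule that layers on top. PROC_ROOT is a hypothetical
# override so the audit can run against a copied tree without root.

# key=expected value: 1 = ignore echo requests to broadcast addresses,
# 0 = refuse source-routed packets.
WANTED="net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/default/accept_source_route=0"

# audit_sysctl [PROC_ROOT]: one line per key; return value is the number of
# keys that are missing or differ from the hardened value (0 = all good).
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    for pair in $WANTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        file="$root/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING $key (want $want)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "ok      $key=$have"
        else
            echo "DRIFT   $key=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# render_sysctl_conf: the same keys in the dotted syntax of /etc/sysctl.conf,
# so the values are reapplied at boot (a bare echo into /proc is not).
render_sysctl_conf() {
    printf '%s\n' $WANTED | tr '/' '.'
}

# netfilter_layer: the iptables rule that drops broadcast echo requests in
# the INPUT hook regardless of the sysctl value (apply as root).
netfilter_layer() {
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m addrtype --dst-type BROADCAST -j DROP"
}
```

Source the file and run `audit_sysctl` against the live kernel, or pass a directory that mirrors /proc/sys to audit a snapshot.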

oops!
I only wanted to turn off ICMP broadcast. I meant to put '1', typo error!! Thanks

On my system that is the default… is it not on yours as well?
Checking an OpenSuSE 11.1 x86_64 box I also see that ‘1’ is the default.
Maybe you’re just working too hard.

Good luck.

ninja123 wrote:
> oops!
> I only wanted to turn off ICMP broadcast. I meant to put '1', typo
> error!! Thanks
>
>

iptables(8) does not manipulate hooks. (Perhaps reread the WP articles.)