Cannot ping from outside while I am using iptables provided by DA

Hello,

Ping and Traceroute use ICMP.
I believe you'd just comment out this line from the iptables script to allow icmp (ping) requests:
Code:
#drop all ICMP
$IPTABLES -A INPUT -p icmp -j DROP
Just add a # character before $IPTABLES, then restart iptables.

John
 
Hello,

Ping and Traceroute use ICMP.
I believe you'd just comment out this line from the iptables script to allow icmp (ping) requests:
Code:
#drop all ICMP
$IPTABLES -A INPUT -p icmp -j DROP
Just add a # character before $IPTABLES, then restart iptables.

John

I did as your guide said, but it seems it still does not work...
 
Did you restart iptables? The changes won't take place until you restart the service.
 
It's also possible that your upstream's router may be blocking pings. Some do. To verify if this is the case, turn off your firewall and see if you can ping. If you can, the problem is with your firewall; if you can't, the problem is upstream.

Jeff
 
It's also possible that your upstream's router may be blocking pings. Some do. To verify if this is the case, turn off your firewall and see if you can ping. If you can, the problem is with your firewall; if you can't, the problem is upstream.

Jeff

I am using a Linode VPS, and the ping feature works while I am using the original iptables.
 
It's also possible that your upstream's router may be blocking pings. Some do. To verify if this is the case, turn off your firewall and see if you can ping. If you can, the problem is with your firewall; if you can't, the problem is upstream.

Jeff

Shutting down firewall:
[ OK ]
Starting Firewall:
[ OK ]
FATAL: Module ip_tables not found.
FATAL: Module iptable_filter not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
 
Which means that your VPS is missing kernel modules which the iptables provided by DirectAdmin staff requires. I'd strongly suggest using an iptables configuration either developed by, or with the help of, your provider, since they're limiting what you can do. You could possibly recompile a kernel with the support for the modules you'd need, but this could fail to work at all on your VPS, and in a worst-case scenario end up with a non-working VPS.

Jeff
 
Hi,
I just wanted to add my experience with this.

Commenting out the line like so: #$IPTABLES -A INPUT -p icmp -j DROP
..allows outgoing ping from the server but didn't allow incoming ping requests.

I had to change the rule to: $IPTABLES -A INPUT -p icmp -j ACCEPT
..in order to have both incoming ping and outgoing ping work.

I am not sure what all the up/down sides are but I may look into having the iptables script grab IPs from the /usr/local/directadmin/data/admin/ip_whitelist or once I get to step 4 of the KB 380, use the /root/exempt_ips.txt file instead of allowing icmp from all.
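Added example, not part of the original thread or the DirectAdmin script: a sketch of the whitelist idea from the last post, printing ICMP rules that accept ping only from addresses listed in a file such as /root/exempt_ips.txt and drop the rest. The file format (one IPv4 address or CIDR per line, `#` for comments) and the function names are assumptions; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example: print (not apply) ICMP rules that limit ping to listed IPs.
# Assumed file format: one IPv4 address or CIDR per line, '#' starts a comment.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# is_ipv4 ADDR: succeed only for a dotted quad with an optional /0-32 prefix,
# so a malformed line can never end up inside a firewall command.
is_ipv4() {
    addr=${1%%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_icmp_rules FILE: rules meant to replace the single "-p icmp -j DROP" line.
gen_icmp_rules() {
    # Answers to our own pings and traceroutes, plus path-MTU errors.
    for t in echo-reply destination-unreachable time-exceeded; do
        echo "$IPTABLES -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_ipv4 "$line"; then
            echo "$IPTABLES -A INPUT -p icmp --icmp-type echo-request -s $line -j ACCEPT"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$1"
    echo "$IPTABLES -A INPUT -p icmp -j DROP"   # everything else stays blocked
}

# Constructed sample whitelist (documentation addresses, one bad entry).
sample=$(mktemp)
printf '%s\n' '192.0.2.10' '# office range' '198.51.100.0/24' '999.1.1.1' > "$sample"
gen_icmp_rules "$sample"
rm -f "$sample"
```

Because the rules are appended with -A, the per-address ACCEPT lines must come before the final DROP, which is the order the function emits them in.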
 