icmp stuff

Dave Taht dave.taht at gmail.com
Fri Feb 17 23:12:01 UTC 2012


I have not poked into the restricted port range for nat
from the ephemeral pool yet... my concern was that
having a separate ephemeral pool for nat could be a headache.

poring through the kernel and iptables (netfilter code)
modifying and/or allowing a new icmp message looks trivial...


# setup, teardown, and several rules elided, and this is
# actually created backwards from how it would be done
# (bottommost rules need to be created first, i.e. the user
# chains must exist before INPUT jumps to them)
# but for clarity...

iptables -A INPUT -i the_gateway_device -j GW_RULES

iptables -A GW_RULES -p tcp -g TCP_RULES # filter TCP one way
iptables -A GW_RULES -p udp -g UDP_RULES # filter UDP another
iptables -A GW_RULES -p icmp -g ICMP_RULES

# match on whatever type/code is decided upon; NFLOG copies the
# packet to a netlink group and does not terminate the chain walk
iptables -A ICMP_RULES -p icmp -m icmp --icmp-type <type/code/typename> \
            -j NFLOG --nflog-group <some_queue>

and you have a listener process on that queue.



ipv6 rules are generally more complex, as TOOBIG, etc., are generally
returned.

Further restrictions are possible for the incoming ip addr.
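The chain layout sketched above, written out in the order a script actually needs it (leaf chains first, INPUT attached last) together with the IPv6 Packet Too Big allowance, as an added example that is not from the original mail; the interface name, NFLOG group number and the ICMP types chosen for logging are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Chains are created and populated
# before INPUT jumps to them (the "bottommost rules first" order). Assumed
# values: the gateway interface, NFLOG group 5, and which ICMP types to log.
GW_DEV="${GW_DEV:-eth0}"           # assumed gateway interface
NFLOG_GROUP="${NFLOG_GROUP:-5}"    # assumed NFLOG group the listener reads

run() {  # execute a firewall command, or only print it when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

build_icmp_rules() {
    # leaf chains first: every chain named by -j/-g must already exist
    run iptables -N ICMP_RULES
    run iptables -N TCP_RULES
    run iptables -N UDP_RULES
    run iptables -N GW_RULES
    # copy the chosen type to the NFLOG group; NFLOG does not terminate the
    # walk, so filtering rules after it still decide the packet's fate.
    # The limit match keeps a flood from swamping the listener process.
    run iptables -A ICMP_RULES -p icmp -m icmp --icmp-type echo-request \
        -m limit --limit 10/second \
        -j NFLOG --nflog-group "$NFLOG_GROUP" --nflog-prefix "icmp-echo"
    # dispatch by protocol; -g (goto) does not return to GW_RULES
    run iptables -A GW_RULES -p tcp -g TCP_RULES
    run iptables -A GW_RULES -p udp -g UDP_RULES
    run iptables -A GW_RULES -p icmp -g ICMP_RULES
    # attach last, once everything it references exists
    run iptables -A INPUT -i "$GW_DEV" -j GW_RULES
}

build_icmp6_rules() {
    run ip6tables -N ICMP6_RULES
    # Packet Too Big (type 2) has to pass or path-MTU discovery breaks,
    # which is why the v6 ICMP rules end up more involved than v4.
    run ip6tables -A ICMP6_RULES -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    run ip6tables -A ICMP6_RULES -p icmpv6 --icmpv6-type echo-request \
        -m limit --limit 10/second \
        -j NFLOG --nflog-group "$NFLOG_GROUP" --nflog-prefix "icmp6-echo"
    run ip6tables -A INPUT -i "$GW_DEV" -p icmpv6 -j ICMP6_RULES
}

# Run with "apply" (as root) to load the rules; otherwise print them.
# A listener can then read the group with: tcpdump -n -i nflog:"$NFLOG_GROUP"
if [ "${1:-}" = apply ]; then DRY_RUN=""; else DRY_RUN=1; fi
build_icmp_rules
build_icmp6_rules
```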

-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net


More information about the sdcpe-devel mailing list