Delay when iptables icmp rules take effect












3














I have setup my iptables to disable all incoming connection, i.e.



:INPUT DROP [0:65535]


When the iptables has been started, I run the following command to enable ping:



/usr/sbin/iptables -A INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -A INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are added from /etc/init.d/iptables status. I can ping the device from both Windows and Linux PC. Now I run the following command to remove them:



/usr/sbin/iptables -D INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -D INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are removed from /etc/init.d/iptables status. I cannot ping the device from Linux PC which is expected. However, I can ping the device from Windows PC for 1-2 minutes and then I cannot ping it afterwards.



I do not ping the device indefinitely (i.e. without -t) from my Windows XP PC but why do I get this results?






iptables firewall icmp







share|improve this question
























  • Do you have any rules that accept an RELATED or ESTABLISH state?
    – cuonglm
    Aug 15 '14 at 16:07










  • Yes, I have added this in my /etc/sysconfig/iptables (i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT).
    – chesschi
    Aug 15 '14 at 16:09












  • Can you give your INPUT chain?
    – cuonglm
    Aug 15 '14 at 16:12










  • -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT then it's accepting other TCP/UDP ports
    – chesschi
    Aug 15 '14 at 16:14












  • So what is order of this rule? Is it before or after ICMP rules?
    – cuonglm
    Aug 15 '14 at 16:17
















3














I have setup my iptables to disable all incoming connection, i.e.



:INPUT DROP [0:65535]


When the iptables has been started, I run the following command to enable ping:



/usr/sbin/iptables -A INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -A INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are added from /etc/init.d/iptables status. I can ping the device from both Windows and Linux PC. Now I run the following command to remove them:



/usr/sbin/iptables -D INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -D INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are removed from /etc/init.d/iptables status. I cannot ping the device from Linux PC which is expected. However, I can ping the device from Windows PC for 1-2 minutes and then I cannot ping it afterwards.



I do not ping the device indefinitely (i.e. without -t) from my Windows XP PC but why do I get this results?






iptables firewall icmp







share|improve this question
























  • Do you have any rules that accept an RELATED or ESTABLISH state?
    – cuonglm
    Aug 15 '14 at 16:07










  • Yes, I have added this in my /etc/sysconfig/iptables (i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT).
    – chesschi
    Aug 15 '14 at 16:09












  • Can you give your INPUT chain?
    – cuonglm
    Aug 15 '14 at 16:12










  • -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT then it's accepting other TCP/UDP ports
    – chesschi
    Aug 15 '14 at 16:14












  • So what is order of this rule? Is it before or after ICMP rules?
    – cuonglm
    Aug 15 '14 at 16:17














3












3








3







I have setup my iptables to disable all incoming connection, i.e.



:INPUT DROP [0:65535]


When the iptables has been started, I run the following command to enable ping:



/usr/sbin/iptables -A INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -A INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are added from /etc/init.d/iptables status. I can ping the device from both Windows and Linux PC. Now I run the following command to remove them:



/usr/sbin/iptables -D INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -D INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are removed from /etc/init.d/iptables status. I cannot ping the device from Linux PC which is expected. However, I can ping the device from Windows PC for 1-2 minutes and then I cannot ping it afterwards.



I do not ping the device indefinitely (i.e. without -t) from my Windows XP PC but why do I get this results?






iptables firewall icmp







share|improve this question















I have setup my iptables to disable all incoming connection, i.e.



:INPUT DROP [0:65535]


When the iptables has been started, I run the following command to enable ping:



/usr/sbin/iptables -A INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -A INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are added from /etc/init.d/iptables status. I can ping the device from both Windows and Linux PC. Now I run the following command to remove them:



/usr/sbin/iptables -D INPUT -m icmp --icmp-state 8 -j ACCEPT

/usr/sbin/iptables -D INPUT -m icmp --icmp-state 0 -j ACCEPT


I saw the iptables rules are removed from /etc/init.d/iptables status. I cannot ping the device from Linux PC which is expected. However, I can ping the device from Windows PC for 1-2 minutes and then I cannot ping it afterwards.



I do not ping the device indefinitely (i.e. without -t) from my Windows XP PC but why do I get this results?






iptables firewall icmp




iptables firewall icmp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 15 '14 at 16:27









Braiam

23.1k1976137




23.1k1976137










asked Aug 15 '14 at 15:57









chesschi

162




162












  • Do you have any rules that accept an RELATED or ESTABLISH state?
    – cuonglm
    Aug 15 '14 at 16:07










  • Yes, I have added this in my /etc/sysconfig/iptables (i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT).
    – chesschi
    Aug 15 '14 at 16:09












  • Can you give your INPUT chain?
    – cuonglm
    Aug 15 '14 at 16:12










  • -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT then it's accepting other TCP/UDP ports
    – chesschi
    Aug 15 '14 at 16:14












  • So what is order of this rule? Is it before or after ICMP rules?
    – cuonglm
    Aug 15 '14 at 16:17


















  • Do you have any rules that accept an RELATED or ESTABLISH state?
    – cuonglm
    Aug 15 '14 at 16:07










  • Yes, I have added this in my /etc/sysconfig/iptables (i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT).
    – chesschi
    Aug 15 '14 at 16:09












  • Can you give your INPUT chain?
    – cuonglm
    Aug 15 '14 at 16:12










  • -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT then it's accepting other TCP/UDP ports
    – chesschi
    Aug 15 '14 at 16:14












  • So what is order of this rule? Is it before or after ICMP rules?
    – cuonglm
    Aug 15 '14 at 16:17
















Do you have any rules that accept an RELATED or ESTABLISH state?
– cuonglm
Aug 15 '14 at 16:07




Do you have any rules that accept an RELATED or ESTABLISH state?
– cuonglm
Aug 15 '14 at 16:07












Yes, I have added this in my /etc/sysconfig/iptables (i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT).
– chesschi
Aug 15 '14 at 16:09






Yes, I have added this in my /etc/sysconfig/iptables (i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT).
– chesschi
Aug 15 '14 at 16:09














Can you give your INPUT chain?
– cuonglm
Aug 15 '14 at 16:12




Can you give your INPUT chain?
– cuonglm
Aug 15 '14 at 16:12












-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT then it's accepting other TCP/UDP ports
– chesschi
Aug 15 '14 at 16:14






-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT then it's accepting other TCP/UDP ports
– chesschi
Aug 15 '14 at 16:14














So what is order of this rule? Is it before or after ICMP rules?
– cuonglm
Aug 15 '14 at 16:17




So what is order of this rule? Is it before or after ICMP rules?
– cuonglm
Aug 15 '14 at 16:17










4 Answers
4






active

oldest

votes


















1














From all information you provided, I only guess that when you delete the rules, your Linux PC's ip address is not in iptables conntrack table anymore, so its traffic is dropped. The Windows PC's ip address may still appear in conntrack table, so its traffic is accepted.



iptables process each rule, from top to bottom. So the order of rules you defined in iptables is very important. In your case, your chain INPUT look like:



-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT

....

-A INPUT -m icmp --icmp-state 8 -j ACCEPT

-A INPUT -m icmp --icmp-state 0 -j ACCEPT


So you can see, even if you delete ICMP rules, if the client connection is in conntrack table, it's still accepted by iptables.



You can read about iptables conntrack table here:




When a connection has seen traffic in both directions, the conntrack
entry will erase the [UNREPLIED] flag, and then reset it. The entry
that tells us that the connection has not seen any traffic in both
directions, will be replaced by the [ASSURED] flag, to be found close
to the end of the entry. The [ASSURED] flag tells us that this
connection is assured and that it will not be erased if we reach the
maximum possible tracked connections. Thus, connections marked as
[ASSURED] will not be erased, contrary to the non-assured connections
(those not marked as [ASSURED]). How many connections that the
connection tracking table can hold depends upon a variable that can be
set through the ip-sysctl functions in recent kernels. The default
value held by this entry varies heavily depending on how much memory
you have. On 128 MB of RAM you will get 8192 possible entries, and at
256 MB of RAM, you will get 16376 entries. You can read and set your
settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.







share|improve this answer





















  • Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
    – chesschi
    Aug 15 '14 at 16:36












  • I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
    – cuonglm
    Aug 15 '14 at 16:39



















1














iptables maintains some state about previous/current connections which can cause changes you issue to iptables to seem to have a delay in being applied. To see and manipulate the state, you first need to have conntrack installed:



sudo apt-get conntrack


With that, you can then issue



sudo conntrack -L


to see a list of previous/current connections in the state.



You can clear this state completely by running



sudo conntrack -F


However, this will kill any currently open connections even if the current rules in effect would still allow them. You can be more fine-grained with what you can remove from the state table. Run



sudo conntrack


to get some basic help on the command. You typically are dealing with the "conntrack" table, which is what the command operates on if the table is not specified. For example, for my use case of turning on or off a NAT, I would run



sudo conntrack -D --any-nat


after issuing the appropriate iptables command to turn the nat off or on.






share|improve this answer





























    0














    You can explicitly block the ICMP protocol by adding the rule at the beginning of your ruleset:



    iptables -I INPUT -p icmp -j DROP



    One thing to note, the RELATED,ESTABLISHED rule should be the last rule in your ruleset. Otherwise the ESTABLISHED state will match packets that are meant to match other rules eventually throwing off your counters and making debugging a nightmare, such as what you're currently experiencing






    share|improve this answer





























      0














      this is normal behavior and what RELATED,ESTABLISHED is supposed to do



      "the RELATED,ESTABLISHED rule should be the last rule in your rulese" is complete nonsense, you don't want hop through the whole chain for every answer package and without an explicit reject/drop before it won't change the behavior anyways but making processing every single package more expensive because it's evaluating every rule and the last one accepts it



      have fun pass the 838 million packages through 27 rules in the forward chain for no good reason - a proper ruleset is ordered by the rules with most hits on top and a final reject/drop rule at the end



      Chain FORWARD (policy DROP 0 packets, 0 bytes)
      num pkts bytes target prot opt in out source destination
      1 838M 852G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
      2 35M 1912M INBOUND all -- wan lan 0.0.0.0/0 0.0.0.0/0 0






      share|improve this answer





















        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "106"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150430%2fdelay-when-iptables-icmp-rules-take-effect%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        4 Answers
        4






        active

        oldest

        votes








        4 Answers
        4






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        1














        From all information you provided, I only guess that when you delete the rules, your Linux PC's ip address is not in iptables conntrack table anymore, so its traffic is dropped. The Windows PC's ip address may still appear in conntrack table, so its traffic is accepted.



        iptables process each rule, from top to bottom. So the order of rules you defined in iptables is very important. In your case, your chain INPUT look like:



        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
        
....
        
-A INPUT -m icmp --icmp-state 8 -j ACCEPT
        
-A INPUT -m icmp --icmp-state 0 -j ACCEPT


        So you can see, even if you delete ICMP rules, if the client connection is in conntrack table, it's still accepted by iptables.



        You can read about iptables conntrack table here:




        When a connection has seen traffic in both directions, the conntrack
        entry will erase the [UNREPLIED] flag, and then reset it. The entry
        that tells us that the connection has not seen any traffic in both
        directions, will be replaced by the [ASSURED] flag, to be found close
        to the end of the entry. The [ASSURED] flag tells us that this
        connection is assured and that it will not be erased if we reach the
        maximum possible tracked connections. Thus, connections marked as
        [ASSURED] will not be erased, contrary to the non-assured connections
        (those not marked as [ASSURED]). How many connections that the
        connection tracking table can hold depends upon a variable that can be
        set through the ip-sysctl functions in recent kernels. The default
        value held by this entry varies heavily depending on how much memory
        you have. On 128 MB of RAM you will get 8192 possible entries, and at
        256 MB of RAM, you will get 16376 entries. You can read and set your
        settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.







        share|improve this answer





















        • Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
          – chesschi
          Aug 15 '14 at 16:36












        • I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
          – cuonglm
          Aug 15 '14 at 16:39
















        1














        From all information you provided, I only guess that when you delete the rules, your Linux PC's ip address is not in iptables conntrack table anymore, so its traffic is dropped. The Windows PC's ip address may still appear in conntrack table, so its traffic is accepted.



        iptables process each rule, from top to bottom. So the order of rules you defined in iptables is very important. In your case, your chain INPUT look like:



        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
        
....
        
-A INPUT -m icmp --icmp-state 8 -j ACCEPT
        
-A INPUT -m icmp --icmp-state 0 -j ACCEPT


        So you can see, even if you delete ICMP rules, if the client connection is in conntrack table, it's still accepted by iptables.



        You can read about iptables conntrack table here:




        When a connection has seen traffic in both directions, the conntrack
        entry will erase the [UNREPLIED] flag, and then reset it. The entry
        that tells us that the connection has not seen any traffic in both
        directions, will be replaced by the [ASSURED] flag, to be found close
        to the end of the entry. The [ASSURED] flag tells us that this
        connection is assured and that it will not be erased if we reach the
        maximum possible tracked connections. Thus, connections marked as
        [ASSURED] will not be erased, contrary to the non-assured connections
        (those not marked as [ASSURED]). How many connections that the
        connection tracking table can hold depends upon a variable that can be
        set through the ip-sysctl functions in recent kernels. The default
        value held by this entry varies heavily depending on how much memory
        you have. On 128 MB of RAM you will get 8192 possible entries, and at
        256 MB of RAM, you will get 16376 entries. You can read and set your
        settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.







        share|improve this answer





















        • Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
          – chesschi
          Aug 15 '14 at 16:36












        • I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
          – cuonglm
          Aug 15 '14 at 16:39














        1












        1








        1






        From all information you provided, I only guess that when you delete the rules, your Linux PC's ip address is not in iptables conntrack table anymore, so its traffic is dropped. The Windows PC's ip address may still appear in conntrack table, so its traffic is accepted.



        iptables process each rule, from top to bottom. So the order of rules you defined in iptables is very important. In your case, your chain INPUT look like:



        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
        
....
        
-A INPUT -m icmp --icmp-state 8 -j ACCEPT
        
-A INPUT -m icmp --icmp-state 0 -j ACCEPT


        So you can see, even if you delete ICMP rules, if the client connection is in conntrack table, it's still accepted by iptables.



        You can read about iptables conntrack table here:




        When a connection has seen traffic in both directions, the conntrack
        entry will erase the [UNREPLIED] flag, and then reset it. The entry
        that tells us that the connection has not seen any traffic in both
        directions, will be replaced by the [ASSURED] flag, to be found close
        to the end of the entry. The [ASSURED] flag tells us that this
        connection is assured and that it will not be erased if we reach the
        maximum possible tracked connections. Thus, connections marked as
        [ASSURED] will not be erased, contrary to the non-assured connections
        (those not marked as [ASSURED]). How many connections that the
        connection tracking table can hold depends upon a variable that can be
        set through the ip-sysctl functions in recent kernels. The default
        value held by this entry varies heavily depending on how much memory
        you have. On 128 MB of RAM you will get 8192 possible entries, and at
        256 MB of RAM, you will get 16376 entries. You can read and set your
        settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.







        share|improve this answer












        From all information you provided, I only guess that when you delete the rules, your Linux PC's ip address is not in iptables conntrack table anymore, so its traffic is dropped. The Windows PC's ip address may still appear in conntrack table, so its traffic is accepted.



        iptables process each rule, from top to bottom. So the order of rules you defined in iptables is very important. In your case, your chain INPUT look like:



        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
        
....
        
-A INPUT -m icmp --icmp-state 8 -j ACCEPT
        
-A INPUT -m icmp --icmp-state 0 -j ACCEPT


        So you can see, even if you delete ICMP rules, if the client connection is in conntrack table, it's still accepted by iptables.



        You can read about iptables conntrack table here:




        When a connection has seen traffic in both directions, the conntrack
        entry will erase the [UNREPLIED] flag, and then reset it. The entry
        that tells us that the connection has not seen any traffic in both
        directions, will be replaced by the [ASSURED] flag, to be found close
        to the end of the entry. The [ASSURED] flag tells us that this
        connection is assured and that it will not be erased if we reach the
        maximum possible tracked connections. Thus, connections marked as
        [ASSURED] will not be erased, contrary to the non-assured connections
        (those not marked as [ASSURED]). How many connections that the
        connection tracking table can hold depends upon a variable that can be
        set through the ip-sysctl functions in recent kernels. The default
        value held by this entry varies heavily depending on how much memory
        you have. On 128 MB of RAM you will get 8192 possible entries, and at
        256 MB of RAM, you will get 16376 entries. You can read and set your
        settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.








        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Aug 15 '14 at 16:32









        cuonglm

        102k23201301




        102k23201301












        • Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
          – chesschi
          Aug 15 '14 at 16:36












        • I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
          – cuonglm
          Aug 15 '14 at 16:39


















        • Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
          – chesschi
          Aug 15 '14 at 16:36












        • I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
          – cuonglm
          Aug 15 '14 at 16:39
















        Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
        – chesschi
        Aug 15 '14 at 16:36






        Is there a way to change this behaviour? I have tried to ping from two Windows PC (one XP and one Windows 7) but both of them have this problem.
        – chesschi
        Aug 15 '14 at 16:36














        I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
        – cuonglm
        Aug 15 '14 at 16:39




        I'm not sure. But I guess Windows may have some entry in registry to edit the time to keep connection alive.
        – cuonglm
        Aug 15 '14 at 16:39













        1














        iptables maintains some state about previous/current connections which can cause changes you issue to iptables to seem to have a delay in being applied. To see and manipulate the state, you first need to have conntrack installed:



        sudo apt-get conntrack


        With that, you can then issue



        sudo conntrack -L


        to see a list of previous/current connections in the state.



        You can clear this state completely by running



        sudo conntrack -F


        However, this will kill any currently open connections even if the current rules in effect would still allow them. You can be more fine-grained with what you can remove from the state table. Run



        sudo conntrack


        to get some basic help on the command. You typically are dealing with the "conntrack" table, which is what the command operates on if the table is not specified. For example, for my use case of turning on or off a NAT, I would run



        sudo conntrack -D --any-nat


        after issuing the appropriate iptables command to turn the nat off or on.






        share|improve this answer


























          1














          iptables maintains some state about previous/current connections which can cause changes you issue to iptables to seem to have a delay in being applied. To see and manipulate the state, you first need to have conntrack installed:



          sudo apt-get conntrack


          With that, you can then issue



          sudo conntrack -L


          to see a list of previous/current connections in the state.



          You can clear this state completely by running



          sudo conntrack -F


          However, this will kill any currently open connections even if the current rules in effect would still allow them. You can be more fine-grained with what you can remove from the state table. Run



          sudo conntrack


          to get some basic help on the command. You typically are dealing with the "conntrack" table, which is what the command operates on if the table is not specified. For example, for my use case of turning on or off a NAT, I would run



          sudo conntrack -D --any-nat


          after issuing the appropriate iptables command to turn the nat off or on.






          share|improve this answer
























            1












            1








            1






            iptables maintains some state about previous/current connections which can cause changes you issue to iptables to seem to have a delay in being applied. To see and manipulate the state, you first need to have conntrack installed:



            sudo apt-get conntrack


            With that, you can then issue



            sudo conntrack -L


            to see a list of previous/current connections in the state.



            You can clear this state completely by running



            sudo conntrack -F


            However, this will kill any currently open connections even if the current rules in effect would still allow them. You can be more fine-grained with what you can remove from the state table. Run



            sudo conntrack


            to get some basic help on the command. You typically are dealing with the "conntrack" table, which is what the command operates on if the table is not specified. For example, for my use case of turning on or off a NAT, I would run



            sudo conntrack -D --any-nat


            after issuing the appropriate iptables command to turn the nat off or on.






            share|improve this answer












            iptables maintains some state about previous/current connections which can cause changes you issue to iptables to seem to have a delay in being applied. To see and manipulate the state, you first need to have conntrack installed:



            sudo apt-get conntrack


            With that, you can then issue



            sudo conntrack -L


            to see a list of previous/current connections in the state.



            You can clear this state completely by running



            sudo conntrack -F


            However, this will kill any currently open connections even if the current rules in effect would still allow them. You can be more fine-grained with what you can remove from the state table. Run



            sudo conntrack


            to get some basic help on the command. You typically are dealing with the "conntrack" table, which is what the command operates on if the table is not specified. For example, for my use case of turning on or off a NAT, I would run



            sudo conntrack -D --any-nat


            after issuing the appropriate iptables command to turn the nat off or on.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Apr 11 '17 at 15:27









            aggieNick02

            1112




            1112























                0














                You can explicitly block the ICMP protocol by adding the rule at the beginning of your ruleset:



                iptables -I INPUT -p icmp -j DROP



                One thing to note, the RELATED,ESTABLISHED rule should be the last rule in your ruleset. Otherwise the ESTABLISHED state will match packets that are meant to match other rules eventually throwing off your counters and making debugging a nightmare, such as what you're currently experiencing






                share|improve this answer


























                  0














                  You can explicitly block the ICMP protocol by adding the rule at the beginning of your ruleset:



                  iptables -I INPUT -p icmp -j DROP



                  One thing to note, the RELATED,ESTABLISHED rule should be the last rule in your ruleset. Otherwise the ESTABLISHED state will match packets that are meant to match other rules eventually throwing off your counters and making debugging a nightmare, such as what you're currently experiencing






                  share|improve this answer
























                    0












                    0








                    0






                    You can explicitly block the ICMP protocol by adding the rule at the beginning of your ruleset:



                    iptables -I INPUT -p icmp -j DROP



                    One thing to note, the RELATED,ESTABLISHED rule should be the last rule in your ruleset. Otherwise the ESTABLISHED state will match packets that are meant to match other rules eventually throwing off your counters and making debugging a nightmare, such as what you're currently experiencing






                    share|improve this answer












                    You can explicitly block the ICMP protocol by adding the rule at the beginning of your ruleset:



                    iptables -I INPUT -p icmp -j DROP



                    One thing to note, the RELATED,ESTABLISHED rule should be the last rule in your ruleset. Otherwise the ESTABLISHED state will match packets that are meant to match other rules eventually throwing off your counters and making debugging a nightmare, such as what you're currently experiencing







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Aug 15 '14 at 18:31









                    Creek

                    3,69611229




                    3,69611229























                        0














                        this is normal behavior and what RELATED,ESTABLISHED is supposed to do



                        "the RELATED,ESTABLISHED rule should be the last rule in your rulese" is complete nonsense, you don't want hop through the whole chain for every answer package and without an explicit reject/drop before it won't change the behavior anyways but making processing every single package more expensive because it's evaluating every rule and the last one accepts it



                        have fun pass the 838 million packages through 27 rules in the forward chain for no good reason - a proper ruleset is ordered by the rules with most hits on top and a final reject/drop rule at the end



                        Chain FORWARD (policy DROP 0 packets, 0 bytes)
                        num pkts bytes target prot opt in out source destination
                        1 838M 852G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
                        2 35M 1912M INBOUND all -- wan lan 0.0.0.0/0 0.0.0.0/0 0






                        share|improve this answer


























                          0














                          this is normal behavior and what RELATED,ESTABLISHED is supposed to do



                          "the RELATED,ESTABLISHED rule should be the last rule in your rulese" is complete nonsense, you don't want hop through the whole chain for every answer package and without an explicit reject/drop before it won't change the behavior anyways but making processing every single package more expensive because it's evaluating every rule and the last one accepts it



                          have fun pass the 838 million packages through 27 rules in the forward chain for no good reason - a proper ruleset is ordered by the rules with most hits on top and a final reject/drop rule at the end



                          Chain FORWARD (policy DROP 0 packets, 0 bytes)
                          num pkts bytes target prot opt in out source destination
                          1 838M 852G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
                          2 35M 1912M INBOUND all -- wan lan 0.0.0.0/0 0.0.0.0/0 0






                          share|improve this answer
























                            0












                            0








                            0






                            this is normal behavior and what RELATED,ESTABLISHED is supposed to do



                            "the RELATED,ESTABLISHED rule should be the last rule in your rulese" is complete nonsense, you don't want hop through the whole chain for every answer package and without an explicit reject/drop before it won't change the behavior anyways but making processing every single package more expensive because it's evaluating every rule and the last one accepts it



                            have fun pass the 838 million packages through 27 rules in the forward chain for no good reason - a proper ruleset is ordered by the rules with most hits on top and a final reject/drop rule at the end



                            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                            num pkts bytes target prot opt in out source destination
                            1 838M 852G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
                            2 35M 1912M INBOUND all -- wan lan 0.0.0.0/0 0.0.0.0/0 0






                            share|improve this answer












                            this is normal behavior and what RELATED,ESTABLISHED is supposed to do



                            "the RELATED,ESTABLISHED rule should be the last rule in your rulese" is complete nonsense, you don't want hop through the whole chain for every answer package and without an explicit reject/drop before it won't change the behavior anyways but making processing every single package more expensive because it's evaluating every rule and the last one accepts it



                            have fun pass the 838 million packages through 27 rules in the forward chain for no good reason - a proper ruleset is ordered by the rules with most hits on top and a final reject/drop rule at the end



                            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                            num pkts bytes target prot opt in out source destination
                            1 838M 852G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
                            2 35M 1912M INBOUND all -- wan lan 0.0.0.0/0 0.0.0.0/0 0







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Dec 19 '18 at 11:45









                            Harald Reindl

                            1




                            1






























                                draft saved

                                draft discarded




















































                                Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.





                                Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                                Please pay close attention to the following guidance:


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150430%2fdelay-when-iptables-icmp-rules-take-effect%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                -

                                Popular posts from this blog

                                Morgemoulin

                                Image
                                Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré...
                                Read more

                                Scott Moir

                                Image
                                Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S...
                                Read more

                                Souastre

                                Image
                                Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe...
                                Read more