Now let us try adding a rule. As an example, let us imagine we want to block ICMP packets to disallow "pinging" of our Linux box.
You may do that to avoid various Denial of Service attacks that could be launched against your system. Block ICMP with a command like the following:
# ipchains -A input -p icmp -j DENY
This specifies that we are adding a rule to the input chain. It will match any ICMP packet and will drop it rather than allowing it through. Now if you are using the ping command against your Linux box, you should receive no response. Type the ipchains -L command again, and you will see something like this:
You can see your new rule listed. This rule will block all ICMP packets entering your system, regardless of which computer sent those packets. If your Linux system is acting as a router, it will also block ICMP packets that are being forwarded from the Internet to your network, or vice versa. People on the Internet will be unable to ping anything on your network. Likewise, you will be unable to ping anything on the Internet. Perhaps that is not what you want. Let us assume then that you wish to block pinging of systems on your network by people on the Internet, but allow pinging of the router and allow the router to ping hosts on the Internet. First, we should flush the contents of the input chains using the -F parameter; then we can add our new rule.
Now we can ping the Linux system and the Linux system can ping other boxes, but ping requests will not be passed through the Linux system. If you wish, use the ipchains -L command to verify that the rule has now been added to the forward chain rather than the input chain. You may also wish to block the telnet protocol when coming from the Internet. For this example, let us assume that our Linux router is connected to the Internet via a dialup connection called ppp0 and is connected to our internal LAN via an Ethernet connection called eth0. In that case, you could block telnet with a command like the following:
This rule basically says that any TCP packet with a destination port of 23 (the telnet port as specified in /etc/services) that is arriving on the ppp0 interface should be dropped. This does not prevent you from telnetting to your Linux box from your internal network, but it does block telnet access from the Internet.
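The ruleset this section builds up (flush the input chain, deny forwarded ICMP, deny telnet arriving on the Internet-facing interface) packaged as a small script. This is an added example, not code from the original text; the forward-chain ICMP command and the telnet command are reconstructed from the prose, and the interface name ppp0 is assumed. Setting IPCHAINS=echo previews the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original text): the ruleset described above as
# shell functions. Run as root on a kernel with ipchains; set IPCHAINS=echo to
# preview the commands instead of applying them.
# Assumption: the forward-chain ICMP rule and the telnet rule are reconstructed
# from the prose; the page does not show those exact command lines.

EXT_IF=${EXT_IF:-ppp0}     # interface facing the Internet (assumed name)

chain() {
    # Indirection so dry runs and tests can substitute 'echo' for ipchains.
    "${IPCHAINS:-ipchains}" "$@"
}

flush_input() {
    # -F empties the input chain, removing the earlier blanket ICMP rule.
    chain -F input
}

block_forwarded_icmp() {
    # Deny ICMP on the forward chain only: the router itself can still ping
    # and be pinged, but no ping crosses between the LAN and the Internet.
    chain -A forward -p icmp -j DENY
}

block_telnet_from() {
    # Drop TCP to destination port 23 arriving on the given interface; the
    # LAN side is unaffected because the rule is bound to that interface.
    chain -A input -p tcp -i "$1" -d 0.0.0.0/0 23 -j DENY
}

show_rules() {
    # -L lists the chains; -n keeps addresses and ports numeric.
    chain -L -n
}

apply_ruleset() {
    flush_input
    block_forwarded_icmp
    block_telnet_from "$EXT_IF"
}

# Usage: sh firewall.sh apply   (or IPCHAINS=echo sh firewall.sh apply)
if [ "${1:-}" = apply ]; then
    apply_ruleset
    show_rules
fi
```

After applying, the ipchains -L listing should show the ICMP rule under the forward chain and the port 23 rule under input with ppp0 as its interface.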