Red Hat Bugzilla – Bug 125377
can't generate icmp rules for iptables
Last modified: 2007-11-30 17:10:44 EST
Description of problem: When I attempt to add an INPUT rule in
iptables with '-m icmp --icmp-type all' I get "iptables: Invalid
argument". I try to load ipt_icmp through
/etc/sysconfig/iptables-config. When my computer boots, it returns a
FAILED when the iptables modules are being loaded. When I manually try
loading each one that is listed in /etc/sysconfig/iptables-config,
only the ipt_icmp fails. There is a /lib/iptables/libipt_icmp.so, but no
/lib/modules/2.6.5-1.358/kernel/net/ipv4/netfilter/ipt_icmp.ko. Is
this why I get a FAILED? I have iptables set up on a minimal install,
on a computer that is a bridge/router/firewall for a cable modem
internet connection. I have 4 NICs enslaved in a bridge, all with one IP
address, which is the LAN's gateway. The bridge works fine, and I can
hand out IP addresses thru dhcpd okay. I can also ping the bridge
interface alright from the firewall, but I cannot ping it from the
computers attached, nor ping any other computer also connected to the
bridge. I can ping internet addresses okay (which are masqueraded and
forwarded), but nothing locally. If I allow all activity on the LAN
side (which I have done), do I need the icmp module loaded to be able
to ping all LAN interfaces? I also noticed that there are no ftp or
ftp_conntrack modules listed in
/lib/modules/2.6.5-1.358/kernel/net/ipv4/netfilter/. Is this intentional?
Version-Release number of selected component (if applicable): iptables-
How reproducible: Every time
Steps to Reproduce:
1. Entered 'ipt_icmp' in the correct format after "IPTABLES MODULES"
in /etc/sysconfig/iptables-config; saved and exited.
2. Restarted the iptables service or rebooted.
Actual results: Loading additional iptables modules: (shows names of
iptables shows 'invalid argument' for adding rules using the icmp
Expected results: The ipt_icmp module should have loaded, and adding
icmp rules should not return error messages.
Additional info: I am running bridge-utils-0.9.6-3.1. Is this a bridge
or an iptables problem? It seems like other people can ping their
bridges and through them. Or do I need ebtables to do just that?
Whoops. There are ftp modules, what was I thinking?
There is no kernel module ipt_icmp and no icmp-type "all".
You have to use "-p icmp -m icmp --icmp-type any".
"iptables -p icmp -h" prints all icmp type names.
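
The points in the reply above, turned into a small lint for rule lines and module lists. This is an added example, not part of the bug report or of iptables; the function names, finding labels and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the two mistakes discussed in this bug report.

# lint_icmp_rule RULE
# Prints space-separated findings for one iptables rule line, or "ok".
# Returns 0 when the rule is clean, 1 otherwise.
lint_icmp_rule() {
    # Collapse runs of blanks and pad so every token is space-delimited.
    rule=" $(printf '%s' "$1" | tr -s ' \t' '  ') "
    findings=""

    # There is no icmp-type "all"; the reply gives "any" instead.
    case "$rule" in
        *" --icmp-type all "*) findings="$findings type-all-should-be-any" ;;
    esac

    # Per the reply, the icmp match goes together with "-p icmp".
    case "$rule" in
        *" -m icmp "*|*" --icmp-type "*)
            case "$rule" in
                *" -p icmp "*|*" --protocol icmp "*) ;;
                *) findings="$findings missing-p-icmp" ;;
            esac ;;
    esac

    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
        return 1
    fi
    printf 'ok\n'
}

# lint_modules "MODULE LIST"
# Flags ipt_icmp in a module list such as the one kept in
# /etc/sysconfig/iptables-config: no kernel module of that name exists.
lint_modules() {
    case " $1 " in
        *" ipt_icmp "*) printf 'remove ipt_icmp\n'; return 1 ;;
    esac
    printf 'ok\n'
}

# Constructed sample rules: the form from the report, then the corrected form.
while IFS= read -r r; do
    printf '%s\n  -> %s\n' "$r" "$(lint_icmp_rule "$r")"
done <<'EOF'
-A INPUT -m icmp --icmp-type all -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
EOF
```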