Bug 125377 - can't generate icmp rules for iptables
Product: Fedora
Classification: Fedora
Component: iptables
i686 Linux
medium Severity medium
Assigned To: Thomas Woerner
Ben Levenson
Reported: 2004-06-05 09:52 EDT by Lynda Sweetman
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-06-07 05:36:59 EDT
Description Lynda Sweetman 2004-06-05 09:52:37 EDT
Description of problem: When I attempt to add an INPUT rule in iptables with '-m icmp --icmp-type all' I get "iptables: Invalid argument". I try to load ipt_icmp through /etc/sysconfig/iptables-config. When my computer boots, it returns a FAILED when the iptables modules are being loaded. When I manually try loading each one that is listed in /etc/sysconfig/iptables-config, only the ipt_icmp fails. There is a /lib/iptables/libipt_icmp.so, but no /lib/modules/2.6.5-1.358/kernel/net/ipv4/netfilter/ipt_icmp.ko. Is this why I get a FAILED? I have iptables set up on a minimal install, on a computer that is a bridge/router/firewall for a cable modem internet connection. I have 4 NICs enslaved in a bridge, all with one IP address, which is the LAN's gateway. The bridge works fine, and I can hand out IP addresses thru dhcpd okay. I can also ping the bridge interface alright from the firewall, but I cannot ping it from the computers attached, nor ping any other computer also connected to the bridge. I can ping internet addresses okay (which are masqueraded and forwarded), but nothing locally. If I allow all activity on the LAN side (which I have done), do I need the icmp module loaded to be able to ping all LAN interfaces? I also noticed that there are no ftp or ftp_conntrack modules listed in /lib/modules/2.6.5-1.358/kernel/net/ipv4/netfilter/. Is this intentional?

Version-Release number of selected component (if applicable):iptables-

How reproducible: Every time

Steps to Reproduce:
1. Entered 'ipt_icmp' in the correct format after "IPTABLES MODULES" in /etc/sysconfig/iptables-config; saved and exited.
2. Restarted the iptables service or rebooted.
Actual results: Loading additional iptables modules: (shows names of modules) [FAILED]
iptables shows 'invalid argument' for adding rules using the icmp 

Expected results: The ipt_icmp module should have loaded, and adding icmp rules should not return error messages.

Additional info: I am running bridge-utils-0.9.6-3.1. Is this a bridge or an iptables problem? It seems like other people can ping their bridges and through them. Or do I need ebtables to do just that?
Comment 1 Lynda Sweetman 2004-06-06 09:30:46 EDT
Whoops. There are ftp modules, what was I thinking?
Comment 2 Thomas Woerner 2004-06-07 05:36:59 EDT
There is no kernel module ipt_icmp and no icmp-type "all".
You have to use "-p icmp -m icmp --icmp-type any".

"iptables -p icmp -h" prints all icmp type names.
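
The rule form given in Comment 2 can be checked mechanically before a ruleset is loaded. The following shell linter is an added example, not part of the original bug report or of the iptables project; the function names `lint_icmp_rules` and `lint_modules_line` and the sample rules are constructed for illustration, and `IPTABLES_MODULES` is the variable set in /etc/sysconfig/iptables-config.

```shell
#!/bin/sh
# Added example: lint iptables rule text for the mistakes seen in this bug.
# Reads rule lines on stdin, prints one finding per problem, returns 1 if any.
lint_icmp_rules() {
    lint_rc=0
    lint_n=0
    while IFS= read -r line; do
        lint_n=$((lint_n + 1))
        case "$line" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        # Per the reply: there is no ICMP type "all"; the catch-all is "any".
        case " $line " in
            *' --icmp-type all '*)
                echo "line $lint_n: --icmp-type all is invalid, use --icmp-type any"
                lint_rc=1 ;;
        esac
        # The working form in the reply pairs -m icmp with -p icmp.
        case " $line " in
            *' -m icmp '*|*' --icmp-type '*)
                case " $line " in
                    *' -p icmp '*|*' --protocol icmp '*) ;;
                    *)
                        echo "line $lint_n: icmp match without -p icmp"
                        lint_rc=1 ;;
                esac ;;
        esac
    done
    return "$lint_rc"
}

# Flags ipt_icmp in an IPTABLES_MODULES="..." line from iptables-config;
# per the reply there is no such kernel module, and the reporter saw FAILED.
lint_modules_line() {
    case "$1" in
        IPTABLES_MODULES=*ipt_icmp*)
            echo "IPTABLES_MODULES lists ipt_icmp, which is not a kernel module"
            return 1 ;;
    esac
    return 0
}

# Constructed sample ruleset (not taken from the reporter's system).
SAMPLE_RULES='-A INPUT -m icmp --icmp-type all -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | lint_icmp_rules || echo "ruleset needs fixing"
```

The linter only inspects text, so it can run on a saved rules file on a machine without iptables installed.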
