1

iptables | Types of ICMP: which ones are (potentially) harmful?

view story
linux-howto

http://serverfault.com – I read that certain types¹ of ICMP packets can be harmful. Questions: Which ones and why? How should I layout an iptables ruleset to handle each type of ICMP packet? Should I rate-limit any of these types of ICMP packets? And how? [¹] The types I read about: Redirect (5), Timestamp (13) and Address Mask Request (17). Please don't consider just these on your answer. More info It's a web server on a VPS with Ubuntu Server. The goal I'm trying to make the system safer, mitigate the risk of some D/DoS attacks and general abuse. Related Is my linux firewall secure? Why not block ICMP? (HowTos)

grtyyu's picture
Submitted by grtyyu on 12/12/2011

Stories similar to iptables | Types of ICMP: which ones are (potentially) harmful?

How to stop a ICMP attack? 33 weeks 18 hours ago

We are under a heavy icmp flood attack. Tcpdump shows the result below. Altough we have blocked ICMP with iptables tcpdump still prints icmp packets. I've also attached iptables configuration and "top" result.

In iptables, I added the rules as below to limit the incoming icmp request packet rate. But it didn't work. Because after the 1st incoming icmp request was accepted by the 1st rule and my host replied, all the following icmp request will accepted by the 2nd rule, which will accept the incoming icmp request as ESTABLISHED state packet.

How can I set ICMP rate-limiting in a Cisco router? Here on the manual page they only talk about ICMP unreachable messages:

ip icmp rate-limit unreachable [df] [ms] [log [packets] [interval-ms]]

Is there anything that also includes other ICMP message types? For instance, what if I want to set a limit on the number of time-exceeded messages sent?

Using iptables I am trying to reject packets (I want to return an ICMP message).

iptables -A FORWARD [...] -j REJECT --reject-with icmp-port-unreach

The packets are dropped but using tcpdump I can see no ICMP. What gives ? Am I doing something wrong ?

I wanna block ping from outside the company to my server, so I have the following iptables rules:

-A INPUT -p icmp --icmp-type 8 -s ! 192.168.0.0/16 -j DROP -A OUTPUT -p icmp --icmp-type 0 -d ! 192.168.0.0/16 -j DROP

However, the above rules aren't working as expected, I can still ping the server from both inside and outside the company. What's wrong with that?!

I am setuping my server and I must disable the ping requests for everyone except me and a list of hosts (aaa.bbb.ccc.ddd). I am using the tool ufw, on ubuntu server, I read that I have to comment those lines: ok icmp codes

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --

iptables matching syntax 15 weeks 2 days ago

For the following iptables rule:

iptables -A INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT

I am not sure what the point of "-m" is given that "-p" is already present. Does it serve any purpose in this case?

CentOS 4.x

I've got several old CentOS 4.x systems and have configured iptables to allow ICMP traffic.

filter packet 1 year 3 weeks ago

Exercise: Protection of WEB and DNS servers using the context-free rules for packet filtering: - Protect your WEB-server, so that would be for him can be accessed by browsers, and could go to dns. - Protect your primary DNS-server so that it could be to contact clients and secondary servers. - Allow ICMP ping to / from your site (s). - the rest is declined.

My solution that:

Code: