Description
Filtering ICMP on Linux!
Someone say that it’s absolutely necessary to block all ICMP, and bye-bye
all needed commands, like traceroute
, ping
…
Others replies:
yes, but… it’s still convenient to use such commands except that…
The obvious purpose of ICMP is to report error messages, status informations, related to the IP protocol (including Internet), to the delivery of the IP packets.
This interesting goal has its flaws:
- map your entire network,
- seek to attack your network, through some well-known attacks — such as DOS ; see Smurf, the famous Ping of the Death, … —
Few attacks allow to attack others network protocols, such SlowLoris againt the TCP protocol, and the HTTP service…
Frozen?standard reaction…
In this article, we will learn how to handle ICMP correctly, taking into account the recommendations made by recognized organizations, such as the IETF, the IANA, through different RFCs, which will all be named.
Manage ICMP
Refuse
The following codes are known to be deprecated, dangerous to use, and therefore not to be used:
- 3/6 - Destination Network Unknown
- 3/8 - Source Host Isolated
- 4/0 - Source Quench
- 15/0 - Information Request Message
- 16/0 - Information Reply Message
ATTENTION: IANA, about the depreciation of Source Quench, recommends to log such packets and to remove them without warnings (DROP)
See: reference
Let’s not even hesitate: the corresponding messages must ABSOLUTELY be refused!
Egual, IANA considers the following codes to be deprecated and to be filtered — all discretion is left to the administrators to choose his filtering mode. See: reference
-
6/0 - Alternate Host Address
-
15 - Information Request
-
16 - Information Reply
-
17 - Address Mask Request
-
18 - Address Mask Reply
-
30 - Traceroute
-
31 - Datagram Conversion Error
-
32 - Mobile Host Redirect
-
33 - IPv6 Where-Are-You
-
34 - IPv6 I-Am-Here
-
35 - Mobile Registration Request
-
36 - Mobile Registration Reply
-
37 - Domain Name Request
-
38 - Domain Name Reply
-
39 - SKIP
It’s your choice: will you destroy them in paranoid mode‽
Extermination, extermination, extermination…
traceroute
is able to work on UDP:53, TCP:80… and even imitate ICMP:8/0!Limit
The recommendations are to limit, in input AND output:
- 0/0 - Echo Reply Message - (the famous Ping reply: THE Pong, what else :p)
- all type 3 - Destination Unreachable -
- except a slightly special treatment for 3/7 - Destination Host Unknown - just to limit in ouput and ignore in input.
- all 5 - Redirect
- 8/0 - Echo Message - (the famous Ping)
- 9/0 - Router Advertisement Message
- 10/0 - Router Solicitation Message
- all 11 - Time Exceeded -
- Useful for
traceroute
, as well as the 30/0 code.
- Useful for
- all 12 - Parameter Problem
- 13/0 - Timestamp Message
- 14/0 - Timestamp Reply Message
- 17/0 - Address Mask Request
- 18/0 - Address Mask Reply
As instance, in the context of Linux, use the Iptables match limit
option…
Examples
Paranoid ICMP
In paranoid mode, you can open:
- in output: 8/0,
- and in input, the relative 0/0 code — so you can ping yourself…
- and, prevent others doing same!
- and finally, drop all others code
iptables -A INPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -m limit --limit 3/s --limit-burst 7 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -m limit --limit 3/s --limit-burst 7 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
Limit ICMP
Here is an example, based on the understanding of the IETF recommendations,
of ICMP limited rules, and reject all others codes with the
icmp-host-prohibited
messages.
/sbin/iptables -A INPUT -i ethX -p icmp -m limit --limit 3/s --limit-burst 7 -j icmp4in
/sbin/iptables -A icmp4in -p icmp -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Echo reply"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Destination Net Unreachable"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Destination Host Unreachable"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 3/3 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Destination Port Unreachable"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP PathMTU Discovery"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 3/6 -j DROP
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 3/8 -j DROP
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 4 -j DROP
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 5 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Redirect mssg"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 8/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Echo mssg"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 9/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Router Advertisement Message"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 10/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Router Solicitation Message"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Time exceeded"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Param pb"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 13/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Timestamp Message"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 14/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Timestamp Reply Message"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 15 -j DROP
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 16 -j DROP
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 17/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Address Mask Request"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 18/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Address Mask Reply"
/sbin/iptables -A icmp4in -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -m comment --comment "ICMP Traceroute"
# REJECT Others
/sbin/iptables -A icmp4in -p icmp -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -A OUTPUT -o ethX -p icmp -m limit --limit 3/s --limit-burst 7 -j icmp4out
/sbin/iptables -A icmp4out -p icmp -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/3 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/6 -j DROP
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/7 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 3/8 -j DROP
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 4/0 -j DROP
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 5 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 8/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 9/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 10/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 13/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 14/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 15 -j DROP
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 16 -j DROP
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 17/0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 18/0 -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
/sbin/iptables -A icmp4out -p icmp -j REJECT --reject-with icmp-host-prohibited
Documentation
IETF
IETF is a well-known recognized organization that writes many technical documents whose purpose is to improve the technicality, the security to use the network protocols.
Some existing documents insist on filtering ICMP, even ICMPv6, as:
These documents are all interesting, some are old, others more recent, and have the goal to think seriously about the security, to set up around ICMP.
The “ICMP filtering” draft paper discuss about IPv4 and IPv6 protocols, and explains what attacks are possible, give useful recommendations, which range from refuse some packets to limit others.
Clearly, certain messages codes are absolutely to be block, to refuse, like ICMP 4/0, alias “Source Quench”, wich is explicetely deprecated, not to be used anymore… but it’s not the only one!