Linux - Security
hi people!
for weeks, when i try to run my netwatch to monitor my internet connection, i always see i088235073.rivernet.com.au trying to send me an icmp echo.
how do i stop this bogus site?? i need help....thanks!
$ host i088235073.rivernet.com.au
i088235073.rivernet.com.au has address 203.88.235.73
anyway, the most simple thing to stop those ICMP packets is to block all ICMP traffic
to your pc.
So add some rules to iptables to block every ICMP that comes to your pc but don't block
the ones you requested
Code:
# this allows outgoing pings
/sbin/iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
# this makes that ICMP requests to your pc will be dropped, unless you've
# requested them (echo-reply || destination-unreachable || time-exceeded)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -i eth0 -j DROP
Feel free to change values, you might not be using eth0 and the -s 0/0 may be useless
too.
/sbin/iptables -A OUTPUT -p icmp -o eth0 -m state --state NEW -j ACCEPT
This will only allow NEW pings to get out, but nothing that is related with incoming connections, i.e. RELATED, ESTABLISHED... I think this might stop echo replies even if you accepted the incoming echo request. Or is this unnecessary or even complete crap?
IMHO it's useless, I'm only allowing ICMP packets that answer my outgoing ICMP's.
So I don't see how an echo-reply or destination-unreachable or time-exceeded ICMP
can trigger a new outgoing one locally.
But... I could be wrong.
What about states to make it even safer?
ICMP doesn't maintain state. It's not using "conversations" like TCP does. ICMP is a "message" protocol: it "warns" when networks, hosts or ports are not (made) accessible. For instance if you connect to a restricted TCP port, you get a TCP message back. For the same UDP port you get an ICMP message back. Not all ICMP types are necessary or should be allowed (redirects or broadcast responses for instance): there are /proc/sys/net settings for a lot of ICMP stuff, like for example ignoring echoes. To harden the rules Iceman47 gave you, you could add in/outbound ratelimits and deny ICMP types/codes you don't want/need.
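As an added example that is not part of the thread (not Iceman47's or unSpawn's rules), the script below puts the suggestions above together: a reviewable, printed-not-executed ICMP ruleset with the sysctl knobs for broadcast echoes and redirects, a rate limit on inbound echo-request, a rate-limited LOG rule so dropped ICMP leaves a trace, and a small parser that summarises those log lines per source and ICMP type so you can see who is pinging you and how often. The interface name eth0, the "ICMP-DROP: " log prefix and the sample log lines are constructed for the example. One detail worth knowing when reading the state rule: the ICMP protocol itself has no sessions, but Netfilter's connection tracker does pair an echo-reply with the echo-request you sent and marks error messages (destination-unreachable, time-exceeded) as RELATED to the flow that caused them, which is what lets a single ESTABLISHED,RELATED rule replace the three per-type ACCEPT lines.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables with the "state"
# and "limit" match modules, the LOG target, and an interface named eth0.
IFACE="${IFACE:-eth0}"

# Print the ruleset instead of applying it, so it can be reviewed first.
# To apply as root:  icmp_rules | sh
icmp_rules() {
    cat <<EOF
# Ignore echo requests sent to broadcast/multicast addresses (smurf-style traffic).
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# A host that does not route should not accept ICMP redirects.
sysctl -w net.ipv4.conf.all.accept_redirects=0
# Replies and errors that belong to traffic this box sent (conntrack pairs them).
iptables -A INPUT -p icmp -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound echo-request only at a bounded rate; everything above the limit falls through.
iptables -A INPUT -p icmp --icmp-type echo-request -i $IFACE -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Log a sample of what is about to be dropped, then drop all remaining ICMP.
iptables -A INPUT -p icmp -i $IFACE -m limit --limit 3/minute -j LOG --log-prefix "ICMP-DROP: "
iptables -A INPUT -p icmp -i $IFACE -j DROP
# Our own outgoing ICMP (pings, errors we generate) is allowed.
iptables -A OUTPUT -p icmp -o $IFACE -j ACCEPT
EOF
}

# Constructed sample of kernel LOG output produced by the rule above (not real data).
SAMPLE_LOG='Jan  1 10:00:01 host kernel: ICMP-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Jan  1 10:00:02 host kernel: ICMP-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=2
Jan  1 10:00:03 host kernel: ICMP-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=ICMP TYPE=5 CODE=1
Jan  1 10:00:04 host kernel: ICMP-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=3'

# Read LOG lines on stdin; print "<count> <src> type=<icmp type>", busiest first.
# Usage:  icmp_drop_summary < /var/log/messages
icmp_drop_summary() {
    grep 'ICMP-DROP:' | awk '{
        src = ""; type = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)  src  = substr($i, 5);   # strip "SRC="
            if ($i ~ /^TYPE=/) type = substr($i, 6);   # strip "TYPE="
        }
        if (src != "") count[src " type=" type]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Convenience: the single busiest source/type pair from the sample log.
top_icmp_source() {
    printf '%s\n' "$SAMPLE_LOG" | icmp_drop_summary | head -n 1
}

# Stand-alone run: show the ruleset, then the summary of the sample log.
icmp_rules
printf '%s\n' "$SAMPLE_LOG" | icmp_drop_summary
```

Type 8 is echo-request and type 5 is redirect, so the summary for the sample shows one host sending three echo requests and another sending a redirect; against a real /var/log/messages the same function tells you whether the traffic is a handful of monitoring pings or something worth a rate limit or a per-host DROP.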
Aha, I didn't know that. But... What is an echo-reply then? Or do you mean that the echo-reply doesn't contain any information about being a "related" packet to the incoming echo-request? And that TCP packets have for instance the ACK bit set, to say "hey, I belong to an established connection"?
Ah, sorry, I don't mean to hijack the thread, I'm just curious :]
For example: you send a ping out, server gets the packet and returns an ICMP with echo-reply set, so you know the server's up.
As your box requested the ICMP, your box knows when an echo-reply returns it's his.
There's no conversation like TCP in UDP, like unSpawn said.
echo-reply doesn't contain any information about being a "related"
Exactly.
By the way... I would like to express my doubts about blocking all ICMP stuff.
This is actually too restrictive, in my opinion. Limiting the amount of them over a range of time is enough. Don't forget ICMP data is a part of networking infrastructure. I would suggest people stop saying "block all ICMPs".
I don't say "block all ICMP", I say allow those that you want, drop the rest
Sorry iceman, i didn't mean that. I'm actually quite nervous today and I misunderstood a little.
My "I would suggest people stop saying "block all ICMPs". " actually was a general comment and not targeted at you. I meant I am bored of people believing to be cool and suggesting to block ICMPs.