LinuxQuestions.org
Old 07-20-2006, 10:39 PM   #1
gabsik
Member
icmp,udp,igmp


From a security point of view, what types of ICMP packets can I accept with iptables and what types can I drop? I don't want my servers to be pingable by external clients, I want protection from floods, and I don't want applications to have difficulties because no ICMP is allowed.
Code:
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
The same question for UDP and IGMP ... thanks!
 
Old 07-21-2006, 12:46 AM   #2
nx5000
Senior Member
Do you have any port open to the public?

I mean there is no reason to "stealth" yourself by disallowing icmp while on the other side you have a well known open port.

If somebody wants to flood you, whether or not you accept these packets, your network line will be dead. If you accept them, your CPU will also go crazy. If you refuse them very early in the network stack, it will mitigate the problem.

If you use path MTU discovery (it is used by default, see sysctl -a) you have to let in the "icmp unreachable need fragmentation" messages, otherwise it won't work.

You can add this for basic network connectivity test:
icmp echo, icmp echo_reply aka ping

ICMP time exceeded can be important also and you should let them in.

Only ping will elicit an answer so that will show your presence but once again I repeat if you have one open port, you are not stealth anymore so there is no point.

You could ratelimit all the icmp that come in.
You should ratelimit all the icmp that go out (icmp echo) so that you are not used as a (D)DOS amplifier.

IGMP: no need.
UDP: well, it depends if you have a server running on a UDP port.. rare and more risky (but used by DNS responses).

 
Old 07-21-2006, 08:14 PM   #3
gabsik
Member
Do you know a link where all this is explained?
The point is being reachable just by browser on port 80, just by FTP client on 21, etc. ICMP messages or echo replies give lots of info to the outside. For sure I want to understand these techniques of intrusion by ICMP more deeply (tools like hping3), but if I have a PC online with no public services and I want to be stealthy, I switch it off!

 
Old 07-22-2006, 03:10 AM   #4
primo
Member
Always allow ICMP errors & replies. It can be done quickly and in a safe way with iptables:
Code:
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
If you want to be safe, then use the deny-by-default approach: specify the type of traffic you need or like and drop the rest. To be stealthy, make sure you DROP these packets (in iptables' terms) rather than REJECT them. If you prefer not to use deny-by-default, then consider these ICMP types:

On input:
+ Echo, Timestamp, Address Mask & Information requests
+ Redirect, Router advertisement & Router solicitation.
Block them all except Echo requests if you want to ping your machine from the outside.

On output:
+ Destination Unreachable: They are sent in response to closed UDP (& TCP too) port requests.
+ Time Exceeded: Used by traceroute to know it reached the target.


There's more information at:
+ man 7 icmp
+ http://www.frozentux.net/
+ the various ICMP RFCs out there. See http://www.faqs.org/rfcs/rfc-index.html and http://www.networksorcery.com/enp/protocol/icmp.htm
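Putting the advice from replies #2 and #4 together, here is an added example (written for this edit, not posted by anyone in the thread) of a deny-by-default ICMP policy for an Internet-facing Linux server: conntrack-related errors and replies in, fragmentation-needed and time-exceeded in, rate-limited pings in and out, everything else silently dropped. The script name icmp-policy.sh, the IPT variable and the PING_LIMIT/PING_BURST values are assumptions; the ICMP type names are the ones from the list in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: a deny-by-default ICMP policy for an
# Internet-facing Linux server that follows the advice in replies #2 and #4.
# IPT is the iptables binary; set IPT=echo to print the rules instead of
# installing them (no root needed). PING_LIMIT/PING_BURST are assumed values.
IPT="${IPT:-iptables}"
PING_LIMIT="${PING_LIMIT:-5/second}"
PING_BURST="${PING_BURST:-10}"

icmp_input_rules() {
    # Replies and errors that belong to our own connections: echo-reply to our
    # pings, port-unreachable for our UDP queries, and so on.
    $IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Path MTU discovery depends on fragmentation-needed; allow it explicitly
    # rather than relying on conntrack to classify it as RELATED.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # TTL-exceeded errors so our outbound traceroutes work.
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Unsolicited pings: answer a bounded number per second (ALLOW_PING=no
    # makes the host silent to ping, which is what the original poster wanted).
    if [ "${ALLOW_PING:-yes}" = yes ]; then
        $IPT -A INPUT -p icmp --icmp-type echo-request \
            -m limit --limit "$PING_LIMIT" --limit-burst "$PING_BURST" -j ACCEPT
    fi
    # Everything else (redirect, router-advertisement, timestamp-request,
    # address-mask-request, source-quench, ...) is dropped, not rejected.
    $IPT -A INPUT -p icmp -j DROP
}

icmp_output_rules() {
    # Cap the echo-replies we emit so the host cannot act as a ping amplifier;
    # the excess is dropped. Other outbound ICMP (destination-unreachable for
    # closed ports, time-exceeded for traceroute) is left alone.
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply \
        -m limit --limit "$PING_LIMIT" --limit-burst "$PING_BURST" -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
    $IPT -A OUTPUT -p icmp -j ACCEPT
}

# Install the rules only when explicitly asked: `sh icmp-policy.sh apply`.
if [ "${1:-}" = apply ]; then
    icmp_input_rules
    icmp_output_rules
fi
```

`IPT=echo sh icmp-policy.sh apply` prints the rules for review; as root, drop the IPT= prefix to install them, ideally after an `iptables -F INPUT`/`-F OUTPUT` on a chain whose policy is already DROP.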