LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-20-2006, 11:39 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
icmp,udp,igmp


From a security point of view what tipes of icmp packets i can accept with iptables and what type i can drop !I don't want my servers to be pingable by external clients , i want protections by floods , and i don't want applications have difficulties because no icmp allowed .
Code:
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
This also for udp and igmp ... thanks !
 
Old 07-21-2006, 01:46 AM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Do you have any port open to the public?

I mean there is no reason to "stealth" yourself by disallowing icmp while on the other side you have a well known open port.

If somebody wants to flood you, wether or not you accept these packets, your network line will be dead. If you accept them, your cpu will also go crazy. If you refuse them very early in the network stack, it will mitigate the problem.

If you use path mtu discovery (is used by default, see sysctl -a) you have to let in the "icmp unreachable need fragmentation" otherwise it won't work.

You can add this for basic network connectivity test:
icmp echo, icmp echo_reply aka ping

Icmp time exceeded can be important also and you should let them in.

Only ping will elicit an answer so that will show your presence but once again I repeat if you have one open port, you are not stealth anymore so there is no point.

You could ratelimit all the icmp that come in.
You should ratelimit all the icmp that go out (icmp echo) so that you are not used as a (D)DOS amplifier.

IGMP no need
UDP well depends if you have a server running on an UDP port.. rare and more risky (but used by DNS response)

Last edited by nx5000; 07-21-2006 at 01:49 AM.
 
Old 07-21-2006, 09:14 PM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Do you know a link where all this is explained ?????????
The point is being reachble just by browser on port 80 , just by client-ftp on 21 ecc.Icmp messages or echo replies give to the outside lots of infos.For sure i want to understand deeper these tecnics of intrusion by icmp (tools like hping3) but if i have a pc on line with no public services and i want to be stealthy , i switch it off !

Last edited by gabsik; 07-21-2006 at 09:22 PM.
 
Old 07-22-2006, 04:10 AM   #4
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Always allow ICMP errors & replies. It can be done quickly and in a safe way with iptables:
Code:
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
If you want to be safe, then use the deny-by-default approach: specify the type of traffic you need or like and drop the rest. To be stealth, make sure you DROP these packets (in iptables' terms) rather than REJECT them. If you don't prefer to use deny-by-default, then consider these ICMP types:

On input:
+ Echo, Timestamp, Address Mask & Information requests
+ Redirect, Router advertisement & Router solicitation.
Block them all except Echo requests if you want to ping your machine from the outside.

On output:
+ Destination Unreachable: They are sent in response to closed UDP (& TCP too) port requests.
+ Time Exceeded: Used by traceroute to know it reached the target.


There's more information at:
+ man 7 icmp
+ http://www.frozentux.net/
+ the various ICMP RFC's out there. See http://www.faqs.org/rfcs/rfc-index.html and http://www.networksorcery.com/enp/protocol/icmp.htm
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
UDP: Short Packets: and UDP bad checksum: entries in dmesg minutes2memories Linux - Networking 2 02-26-2006 08:28 PM
what is IGMP protocol about? I thought only ICMP, TCP, UDP servnov Linux - General 3 12-25-2004 08:00 PM
How to receive UDP and ICMP packets, by one UDP socket(PMTUD) myself_rajat Linux - Networking 0 05-28-2004 06:43 AM
UDP socket and ICMP messages myself_rajat Linux - Networking 0 05-25-2004 09:49 AM
Terms re icmp, udp, etc. satimis Linux - Networking 2 09-23-2003 12:22 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:33 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration