07-20-2006, 11:39 PM  #1
Member, Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
icmp,udp,igmp
From a security point of view, what types of ICMP packets can I accept with iptables and what types can I drop? I don't want my servers to be pingable by external clients, I want protection from floods, and I don't want applications to have difficulties because no ICMP is allowed.
Code:
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
This also applies to UDP and IGMP ... thanks!
07-21-2006, 01:46 AM  #2
Senior Member, Registered: Sep 2005, Location: Out, Posts: 3,307
Do you have any port open to the public?
I mean there is no reason to "stealth" yourself by disallowing ICMP while on the other side you have a well-known open port.
If somebody wants to flood you, whether or not you accept these packets, your network line will be dead. If you accept them, your CPU will also go crazy. If you refuse them very early in the network stack, it will mitigate the problem.
If you use path MTU discovery (it is used by default; see sysctl -a), you have to let in the "icmp unreachable need fragmentation" messages, otherwise it won't work.
You can add this for basic network connectivity tests:
icmp echo, icmp echo_reply aka ping
ICMP time exceeded can also be important and you should let it in.
Only ping will elicit an answer, so that will show your presence, but once again I repeat: if you have one open port, you are not stealth anymore, so there is no point.
You could ratelimit all the ICMP that comes in.
You should ratelimit all the ICMP that goes out (icmp echo) so that you are not used as a (D)DoS amplifier.
IGMP: no need.
UDP: well, it depends on whether you have a server running on a UDP port... rare and more risky (but used by DNS responses).
Last edited by nx5000; 07-21-2006 at 01:49 AM.
07-21-2006, 09:14 PM  #3
Member, Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567, Original Poster
Do you know a link where all this is explained?
The point is being reachable just by browser on port 80, just by FTP client on 21, etc. ICMP messages or echo replies give the outside lots of info. For sure I want to understand these techniques of intrusion by ICMP (tools like hping3) more deeply, but if I have a PC online with no public services and I want to be stealthy, I switch it off!
Last edited by gabsik; 07-21-2006 at 09:22 PM.
07-22-2006, 04:10 AM  #4
Member, Registered: Jun 2005, Posts: 542
Always allow ICMP errors & replies. It can be done quickly and in a safe way with iptables:
Code:
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
If you want to be safe, then use the deny-by-default approach: specify the type of traffic you need or like and drop the rest. To be stealth, make sure you DROP these packets (in iptables' terms) rather than REJECT them. If you don't prefer to use deny-by-default, then consider these ICMP types:
On input:
+ Echo, Timestamp, Address Mask & Information requests
+ Redirect, Router advertisement & Router solicitation.
Block them all except Echo requests if you want to ping your machine from the outside.
On output:
+ Destination Unreachable: They are sent in response to closed UDP (& TCP too) port requests.
+ Time Exceeded: Used by traceroute to know it reached the target.
There's more information at:
+ man 7 icmp
+ http://www.frozentux.net/
+ the various ICMP RFCs out there. See http://www.faqs.org/rfcs/rfc-index.html and http://www.networksorcery.com/enp/protocol/icmp.htm
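An added example, not code from any poster in this thread, that pulls together the rate-limiting advice in #2 and the deny-by-default ICMP rules in #4 into one iptables INPUT/OUTPUT policy. The IPT variable, the icmp_rules function and the 5/second limit are my own choices; by default it only prints the commands, and applying them needs IPT=iptables as root.

```shell
#!/bin/sh
# Dry-run by default: prints the iptables commands. Run as root with
# IPT=iptables to actually install the rules (assumed deployment model).
IPT="${IPT:-echo iptables}"

# Usage: icmp_rules yes|no   (whether outside hosts may ping this box)
icmp_rules() {
    allow_ping="${1:-no}"
    # Errors and replies that belong to our own traffic: conntrack marks
    # them RELATED/ESTABLISHED (pong for our ping, port-unreachable, ...).
    $IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Path MTU discovery breaks without "fragmentation needed" (type 3/4),
    # so accept it explicitly even under deny-by-default.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # TTL expiry messages: needed for traceroute and useful diagnostics.
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    if [ "$allow_ping" = "yes" ]; then
        # Answer pings, but rate-limited so a ping flood cannot pin the CPU.
        $IPT -A INPUT -p icmp --icmp-type echo-request \
            -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    fi
    # Silent DROP (not REJECT, which would reveal the host) for everything
    # else: unwanted or over-limit pings, redirects, router advertisements,
    # timestamp and address-mask requests.
    $IPT -A INPUT -p icmp -j DROP
    # Outbound: rate-limit our own echo replies so the host cannot serve
    # as a (D)DoS amplifier even if pings are allowed in.
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
}

# Print (or apply) the policy; first argument selects pingability.
icmp_rules "${1:-no}"
```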