Fedora Linux Support Community & Resources Center

  #1  
8th June 2005, 11:28 AM
GiLuX
Registered User
 
Join Date: May 2004
Posts: 82
iptables finetuning, blocking icmp?

I'm running a simple web and mail server on FC3.

Right now I'm allowing all ICMP traffic to pass through iptables, but I wondered what ICMP traffic I might block to fine-tune the firewall some more.

For this server to perform its duty properly, what ICMP traffic should be accepted at least, and what can safely be dropped at most?

I'm not too familiar with ICMP, so any advice and/or examples would be welcome.
  #2  
8th June 2005, 12:56 PM
rae
Registered User
 
Join Date: Dec 2004
Posts: 86
Go into your command line and type 'info icmp', then after that 'man icmp'. That will give you more than enough info to start.

rae
  #3  
9th June 2005, 04:49 PM
GiLuX
Registered User
 
Join Date: May 2004
Posts: 82
Sorry,
maybe I was a little too harsh here...

My apologies for this, I don't know what had gotten into me...

Last edited by GiLuX; 13th June 2005 at 12:54 PM.
  #4  
9th June 2005, 04:59 PM
fsck
Registered User
 
Join Date: May 2005
Location: London, UK
Posts: 704
Quote:
Originally Posted by GiLuX
ehr...
man pages are usually just a short description (if you are lucky) and a brief explanation of the switches...
especially this man page doesn't give you really anything to go on.
I can't see how it could even remotely answer my question.
see my sig.
Quote:
so, let me rephrase,
what implications are to be expected from blocking ICMP altogether or leaving it totally open, because I can't find it in the man page.
You know your setup better than us, so you should know if you have any dependency on ICMP traffic.
Quote:
sure I could take an extensive course on ICMP that will answer my question in 2 months or so when we get to the part I'm concerned about right now...
If it takes 2 months to learn all there is to know about ICMP, then you have bigger problems than just running an efficient server.
Quote:
(snip)
my guess is that you just gave me this answer because you don't know yourself and telling someone to rtfm is a lot easier.

(sorry for flaming, I just hope you get my point)
And I hope you don't expect anyone to give you a sensible answer if you treat us like *****, my friend. Go crawl back under your rock. You'll get no help from me.
__________________
Want to get better answers? Learn to ask better questions!
fukka.co.uk for spamassassin rules and random garbage.
  #5  
9th June 2005, 08:23 PM
GiLuX
Registered User
 
Join Date: May 2004
Posts: 82
Sorry...
I overreacted...

Last edited by GiLuX; 13th June 2005 at 12:44 PM.
  #6  
9th June 2005, 08:44 PM
bubudiu
Registered User
 
Join Date: Apr 2005
Posts: 176
Quote:
Originally Posted by GiLuX
I'm running a simple web and mail server on FC3.

Right now I'm allowing all ICMP traffic to pass through iptables, but I wondered what ICMP traffic I might block to fine-tune the firewall some more.

For this server to perform its duty properly, what ICMP traffic should be accepted at least, and what can safely be dropped at most?

I'm not too familiar with ICMP, so any advice and/or examples would be welcome.
ICMP from http://en.wikipedia.org/wiki/ICMP :-

Quote:
Originally Posted by wikipedia
The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages -- indicating, for instance, that a requested service is not available or that a host or router could not be reached.

ICMP differs in purpose from TCP and UDP in that it is usually not used directly by user network applications. One exception is the ping tool, which sends ICMP Echo Request messages (and receives Echo Response messages) to determine whether a host is reachable and how long packets take to get to and from that host.
=> You can configure your firewall to allow/disallow ICMP stuff like echoes and pings (as you can see, there are types of ICMP traffic).

=> In your case I'd be more concerned with spamming/brute-force attempts on sendmail (or whatever server you have) from known troublemakers, in which case iptables is extremely useful in dropping connections.
__________________
RH9 -> FC3 -> FC6 (Jan 2007) Catch me Here

FC3 Firefox Start Page | Download | FC3 Hardening Guide | FC3 Kernel Recompile Guide

Capt Bubudiu "Sheriff"
  #7  
11th June 2005, 02:25 PM
alphonsebrown
Registered User
 
Join Date: Feb 2005
Location: Sofia, Bulgaria
Age: 29
Posts: 791
# Path to the sysctl binary; every line below relies on this variable being set.
SYSCTL=/sbin/sysctl

# Do not respond to directed broadcasts.
$SYSCTL -q -w net.ipv4.icmp_echo_ignore_broadcasts=1

# Enable ICMP bad error message protection
$SYSCTL -q -w net.ipv4.icmp_ignore_bogus_error_responses=1

# Disable ICMP redirect acceptance
$SYSCTL -q -w net.ipv4.conf.all.accept_redirects=0

# Disable response to PINGs
$SYSCTL -q -w net.ipv4.icmp_echo_ignore_all=1
# Enable response to PINGs (use this line instead of the previous one to keep ping working)
#$SYSCTL -q -w net.ipv4.icmp_echo_ignore_all=0
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190
  #8  
13th June 2005, 12:51 PM
GiLuX
Registered User
 
Join Date: May 2004
Posts: 82
Thanks for the replies.

I guess I assumed that this could only be controlled through iptables.

So, from what I understand now, you either set a parameter directly in /proc/sys/net/ipv4/,
or
use sysctl,
or
do it with iptables rules.

Does it really matter which of the above you use?

Sorry for overreacting (assumption is the mother of all screw-ups).
__________________
i know nothing, what does this mean?
linux user 392251
  #9  
13th June 2005, 02:05 PM
VN-Frank
Registered User
 
Join Date: Jun 2005
Location: Viet Nam
Posts: 118
Quote:
Originally Posted by GiLuX
I'm running a simple web and mail server on FC3.

Right now I'm allowing all ICMP traffic to pass through iptables, but I wondered what ICMP traffic I might block to fine-tune the firewall some more.

For this server to perform its duty properly, what ICMP traffic should be accepted at least, and what can safely be dropped at most?

I'm not too familiar with ICMP, so any advice and/or examples would be welcome.
I'm delighted to find your truly relevant question here. Most people forget ICMP, and this protocol is actually the most valuable probing facility for any intelligent hardcore hacker.

"ping" and "traceroute" are still enabled in the scenario below, and that should be disabled in your case too when running active services for the outside world. Here you see me using "accept" as default, while each chain always ends with some final DROP statement. Just a question of style/personal preference. This way, your connections don't get reset when bringing it up and down while you're online.
This here works well in practice for me, and I'm proceeding to close it even more later.

Change the rate limits to fit YOUR case, OK!

To tighten up that ICMP part, I suggest the following as a first practicable quick fix / guideline:

*filter
:VDIT-Firewall-INPUT - [0:0]
:VDIT-Firewall-ICMP-IN - [0:0]
:VDIT-Firewall-ICMP-OUT - [0:0]

# Hooks into the built-in chains. The VDIT-Firewall-INPUT chain belongs to the
# rest of the rule set (not shown in the post); it is declared and hooked from
# INPUT here only so this fragment loads on its own with iptables-restore.
-A INPUT -j VDIT-Firewall-INPUT
-A VDIT-Firewall-INPUT -p icmp -j VDIT-Firewall-ICMP-IN
-A OUTPUT -p icmp -j VDIT-Firewall-ICMP-OUT

# Inbound: echo request (ping) accepted at most 1/sec, the excess dropped;
# echo reply (0), destination unreachable (3, which includes 3/4 "fragmentation
# needed" used by path MTU discovery), time exceeded (11) and parameter
# problem (12) accepted. The type/code lines (3/0 ... 3/13, 11/0, 11/1, 12/0,
# 12/1) are already covered by the type-only rule above each group and never
# match; they are kept as posted. Everything else inbound is dropped.
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 8 -j DROP
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/0 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/1 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/2 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/5 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/6 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/7 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/9 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/10 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/11 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/12 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/13 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 12/0 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 12/1 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -j DROP

# Outbound: the unreachable / time-exceeded errors this host emits are
# rate-limited to 1/sec so a port scan cannot make it answer with a flood of
# errors; echo reply/request, 3/4 and parameter problem are unrestricted.
# Everything else outbound is dropped.
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 3/0 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 3/1 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 3/2 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 3/3 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 3/11 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 12/0 -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -m icmp --icmp-type 12/1 -j ACCEPT
-A VDIT-Firewall-ICMP-OUT -p icmp -j DROP
COMMIT


Kind Regards,
Frank
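A reviewer's reading aid for a chain like Frank's, added here as an example that is not code from Frank or from the forum: a small shell/awk linter that walks an iptables-save fragment in first-match order and reports, per ICMP type, the effective verdict, which types are rate-limited and what catches the excess, which type/code lines are shadowed by a broader rule above them (as the 3/0 to 3/13, 11/x and 12/x lines are in the chain above), and whether the types a server relies on (3, 3/4, 11) are accepted at all. The chain name follows the post; the sample rule set is constructed for the demo and is only a cut-down sketch of the posted chain, and the symbolic-name table is an assumption that covers just a few common iptables type names.

```shell
#!/bin/sh
# Added example (not Frank's or the forum's code): lint the inbound ICMP chain
# of an iptables-save fragment the way a reviewer reads it, first match wins.
# Assumption: rule text is in iptables-save form as in Frank's post.

# Constructed sample modelled on the VDIT-Firewall-ICMP-IN chain (not the full
# posted chain): rate-limited ping, a redundant 3/4 line, default drop.
SAMPLE_RULES='
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 8 -j DROP
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A VDIT-Firewall-ICMP-IN -p icmp -j DROP
'

# lint_icmp_chain CHAIN   (rules on stdin)
# Prints one line per ICMP type in first-match order:
#   "TYPE VERDICT [limit=RATE]"   first terminating rule for the type
#   "TYPE over-limit VERDICT"     the rule that catches what a rate limit rejects
#   "TYPE shadowed by BASE"       a type/code rule a broader rule already covers
#   "default VERDICT"             the rule with no --icmp-type at all
lint_icmp_chain() {
    awk -v chain="$1" '
    BEGIN {
        # A few symbolic names iptables accepts, normalised to numbers
        # (assumption: partial list, extend as needed).
        name["echo-reply"] = "0"; name["destination-unreachable"] = "3"
        name["fragmentation-needed"] = "3/4"; name["echo-request"] = "8"
        name["time-exceeded"] = "11"; name["parameter-problem"] = "12"
    }
    $1 == "-A" && $2 == chain {
        type = "*"; limit = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--icmp-type")  type = $(i + 1)
            else if ($i == "--limit") limit = $(i + 1)
            else if ($i == "-j")      target = $(i + 1)
        }
        if (type in name) type = name[type]
        # Only terminating targets decide a packet; LOG and friends fall through.
        if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
        base = type; sub(/\/.*/, "", base)
        label = (type == "*") ? "default" : type
        if (type != base && (base in final)) { print label, "shadowed by", base; next }
        if (type in final)   { print label, "shadowed by earlier rule"; next }
        if (type in limited) { print label, "over-limit", target; final[type] = 1; next }
        if (limit != "") { print label, target, "limit=" limit; limited[type] = 1 }
        else             { print label, target; final[type] = 1 }
    }'
}

# icmp_missing_required CHAIN "TYPE TYPE ..."   (rules on stdin)
# Reports required types with no ACCEPT, directly or via their base type, and
# returns how many are missing. A server needs at least 3 (including 3/4 for
# path MTU discovery) and 11 (time exceeded) to behave correctly.
icmp_missing_required() {
    verdicts=$(lint_icmp_chain "$1")
    missing=0
    for t in $2; do
        printf '%s\n' "$verdicts" | grep -Eq "^(${t}|${t%%/*}) ACCEPT" ||
            { echo "required ICMP type $t is not accepted"; missing=$((missing + 1)); }
    done
    return $missing
}

printf '%s\n' "$SAMPLE_RULES" | lint_icmp_chain VDIT-Firewall-ICMP-IN
printf '%s\n' "$SAMPLE_RULES" | icmp_missing_required VDIT-Firewall-ICMP-IN "3 3/4 11 13" ||
    echo "$? required type(s) missing"
```

On a live box the same functions read the real rule set: `iptables-save | lint_icmp_chain VDIT-Firewall-ICMP-IN` (as root). A type reported as "shadowed" is dead weight that can be deleted without changing behaviour; a required type reported as missing is what makes PMTU discovery or traceroute replies silently break behind an over-tight ICMP policy.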
  #10  
13th June 2005, 02:15 PM
VN-Frank
Registered User
 
Join Date: Jun 2005
Location: Viet Nam
Posts: 118
Both are relevant:

/etc/sysctl.conf

the kernel parameters (ICMP related) you want to have set automatically and permanently on boot (the ones that deviate from the kernel's built-in defaults)

iptables

the filtering/mangling for all network protocols (including ICMP)

Try running:

sysctl -a | grep icmp


Kind Regards,
Frank
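To make Frank's point concrete, here is an added example that is not Frank's or alphonsebrown's code: `sysctl -w key=value`, `echo value > /proc/sys/...` and a `key = value` line in /etc/sysctl.conf all set the same kernel knob, and the /proc path is nothing more than the dotted key with the dots turned into slashes. The script audits the three unambiguous hardening settings from alphonsebrown's post against what the kernel currently reports, prints OK, MISMATCH or MISSING per key together with the exact `sysctl -w` that would fix any drift, and returns the number of keys that are off. It assumes /proc/sys is the live sysctl tree; the PROC_SYS_ROOT override and the wanted-values text are my additions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): audit ICMP-related
# sysctls against the values the kernel currently reports under /proc/sys,
# which is the same tree `sysctl -w` and `echo > /proc/sys/...` both write to.
# Assumption: /proc/sys is the live tree; overridable for auditing a copy.
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Wanted values in /etc/sysctl.conf syntax (this text works unchanged in that
# file, which is how they are made permanent across reboots). Constructed
# from alphonsebrown's script earlier in the thread.
WANTED_ICMP_SYSCTLS='
# Do not answer echo requests sent to a broadcast address (amplification source).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Silently ignore malformed ICMP error responses instead of logging each one.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Never let an ICMP redirect alter the routing table.
net.ipv4.conf.all.accept_redirects = 0
'

# Map a dotted sysctl key to its /proc/sys file:
#   net.ipv4.icmp_echo_ignore_all -> $PROC_SYS_ROOT/net/ipv4/icmp_echo_ignore_all
# (Interface names containing dots, e.g. a VLAN "eth0.100", need the
# slash-separated spelling sysctl supports; that case is not handled here.)
sysctl_key_to_path() {
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the current value of a key; print nothing and return 1 if the key is
# absent from the tree (module not loaded, older kernel, no permission).
sysctl_current() {
    path=$(sysctl_key_to_path "$1")
    [ -r "$path" ] || return 1
    tr -d '[:space:]' < "$path"
}

# Compare every "key = value" line of $1 against the tree. Prints one line per
# key (OK / MISMATCH / MISSING) and returns the number of keys not as wanted.
audit_sysctls() {
    bad=0
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac      # skip blanks and comments
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        case $key in ''|\#*) continue ;; esac          # comment containing "="
        if ! have=$(sysctl_current "$key"); then
            printf 'MISSING  %s (%s)\n' "$key" "$(sysctl_key_to_path "$key")"
            bad=$((bad + 1))
        elif [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s = %s, wanted %s  (fix: sysctl -w %s=%s)\n' \
                "$key" "$have" "$want" "$key" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    return $bad
}

audit_sysctls "$WANTED_ICMP_SYSCTLS" || echo "$? setting(s) differ from the wanted hardening"
```

Run it as is to check a live host, or point PROC_SYS_ROOT at a copy of /proc/sys taken from another machine. Because the audit and the remediation use the same dotted key, the "fix" it prints is exactly the line that belongs in /etc/sysctl.conf once the drift is understood; whichever of the three ways GiLuX listed you use, the kernel sees the same write.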
  #11  
14th June 2005, 05:28 AM
alphonsebrown
Registered User
 
Join Date: Feb 2005
Location: Sofia, Bulgaria
Age: 29
Posts: 791
Well, you can have a script to configure both at the same time: IPT and SYSCTL.

VN-Frank: how do you find my rules for ICMP? It's not the complete set like yours, but I also limit the rate.
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

Tags
blocking, finetuning, icmp, iptables
