How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets

Post by santa19992 » Tue, 26 Oct 2004 02:13:30


I need to drop "Source quench, Redirect, Timestamp and
Timestamp reply" packets. Do I have to add a separate rule to
iptables? Or, by default, if I don't add any rule, will it drop them
automatically?

Thanks in advance.

Post by Allen Kist » Tue, 26 Oct 2004 05:05:29


There are entries in /proc to disable sending and receiving redirects.
You can set them with sysctl, among other ways.

net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

You must set netfilter rules for the others.
It's worthwhile setting rules for redirects, too. The /proc entry only
applies to packets aimed at your box or coming from your box. They do
nothing for packets traversing your box.


Post by Jens Hoffm » Tue, 26 Oct 2004 05:47:17


Why? This might lead to degraded performance, but not help
security-wise.

http://www.yqcomputer.com/~k-gerhardt/firewall/fw_router.html

has a quite lengthy example.

Greetings,
Jens

Post by santa19992 » Tue, 26 Oct 2004 22:32:21

Could you please let me know which /proc entry tells. I am wondering,
in iptables, do I have to add any rule to drop those four types of
packets? Thanks.

Post by Allen Kist » Wed, 27 Oct 2004 10:26:00


In my previous message I said you could use sysctl with
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

sysctl works on the entries in /proc/sys, so
net.ipv4.conf.default.accept_redirects is
/proc/sys/net/ipv4/conf/default/send_redirects.
There's also an entry in /proc/sys/net/ipv4/conf for each interface.

Insert previous post for netfilter info here.

Post by santa19992 » Thu, 28 Oct 2004 00:24:19

Allen,

I set send_redirects and accept_redirects to zero for the default
interfaces. How about Source Quench and Timestamp packets? Do I have
to set netfilter rules?

Post by Trygve Sel » Thu, 28 Oct 2004 08:53:37


Try something like this:

# Disable source routed packets.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Disable acceptance of ICMP redirects.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
# Don't send redirect packets.
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done

# User-defined chain for ICMP. The final rule drops every type that is
# not explicitly accepted above it, so redirect, timestamp-request and
# timestamp-reply never get through; source-quench is accepted here.
iptables -N ICMP

# Non-first fragments carry no ICMP header to inspect, so drop them.
iptables -A ICMP -p icmp --fragment -j DROP
iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
iptables -A ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
# Default: drop anything not matched above.
iptables -A ICMP -p icmp -j DROP

Then call the ICMP chain from your INPUT and/or FORWARD chain.
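The chain above decides per packet: drop non-first fragments, accept a short list of ICMP types, drop everything else. The following is an added example, not code from the thread: it models that decision in Python over constructed IPv4/ICMP packets so the effect on the four types the original poster asked about (source quench 4, redirect 5, timestamp 13, timestamp reply 14) can be checked without a firewall. Unlike the posted chain, it leaves source-quench off the accept list, as the poster wanted; the packet builder and the ACCEPTED set are this example's own assumptions.

```python
import struct

# ICMP type numbers (RFC 792) for the types discussed in the thread.
ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded",
    12: "parameter-problem", 13: "timestamp-request", 14: "timestamp-reply",
}

# Types explicitly accepted; everything else falls through to DROP, like the
# final "-p icmp -j DROP" rule. Source-quench (4) is deliberately absent here,
# which is what the original poster asked for (the posted chain accepts it).
ACCEPTED = {0, 3, 8, 11, 12}


def build_ipv4_icmp(icmp_type, code=0, frag_offset=0, more_fragments=False):
    """Construct a minimal IPv4 packet carrying an ICMP header (test input only).

    Addresses are from the 192.0.2.0/24 documentation range; checksums are 0.
    """
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)  # type, code, csum, rest
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0x1234, flags_frag, 64, 1, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )
    return ip_hdr + icmp


def icmp_chain_verdict(packet):
    """Mirror the ICMP chain: DROP fragments, ACCEPT listed types, DROP the rest."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if packet[9] != 1:                     # protocol 1 = ICMP; chain is "-p icmp" only
        return "NOMATCH"
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x1FFF:                # offset != 0: second or later fragment,
        return "DROP"                      # which is what iptables --fragment matches
    icmp_type = packet[ihl]
    return "ACCEPT" if icmp_type in ACCEPTED else "DROP"


def verdict_by_name(icmp_type):
    """Convenience: return (type-name, verdict) for a single constructed packet."""
    name = ICMP_TYPES.get(icmp_type, "type-%d" % icmp_type)
    return name, icmp_chain_verdict(build_ipv4_icmp(icmp_type))
```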