
I'm configuring iptables for an Ubuntu Server VPS. It runs sshd and various Dockerised web apps. It is not a router, and is not part of a complicated network.

After researching the topic, I decided to respect ICMP.

However, I'm using a whitelist, and only ACCEPT specific traffic:

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# ...then ACCEPT specific incoming traffic

What about ICMP? I could REJECT a few types and whitelist the rest:

-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT
-A INPUT -p icmp -j ACCEPT

But that defeats the whitelist... So I want to do it the other way round.

Most ICMPv4 types have been deprecated. So creating a whitelist is easy, I just need guidance.

The major types, from iptables -p icmp -h:

 0  =  echo-reply (pong)        # indirectly accepted by ESTABLISHED,RELATED rule
 3  =  destination-unreachable  # `ACCEPT`, especially code 4
 4  =  source-quench
 5  =  redirect
 8  =  echo-request (ping)      # `ACCEPT`
 9  =  router-advertisement
10  =  router-solicitation
11  =  time-exceeded            # indirectly accepted by ESTABLISHED,RELATED rule
12  =  parameter-problem        # `ACCEPT`
13  =  timestamp
14  =  timestamp-reply
17  =  address-mask-request
18  =  address-mask-reply
...    many more

What I'll do:

  • types 3, 8, 12: must ACCEPT
  • types 0, 11: automatically ACCEPT by separate ESTABLISHED,RELATED rule
  • other types: default policy will REJECT (rather than DROP), with message --reject-with icmp-proto-unreachable

Which other types should I ACCEPT? (And am I accepting types or codes that I should not?)


UPDATE 1

No this is not a duplicate. It is about whitelisting important incoming ICMP traffic, and rejecting the rest.

Maybe as per @poige's comments, some items in my list are unnecessary as they are responses (like echo-reply). That is part of my question, please advise me what to put in the whitelist. If it is already covered by ESTABLISHED,RELATED then please advise me to remove it from the whitelist.


UPDATE 2

To avoid more unnecessary confrontation as below with @poige, here is the question put simply:

"I'm using a whitelist approach - so by default everything is dropped. But I don't want icmp traffic to be dropped. So I'd like advice as to what to put into the whitelist."

lonix

1 Answer


I wanted to know which icmp types to whitelist, and listed examples - but a whitelist isn't ideal for icmp.

This rule is typically added in the beginning:

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

And that covers most (all?) modern/non-deprecated ICMPv4 types, because they are in response to connections initiated by the local server. That was the part I didn't realise, and so my question was not about what to add to the whitelist, but what to remove (almost everything).

There is one exception, echo-request, which isn't initiated by the local server.

So I'm still using a whitelist (default drop, and accept specific traffic), except for the ICMP parts (reject some types, and accept the rest):

*filter

# default drop (so can create a whitelist)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# this automatically accepts all icmpv4 types other than echo-request
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# accept specific traffic...

# icmp: reject redirects and accept the rest (basically a blacklist)
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j ACCEPT

# accept specific traffic...

COMMIT

lonix
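To check what the answer's ruleset actually does to a given ICMP type, here is an added example (not code from the original post) that parses the iptables-restore text above and applies first-match semantics to an incoming packet described by its ICMP type and conntrack state. The RULESET string is the answer's own; the evaluator only understands the matchers the page uses (-p, --icmp-type, --ctstate), which is an assumption of this example, not of iptables.

```python
# Added example, not code from the original post: a small first-match evaluator
# for the iptables-restore ruleset given in the answer. It only understands the
# matchers the page uses (-p, --icmp-type, --ctstate) and the chain policy.
import shlex
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j ACCEPT
COMMIT
"""
# iptables option -> key under which its value is stored in a parsed rule
MATCHERS = {"-p": "proto", "--icmp-type": "icmp_type", "--ctstate": "ctstate", "-j": "target"}

def parse(text):
    """Return chain policies and rules (each a dict of the matchers it uses)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                   # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):                # "-A CHAIN <matchers> -j TARGET"
            argv = shlex.split(line)
            rule = {"chain": argv[1]}
            for i, tok in enumerate(argv[:-1]):
                if tok in MATCHERS:
                    rule[MATCHERS[tok]] = argv[i + 1]
            if "ctstate" in rule:                  # "ESTABLISHED,RELATED" -> set
                rule["ctstate"] = set(rule["ctstate"].split(","))
            rules.append(rule)
    return policies, rules

def verdict(policies, rules, chain, proto, icmp_type, ctstate):
    """First matching rule wins; if no rule matches, the chain policy applies."""
    for r in rules:
        if r["chain"] != chain or r.get("proto", proto) != proto:
            continue
        if r.get("icmp_type", icmp_type) != icmp_type:
            continue
        if ctstate not in r.get("ctstate", {ctstate}):  # absent matcher = any state
            continue
        return r["target"]
    return policies[chain]

def icmp_verdict(icmp_type, ctstate="NEW"):
    # Verdict for an incoming ICMPv4 packet of the given type and conntrack state.
    policies, rules = parse(RULESET)
    return verdict(policies, rules, "INPUT", "icmp", icmp_type, ctstate)
```

Running icmp_verdict("echo-request") gives ACCEPT, icmp_verdict("redirect") gives REJECT, and a RELATED destination-unreachable is accepted by the conntrack rule before the ICMP rules are reached; a NEW TCP packet with no matching rule falls through to the chain's DROP policy.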