iptables, ICMP and RELATED

iptables icmp

I am using the following simple iptables rule that accepts related packets:

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I am letting ICMP echo-requests pass with this other rule:

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Should I explicitly add anything to receive "useful" ICMP messages like destination-unreachable, time-exceeded and parameter-problem, or the RELATED clause will already accept them?


Solution 1:

http://www.linuxtopia.org/Linux_Firewall_iptables/x1571.html

Another hugely important part of ICMP is the fact that it is used to tell the hosts what happened to specific UDP and TCP connections or connection attempts. For this simple reason, ICMP replies will very often be recognized as RELATED to original connections or connection attempts. A simple example would be the ICMP Host unreachable or ICMP Network unreachable. These should always be spawned back to our host if it attempts an unsuccessful connection to some other host, but the network or host in question could be down, and hence the last router trying to reach the site in question will reply with an ICMP message telling us about it. In this case, the ICMP reply is considered as a RELATED packet

Solution 2:

The RELATED rule will take care of the associated ICMP messages by default. From iptables man page, in the section related to conntrack (http://linux.die.net/man/8/iptables):

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

Other states reported by conntrack are:

  • INVALID meaning that the packet is associated with no known connection
  • ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions
  • NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions
  • SNAT A virtual state, matching if the original source address differs from the reply destination
  • DNAT A virtual state, matching if the original destination differs from the reply source

You can examine and manage the conntrack table using the conntrack package.

$ sudo conntrack -L

Solution 3:

In general is a very bad idea to filter or block icmp, usually the only "valid" bit of icmp to filter is echo-request to "appear" down in a naïve scan.

But if you want to explicit allow parts of it you are missing at least two very important bits, fragmentation needed & Source Quench:

-A INPUT -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type source-quench -m state --state NEW -j ACCEPT

Let me tell you again that filtering icmp is a bad idea that will mask problems and make it difficult to discover.

That was the problem with DF (don't fragment) and fragmentation-needed which is needed for automatic PTMU discovery and caused sites to be inaccessible because intermediate firewalls/routers dropped the icmp packets advertising the endpoint to lower the MTU.

Related

How to configure postfix to throw away all email to one domain and relay all other email?
Private DNS zone that resolves private subdomains, and forwards to public nameserver for existing public subdomains
Uninstall ruby from source
Adding local users / passwords on Kerberized Linux box
Replace old SSL certificate in IIS6
Questions about single point of failure for small operations
Fix error determining whether the target environment requires adprep in windows server 2012, during domain controller promotion
What's your best practice Recovery Model for SharePoint databases
Unable to start rabbitmq-server on Ubuntu 12.04
What are the possible reasons why Hyper-V can't compact a VHD?
Should I use the CentOS package version in the (official) repositories, or the latest stable versions of the packages?
Changing the login timeout for Windows Remote Desktop Services