Why not block ICMP?

security linux firewall iptables icmp

I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script...

# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains

# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP

# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block all other traffic 
iptables -A INPUT -j DROP

For context, this machine is a Virtual Private Server Web app host.

In a previous question, Lee B said that I should "lock down ICMP a bit more." Why not just block it altogether? What would happen if I did that (what bad thing would happen)?

If I need to not block ICMP, how could I go about locking it down more?


Solution 1:

ICMP is way, way more than "traceroute" and "ping." It is used for feedback when you run a DNS server (port unreachable) which, in a modern DNS server, may actually help select a different machine to query faster.

ICMP is also, as was mentioned above, used for path MTU discovery. Chances are your OS sets "DF" (don't fragment) on TCP packets it sends. It is expecting to get an ICMP "fragmentation required" packet back if something along the path fails to handle that size of packet. If you block all ICMP, your machine will have to use other fallback mechanisms, which basically use a timeout to detect a PMTU "black hole" and will never optimize correctly.

Additionally, you should ask yourself why you want to block ICMP. What specifically are you attempting to prevent here? It's pretty clear you don't understand what ICMP is used for, which is rather common. I'd be extremely cautious in blocking something you don't fully understand.

To make it even harder to learn about this, many common firewall books say "block ICMP" -- it's clear their authors have never read an RFC or had to solve issues surrounding such advice. It's bad advice to block all ICMP.

Now, rate limiting it can also hurt. If your machine is busy, or even if it's not, you can get a good amount of ICMP traffic. My web server probably gets about 10-100 ICMP packets per minute, most of which is PMTU discovery. Even if someone chose to attack my server with ICMP packets of some type, it's really not that big of a deal. If your machine accepts even one TCP connection (ssh, http, mail, etc) chances are that's a bigger attack vector than misunderstood ICMP ever will be.

Solution 2:

ICMP is used for a range of diagnostic (eg ping, traceroute) and network control (eg PMTU discovery) functions. Indiscriminate blocking of ICMP causes other people all sorts of heartburn, and unless you know exactly what you're doing, you should leave it alone.

Solution 3:

I've never understood why people clock ICMP, as said above it only ever causes headaches to yourself and others. You can determine if a host is up easily enough and so long as it is limited enough as not to be used as a DOS then I've never heard any compelling reasons to block it. (If someone can come up with a reason please post)

Solution 4:

you could just try limit-ing icmp that way it can't be used as a DOS attack. but there are way too many troubleshooting tools like ping, mtr (I forget windows equivalent), traceroute (tracert), that use icmp. dropping them entirely is just foolish. It's a good way to check if your instance is up even though you can't telnet on any ports.

--limit 10/second
to your icmp rule(s) is probably a decent limit given just how much a computer can actually handle.

Related

iptables - Target to route packet to specific interface?
REJECT vs DROP when using iptables
What tool do you recommend to track changes on a Linux/Unix server
Multiple data centers and HTTP traffic: DNS Round Robin is the ONLY way to assure instant fail-over?
Generating a self-signed cert with openssl that works in Chrome 58
Allow SFTP but disallow SSH?
iptables Tips & Tricks [closed]
ssh delay when connecting
3rd party SSD drive in HP Proliant server only shows 3G transfer speed
Redirecting from http to https in Apache
Can I SSH into my Amazon EC2 server instance if I don't have .pem file from when instance was created?
What is Apache's equivalent of Nginx's try_files?