Ping a Specific Port

Question

S19N

Asked: 2014-09-17 08:05:19 +0800 CST2014-09-17 08:05:19 +0800 CST 2014-09-17 08:05:19 +0800 CST

iptables, ICMP and RELATED

772

I am using the following simple iptables rule that accepts related packets:

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I am letting ICMP echo-requests pass with this other rule:

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Should I explicitly add anything to receive "useful" ICMP messages like destination-unreachable, time-exceeded and parameter-problem, or the RELATED clause will already accept them?

5 Answers

Voted

thanasisk · Answer 1 · 2014-10-01T01:42:51+08:00

Best Answer

thanasisk

2014-10-01T01:42:51+08:002014-10-01T01:42:51+08:00

http://www.linuxtopia.org/Linux_Firewall_iptables/x1571.html

Another hugely important part of ICMP is the fact that it is used to tell the hosts what happened to specific UDP and TCP connections or connection attempts. For this simple reason, ICMP replies will very often be recognized as RELATED to original connections or connection attempts. A simple example would be the ICMP Host unreachable or ICMP Network unreachable. These should always be spawned back to our host if it attempts an unsuccessful connection to some other host, but the network or host in question could be down, and hence the last router trying to reach the site in question will reply with an ICMP message telling us about it. In this case, the ICMP reply is considered as a RELATED packet

8

jjmontes · Answer 2 · 2014-10-02T05:07:43+08:00

The RELATED rule will take care of the associated ICMP messages by default. From iptables man page, in the section related to conntrack (http://linux.die.net/man/8/iptables):

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

Other states reported by conntrack are:

INVALID meaning that the packet is associated with no known connection
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions
SNAT A virtual state, matching if the original source address differs from the reply destination
DNAT A virtual state, matching if the original destination differs from the reply source

You can examine and manage the conntrack table using the conntrack package.

$ sudo conntrack -L

Jorge Nerín · Answer 3 · 2014-10-05T11:14:10+08:00

Jorge Nerín

2014-10-05T11:14:10+08:002014-10-05T11:14:10+08:00

In general is a very bad idea to filter or block icmp, usually the only "valid" bit of icmp to filter is echo-request to "appear" down in a naïve scan.

But if you want to explicit allow parts of it you are missing at least two very important bits, fragmentation needed & Source Quench:

-A INPUT -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type source-quench -m state --state NEW -j ACCEPT

Let me tell you again that filtering icmp is a bad idea that will mask problems and make it difficult to discover.

That was the problem with DF (don't fragment) and fragmentation-needed which is needed for automatic PTMU discovery and caused sites to be inaccessible because intermediate firewalls/routers dropped the icmp packets advertising the endpoint to lower the MTU.

2

S19N · Answer 4 · 2014-10-07T14:40:59+08:00

S19N

2014-10-07T14:40:59+08:002014-10-07T14:40:59+08:00

I'll add my own answer to provide my final configuration, inspired by other answers and the following sources:

an expired draft by IETF with a useful table which shows which ICMP types allow, deny or rate limit;
another page with the minimum lines for iptables and Cisco IOS;

a third resource which uses RELATED:

iptables -P INPUT DROP
iptables -A INPUT -p icmp --fragment -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

2

Asad Moeen · Answer 5 · 2014-10-05T23:00:48+08:00

Asad Moeen

2014-10-05T23:00:48+08:002014-10-05T23:00:48+08:00

ICMP is a very important connection protocol. The "echo-request" is the only important useful message that helps communication. Rest of them including "destination-unreachable" is safe to block specially if the application you're running receives a large number of unknown hits.

You're better off with something like this,

-A INPUT -p icmp --icmp-type echo-request -m recent --set 
-A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 1 --hitcount 30 -j DROP 

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

-A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
-A INPUT -p icmp -j DROP

This would not only accept "echo-request" but also block ping floods greater than 30 packets/s. Anything else you want to add has to explicitly be accepted because the RELATED clause will not receive them as long as the connection is established by letting it in.

-1

iptables, ICMP and RELATED

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?