I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script...
# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains
# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP
# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Block all other traffic
iptables -A INPUT -j DROP
For context, this machine is a Virtual Private Server Web app host.
In a previous question, Lee B said that I should "lock down ICMP a bit more." Why not just block it altogether? What would happen if I did that (what bad thing would happen)?
If I need to not block ICMP, how could I go about locking it down more?
ICMP is way, way more than "traceroute" and "ping." It is used for feedback when you run a DNS server (port unreachable) which, in a modern DNS server, may actually help select a different machine to query faster.
ICMP is also, as was mentioned above, used for path MTU discovery. Chances are your OS sets "DF" (don't fragment) on TCP packets it sends. It is expecting to get an ICMP "fragmentation required" packet back if something along the path fails to handle that size of packet. If you block all ICMP, your machine will have to use other fallback mechanisms, which basically use a timeout to detect a PMTU "black hole" and will never optimize correctly.
Additionally, you should ask yourself why you want to block ICMP. What specifically are you attempting to prevent here? It's pretty clear you don't understand what ICMP is used for, which is rather common. I'd be extremely cautious in blocking something you don't fully understand.
To make it even harder to learn about this, many common firewall books say "block ICMP" -- it's clear their authors have never read an RFC or had to solve issues surrounding such advice. It's bad advice to block all ICMP.
Now, rate limiting it can also hurt. If your machine is busy, or even if it's not, you can get a good amount of ICMP traffic. My web server probably gets about 10-100 ICMP packets per minute, most of which is PMTU discovery. Even if someone chose to attack my server with ICMP packets of some type, it's really not that big of a deal. If your machine accepts even one TCP connection (ssh, http, mail, etc) chances are that's a bigger attack vector than misunderstood ICMP ever will be.
ICMP is used for a range of diagnostic (eg ping, traceroute) and network control (eg PMTU discovery) functions. Indiscriminate blocking of ICMP causes other people all sorts of heartburn, and unless you know exactly what you're doing, you should leave it alone.
I've never understood why people clock ICMP, as said above it only ever causes headaches to yourself and others. You can determine if a host is up easily enough and so long as it is limited enough as not to be used as a DOS then I've never heard any compelling reasons to block it. (If someone can come up with a reason please post)
you could just try limit-ing icmp that way it can't be used as a DOS attack. but there are way too many troubleshooting tools like ping, mtr (I forget windows equivalent), traceroute (tracert), that use icmp. dropping them entirely is just foolish. It's a good way to check if your instance is up even though you can't telnet on any ports.
to your icmp rule(s) is probably a decent limit given just how much a computer can actually handle.It's a useful diagnostic tool for solving network connectivity issues.
It also allows you to use connections elsewhere on the internet that use smaller MTUs than are on your network. If you try to send a packet somewhere that's too large and can't be fragmented, the device drops the packet and sends an ICMP fragmentation needed packet back to the sender. If you drop all ICMP packets, you lose those and weird things happen on your network.
The real question is "why block ICMP?" What do you gain? Just have good filtering rules at your border and in front of your valued assets.
Here's an alternate viewpoint, in the spirit of what security theory would suggest. Other posters are right that security practice is often overzealous, but there is a good basis to much of it.
The security theory is generally that you only enable WHAT YOU NEED. Other things (which could be useful - e.g., ping responses) can be used by an attacker to scope out your system, or possibly as an attack vector for some yet-to-be-discovered vulnerability.
So, looking at ICMP message types, what do you NEED for normal, proper operation of your system?
...and so on. If you really want to understand this, go learn about the various ICMP types and what they are for. The wikipedia article is a good starting point.
In practice, the really ugly one is redirect; if you want to just do something quick and useful, block that and allow the rest.
I would add that IPtables connection tracking will allow the appropriate return ICMP packets for active connections. So if you are running conntrack, you should be able to block most ICMP inbound, as long as you are accepting RELATED packets (before you block ICMP in your ruleset).
ping is a nice diagnostic tool, you'll really wish you had it someday. I'm using these:
you might also want to throttle it.
Nowadays even limiting the ICMP packets in server side can create headache on DDoS attacks. Attacks mostly done by sending huge window ICMP requests to one server and if the server is trying to respond to each of it, guess what happens?
Main thing that we have a teamspeak server that gets bad packets every single day, there was few days in two months that we had some "freetime". What we had done is completely disabled/blocked ICMP responces, we have no DNS servers on the server, no NTP servers, no mail servers, no FTP servers, only two apache and teamspeak. all ports that is unneeded for the services are off. We are planing to block even the ssh and leave only two ports open. Today there is 21k (!) permanent bans.
The situation is that attackers uses mostly ICMP tunnelings and few really interesting log lines was discussed with the server admins and they said that they have server ICMP requests on, so attackers used that to tunnel the attack troughs them and attack us. Sounds weird but that's true.
If you don't need diagnostics of your server and if you are able to completely block the requests or filter them to drop huge windows for example then do it. I also suggest you to completely block: China, Korea, Thailand, Turkey because majority of the IP Addresses comes from there. I had whole inetnum lists of these countries but almost each day comes some new ones from there.
I say what I do, if you don't agree - don't do it. Simple as that. Good luck
As a minimum, you should allow to pass icmp types 3 (destination unreachable), 4 (source quench) and 11 (time exceeded). All of these types are used to deal with network problems and shouldn't be filtered.
(Source quench type is currently deprecated, but it won't hurt to let this open)
I allow ICMP traffic from local intranet, block it from Internet. That way my server is all but invisible online (it responds only on a non standard SSH port).
This inserts it after the standard loopback, established, LAN whitelist, VOIP provider whitelist, and SSH port ACCEPTs. I allow the traffic I want, and then do my best to keep the server invisible to the rest of the world.