ICMP control messages are generated in response to a number of error conditions, and they are produced by network analysis programs such as ping and traceroute.

Error Status and Control Messages

Four ICMP control and status messages need to pass through the firewall: Source Quench, Parameter Problem, incoming Destination Unreachable, and outgoing Destination Unreachable of subtype Fragmentation Needed. Four other ICMP message types are optional: Echo Request, Echo Reply, other outgoing Destination Unreachable subtypes, and Time Exceeded. Other message types can be ignored, to be filtered out by the default policy. Of the message types that can, or should, be ignored, only redirect is considered dangerous because of its role in denial-of-service attacks as a redirect bomb. (See Chapter 2 for more information on redirect bombs.) As with redirect, the remaining ICMP message types are specialized control and status messages intended for use between routers. The following sections describe the message types important to an endpoint host machine, as opposed to an intermediate router, in more detail.

FRAGMENTED ICMP MESSAGES

An ICMP message will never be fragmented under normal circumstances. An ICMP message should fit entirely within a Layer 2 frame. It's safe to drop fragmented ICMP messages. Such packets are usually used in denial-of-service attacks:

$IPT -A INPUT -i $INTERNET --fragment -p icmp -j LOG \
    --log-prefix "Fragmented ICMP: "
$IPT -A INPUT -i $INTERNET --fragment -p icmp -j DROP

SOURCE QUENCH CONTROL (TYPE 4) MESSAGES

ICMP message type 4, Source Quench, can be sent when a connection source, usually a router, is sending data faster than the next destination router can handle it. Source Quench is used as a primitive form of flow control at the IP Network layer, usually between two adjacent, point-to-point machines:

$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type source-quench -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type source-quench -j ACCEPT

The router's next hop or destination machine sends a Source Quench command. The originating router responds by sending packets at a slower rate, gradually increasing the rate until it receives another Source Quench message. In practice, Source Quench is not much used within the Internet anymore. Flow control is left to the higher-level protocols. The message type is seen on LANs, however.

PARAMETER PROBLEM STATUS (TYPE 12) MESSAGES

ICMP message type 12, Parameter Problem, is sent when a packet is received containing illegal or unexpected data in the header, or when the header checksum doesn't match the checksum generated by the receiving machine:

$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type parameter-problem -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type parameter-problem -j ACCEPT

DESTINATION UNREACHABLE ERROR (TYPE 3) MESSAGES

ICMP message type 3, Destination Unreachable, is a general error status message:

$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

# Don't log dropped outgoing ICMP error messages
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type destination-unreachable -j DROP

The ICMP packet header for type 3 messages, Destination Unreachable, contains an error code field identifying the particular kind of error. Ideally, you'd want to drop outgoing type 3 messages. This message type is what is sent in response to a port scan used to map your service ports or address space. An attacker can create a denial-of-service condition by forcing your system to generate large numbers of these messages by bombarding your unused ports. Worse, an attacker can spoof the source address, forcing your system to send them to the spoofed hosts. Unfortunately, the Destination Unreachable message creates a Catch-22 situation. One of the message subtypes, Fragmentation Needed, is used to negotiate packet fragment size. Your network performance can be seriously degraded without this negotiation.

TIME EXCEEDED STATUS (TYPE 11) MESSAGES

ICMP message type 11, Time Exceeded, indicates a timeout condition, or, more accurately, that a packet's maximum hop count has been exceeded. On networks today, incoming Time Exceeded is mostly seen as the ICMP response to an outgoing UDP traceroute request:

$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type time-exceeded -d $IPADDR -j ACCEPT

If you want to use traceroute, you must allow incoming ICMP Time Exceeded messages. Because your machine is not an intermediate router, you have no other use for Time Exceeded messages.

ping Echo Request (Type 8) and Echo Reply (Type 0) Control Messages

ping uses two ICMP message types. The request message, Echo Request, is message type 8. The reply message, Echo Reply, is message type 0. ping is a simple network-analysis tool dating back to the original DARPANet. The name ping was taken from the idea of the audible ping played back by sonar systems. (DARPA is the Defense Advanced Research Projects Agency, after all.) Similar to sonar, an Echo Request message broadcast to all machines in a network address space generates Echo Reply messages, in return, from all hosts responding on the network.

OUTGOING ping TO REMOTE HOSTS

The following rule pair enables you to ping any host on the Internet:

if [ "$CONNECTION_TRACKING" = "1" ]; then
    # allow outgoing pings to anywhere
    $IPT -A OUTPUT -o $INTERNET -p icmp \
        -s $IPADDR --icmp-type echo-request \
        -m state --state NEW -j ACCEPT
fi

# allow outgoing pings to anywhere
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type echo-request -j ACCEPT

$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type echo-reply -d $IPADDR -j ACCEPT

INCOMING ping FROM REMOTE HOSTS

The approach shown here allows only selected external hosts to ping you:

if [ "$CONNECTION_TRACKING" = "1" ]; then
    # allow incoming pings from trusted hosts
    $IPT -A INPUT -i $INTERNET -p icmp \
        -s $MY_ISP --icmp-type echo-request -d $IPADDR \
        -m state --state NEW -j ACCEPT
fi

# allow incoming pings from trusted hosts
$IPT -A INPUT -i $INTERNET -p icmp \
    -s $MY_ISP --icmp-type echo-request -d $IPADDR -j ACCEPT

$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type echo-reply -d $MY_ISP -j ACCEPT

For the purposes of the example you've been building in this chapter, external hosts allowed to ping your machine are machines belonging to your ISP. Chances are good that your network operations center or customer support will want to ping your external interface. If your machine is a DHCP client, it's possible that the DHCP implementation depends on ping as well. Except for those from your local network neighbors, other incoming Echo Requests are denied. ping has been used in several types of denial-of-service attacks.
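As an added illustration that is not part of the book's firewall script, the following Python model applies the ICMP policy built up in the sections above (fragment drop, Source Quench, Parameter Problem, Destination Unreachable with the Fragmentation Needed exception, Time Exceeded, and the ping rules) to raw IPv4/ICMP datagrams, so you can see which header fields each rule actually keys on. The datagrams are constructed sample input, and the hypothetical trusted_peer flag stands in for the -s/-d $MY_ISP match.

```python
import struct

# ICMP type numbers discussed above; FRAG_NEEDED is the Destination Unreachable code
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST = 0, 3, 4, 8
TIME_EXCEEDED, PARAM_PROBLEM, FRAG_NEEDED = 11, 12, 4
ALWAYS_IN = {SOURCE_QUENCH, PARAM_PROBLEM, DEST_UNREACH, TIME_EXCEEDED, ECHO_REPLY}
ALWAYS_OUT = {SOURCE_QUENCH, PARAM_PROBLEM, ECHO_REQUEST}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; computed over a valid message it folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(icmp_type, code, payload=b"", more_fragments=False, frag_offset=0):
    """Constructed IPv4+ICMP datagram used as sample input (not a real capture)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, flags_frag,
                     64, 1, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + icmp

def classify(packet, direction, trusted_peer=False):
    """ACCEPT or DROP one ICMP datagram under the policy above.
    direction is "in" or "out"; trusted_peer (hypothetical) models the $MY_ISP match."""
    ihl = (packet[0] & 0x0F) * 4
    if struct.unpack("!H", packet[6:8])[0] & 0x3FFF:   # MF bit or fragment offset set
        return "DROP"                                   # fragmented ICMP: always drop
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:      # truncated or corrupted header
        return "DROP"
    itype, code = icmp[0], icmp[1]
    if direction == "in":
        if itype in ALWAYS_IN or (itype == ECHO_REQUEST and trusted_peer):
            return "ACCEPT"
    else:
        if itype in ALWAYS_OUT or (itype == ECHO_REPLY and trusted_peer):
            return "ACCEPT"
        if itype == DEST_UNREACH and code == FRAG_NEEDED:   # keep PMTU negotiation working
            return "ACCEPT"
    return "DROP"   # everything else is left to the default policy
```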