```
:icmp-in - [0:0]
:icmp-out - [0:0]
```
Then I create some allow rules so that all ICMP traffic is allowed within my own network. Adding the first rule for lo (loopback) is really important if you are going to start blocking ICMP. The last two rules here allow ICMP traffic outbound and any subsequent inbound traffic (ESTABLISHED, RELATED).
```
-A INPUT -i lo -p icmp -j icmp-in
-A INPUT -p icmp --icmp-type 8 -s 10.0.0.0/8 -i eth0 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```
Next I go down the table of ICMP types (see the end of this post) and decide whether to accept, reject or return the packets based on their type.
```
-A icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp-in -p icmp -m icmp --icmp-type 3 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 4 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp-in -p icmp -m icmp --icmp-type 11 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 12 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 14 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 16 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 18 -j RETURN
-A icmp-out -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp-out -p icmp -m icmp --icmp-type 4 -j RETURN
-A icmp-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp-out -p icmp -m icmp --icmp-type 12 -j RETURN
-A icmp-out -p icmp -m icmp --icmp-type 13 -j RETURN
-A icmp-out -p icmp -m icmp --icmp-type 15 -j RETURN
-A icmp-out -p icmp -m icmp --icmp-type 17 -j RETURN
```
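To see where an ICMP type actually ends up once a rule RETURNs from icmp-in, here is an added Python simulator (example code, not from the post) that walks the INPUT chain and the icmp-in chain above with iptables' jump and RETURN semantics. The rule lines are copied from the post; the INPUT policy of DROP and the packets fed to `decide()` are assumptions.

```python
import ipaddress
import shlex
# The post's INPUT rules and icmp-in chain, copied verbatim (icmp-out omitted: no rule shown jumps to it)
RULES = """
-A INPUT -i lo -p icmp -j icmp-in
-A INPUT -p icmp --icmp-type 8 -s 10.0.0.0/8 -i eth0 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp-in -p icmp -m icmp --icmp-type 3 -j RETURN
-A icmp-in -p icmp -m icmp --icmp-type 8 -j ACCEPT
"""
INPUT_POLICY = "DROP"  # assumption: the post does not show its INPUT policy

def parse(text):
    """Group iptables-save style '-A' lines into {chain: [rule dicts]}."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        # every option used here takes one value; '-m' only loads a match module
        rule = {k: v for k, v in zip(toks[2::2], toks[3::2]) if k != "-m"}
        chains.setdefault(toks[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """Apply the match options the post uses: -i, -s, --icmp-type, --state."""
    return (("-i" not in rule or rule["-i"] == pkt["iface"])
            and ("-s" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["-s"]))
            and ("--icmp-type" not in rule or int(rule["--icmp-type"]) == pkt["type"])
            and ("--state" not in rule or pkt["state"] in rule["--state"].split(",")))

def walk(chains, chain, pkt):
    """Verdict from one chain, or None if it RETURNs or runs off the end."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target == "RETURN":
            return None
        if target not in chains:      # built-in target: ACCEPT, DROP, REJECT
            return target
        verdict = walk(chains, target, pkt)   # user-defined chain: recurse
        if verdict is not None:
            return verdict            # else the sub-chain RETURNed: keep walking
    return None

def decide(iface, src, icmp_type, state="NEW"):
    """Final fate of an inbound ICMP packet: chain verdict, else INPUT policy."""
    pkt = {"iface": iface, "src": src, "type": icmp_type, "state": state}
    return walk(parse(RULES), "INPUT", pkt) or INPUT_POLICY
```

A type that RETURNs from icmp-in is neither accepted nor dropped by that chain; it continues through the remaining INPUT rules and, if nothing else matches, ends at the chain policy.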
Many ICMP types have a "code" field. Here is a list of the types with their assigned code values.
Type | Name | Codes
---|---|---
0 | Echo Reply | 0 No Code
1 | Unassigned |
2 | Unassigned |
3 | Destination Unreachable | 0 Net Unreachable; 1 Host Unreachable; 2 Protocol Unreachable; 3 Port Unreachable; 4 Fragmentation Needed and Don't Fragment was Set; 5 Source Route Failed; 6 Destination Network Unknown; 7 Destination Host Unknown; 8 Source Host Isolated; 9 Communication with Destination Network is Administratively Prohibited; 10 Communication with Destination Host is Administratively Prohibited; 11 Destination Network Unreachable for Type of Service; 12 Destination Host Unreachable for Type of Service; 13 Communication Administratively Prohibited; 14 Host Precedence Violation; 15 Precedence cutoff in effect
4 | Source Quench | 0 No Code
5 | Redirect | 0 Redirect Datagram for the Network (or subnet); 1 Redirect Datagram for the Host; 2 Redirect Datagram for the Type of Service and Network; 3 Redirect Datagram for the Type of Service and Host
6 | Alternate Host Address | 0 Alternate Address for Host
7 | Unassigned |
8 | Echo | 0 No Code
9 | Router Advertisement | 0 Normal router advertisement; 16 Does not route common traffic
10 | Router Selection | 0 No Code
11 | Time Exceeded | 0 Time to Live exceeded in Transit; 1 Fragment Reassembly Time Exceeded
12 | Parameter Problem | 0 Pointer indicates the error; 1 Missing a Required Option; 2 Bad Length
13 | Timestamp | 0 No Code
14 | Timestamp Reply | 0 No Code
15 | Information Request | 0 No Code
16 | |
17 | Address Mask Request | 0 No Code
18 | Address Mask Reply | 0 No Code
19 | Reserved (for Security) |
20-29 | Reserved (for Robustness Experiment) |
30 | Traceroute |
31 | Datagram Conversion Error |
32 | Mobile Host Redirect |
33 | IPv6 Where-Are-You |
34 | IPv6 I-Am-Here |
35 | Mobile Registration Request |
36 | Mobile Registration Reply |
39 | SKIP |
40 | Photuris | 0 Bad SPI; 1 Authentication Failed; 2 Decompression Failed; 3 Decryption Failed; 4 Need Authentication; 5 Need Authorization
41-255 | Reserved |