ICMP Parameters and my iptables table

By thomas, 6 March, 2006
The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field. I use the types to specify what actions to take in my custom iptables config. My iptables configuration has a separate chain (a user-defined chain, which I refer to as my icmp table) for ICMP traffic, so ICMP is handled on its own. I create the chains in /etc/sysconfig/iptables:

    :icmp-in - [0:0]
    :icmp-out - [0:0]

Then I create some allow rules: ICMP arriving on lo (loopback) is sent to the icmp-in chain, echo requests (ping) from my own network on eth0 are accepted, and the last two rules allow ICMP traffic outbound and any subsequent inbound traffic (ESTABLISHED, RELATED). Adding the first rule for lo is really important if you are going to start blocking ICMP, because local services talk to each other over loopback and fail in confusing ways when that traffic is dropped. The state rule also matters more than it looks: conntrack classifies ICMP error messages (Destination Unreachable, Time Exceeded, Parameter Problem) that refer to an existing flow as RELATED, so Fragmentation Needed (type 3, code 4) for your own connections is accepted here and path MTU discovery keeps working even though type 3 is not accepted further down.

    -A INPUT -i lo -p icmp -j icmp-in
    -A INPUT -p icmp --icmp-type 8 -s 10.0.0.0/8 -i eth0 -j ACCEPT
    -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Next I go down the table of codes (see the end of this post) and decide if I want to accept, reject or return the packets based on type. Two things to keep in mind when reading these: RETURN in a user-defined chain hands the packet back to the chain that jumped to it (INPUT or OUTPUT), where the remaining rules and the chain policy decide its fate, and a packet that matches nothing in the chain falls off the end with the same effect. Also, --icmp-type accepts a type/code pair (for example --icmp-type 3/4) or a symbolic name (iptables -p icmp -h lists them), so you can match a single code of a type rather than the whole type.

    -A icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A icmp-in -p icmp -m icmp --icmp-type 3 -j RETURN
    -A icmp-in -p icmp -m icmp --icmp-type 4 -j RETURN
    -A icmp-in -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp-in -p icmp -m icmp --icmp-type 11 -j RETURN
    -A icmp-in -p icmp -m icmp --icmp-type 12 -j RETURN
    -A icmp-in -p icmp -m icmp --icmp-type 14 -j RETURN
    -A icmp-in -p icmp -m icmp --icmp-type 16 -j RETURN
    -A icmp-in -p icmp -m icmp --icmp-type 18 -j RETURN
    -A icmp-out -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A icmp-out -p icmp -m icmp --icmp-type 4 -j RETURN
    -A icmp-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp-out -p icmp -m icmp --icmp-type 12 -j RETURN
    -A icmp-out -p icmp -m icmp --icmp-type 13 -j RETURN
    -A icmp-out -p icmp -m icmp --icmp-type 15 -j RETURN
    -A icmp-out -p icmp -m icmp --icmp-type 17 -j RETURN

Many ICMP types have a "code" field. Here is a list of the types with their assigned code fields.
Type   Name
0      Echo Reply
       Codes:
         0  No Code
1      Unassigned
2      Unassigned
3      Destination Unreachable
       Codes:
         0  Net Unreachable
         1  Host Unreachable
         2  Protocol Unreachable
         3  Port Unreachable
         4  Fragmentation Needed and Don't Fragment was Set
         5  Source Route Failed
         6  Destination Network Unknown
         7  Destination Host Unknown
         8  Source Host Isolated
         9  Communication with Destination Network is Administratively Prohibited
         10 Communication with Destination Host is Administratively Prohibited
         11 Destination Network Unreachable for Type of Service
         12 Destination Host Unreachable for Type of Service
         13 Communication Administratively Prohibited
         14 Host Precedence Violation
         15 Precedence cutoff in effect
4      Source Quench
       Codes:
         0  No Code
5      Redirect
       Codes:
         0  Redirect Datagram for the Network (or subnet)
         1  Redirect Datagram for the Host
         2  Redirect Datagram for the Type of Service and Network
         3  Redirect Datagram for the Type of Service and Host
6      Alternate Host Address
       Codes:
         0  Alternate Address for Host
7      Unassigned
8      Echo
       Codes:
         0  No Code
9      Router Advertisement
       Codes:
         0  Normal router advertisement
         16 Does not route common traffic
10     Router Selection (Router Solicitation in RFC 1256)
       Codes:
         0  No Code
11     Time Exceeded
       Codes:
         0  Time to Live exceeded in Transit
         1  Fragment Reassembly Time Exceeded
12     Parameter Problem
       Codes:
         0  Pointer indicates the error
         1  Missing a Required Option
         2  Bad Length
13     Timestamp
       Codes:
         0  No Code
14     Timestamp Reply
       Codes:
         0  No Code
15     Information Request
       Codes:
         0  No Code
16     Information Reply
       Codes:
         0  No Code
17     Address Mask Request
       Codes:
         0  No Code
18     Address Mask Reply
       Codes:
         0  No Code
19     Reserved (for Security)
20-29  Reserved (for Robustness Experiment)
30     Traceroute
31     Datagram Conversion Error
32     Mobile Host Redirect
33     IPv6 Where-Are-You
34     IPv6 I-Am-Here
35     Mobile Registration Request
36     Mobile Registration Reply
37     Domain Name Request
38     Domain Name Reply
39     SKIP
40     Photuris
       Codes:
         0  Bad SPI
         1  Authentication Failed
         2  Decompression Failed
         3  Decryption Failed
         4  Need Authentication
         5  Need Authorization
41-255 Reserved
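The following is an added example written for this page; it is not thomas's configuration and not code from iptables. It ties the two halves of the post together: it reads the type and code bytes of a raw ICMP message, names them from the table above, verifies the header checksum, and walks a first-match chain built from the same rules as icmp-in to show what ACCEPT versus RETURN means for a given type and code. The sample messages are constructed inline (not captured traffic), the function names are this example's own, and ICMP_IN_PMTUD is a hypothetical variant of the chain that accepts fragmentation-needed with a type/code match before returning the rest of type 3; the post itself does not configure that.

```python
"""Decode ICMP type/code fields and walk an iptables-style ICMP chain.

Added example for this page (assumption: not the post's own config). The chain
contents mirror the icmp-in rules in the post; samples are constructed here.
"""
import struct

# Excerpt of the type/code table at the end of the post, limited to the types
# the walk below needs.
ICMP_TYPES = {
    0: ("Echo Reply", {0: "No Code"}),
    3: ("Destination Unreachable", {
        0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
        13: "Communication Administratively Prohibited"}),
    4: ("Source Quench", {0: "No Code"}),
    5: ("Redirect", {0: "Redirect Datagram for the Network (or subnet)",
                     1: "Redirect Datagram for the Host"}),
    8: ("Echo", {0: "No Code"}),
    11: ("Time Exceeded", {0: "Time to Live exceeded in Transit",
                           1: "Fragment Reassembly Time Exceeded"}),
    12: ("Parameter Problem", {0: "Pointer indicates the error",
                               1: "Missing a Required Option", 2: "Bad Length"}),
}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as the ICMP header checksum uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used for the samples)."""
    body = rest + payload
    csum = rfc1071_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(pkt: bytes) -> dict:
    """Take type and code from the first two bytes and name them from the table."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code = pkt[0], pkt[1]
    name, codes = ICMP_TYPES.get(icmp_type, ("Unassigned/Reserved", {}))
    return {"type": icmp_type, "code": code, "name": name,
            "code_name": codes.get(code, "unassigned code"),
            # an intact message, checksum field included, sums to zero
            "checksum_ok": rfc1071_checksum(pkt) == 0}


# The post's icmp-in chain as (type, code, target). code None means the rule
# was written "--icmp-type N" and therefore matches every code of that type.
ICMP_IN = [
    (0, None, "ACCEPT"), (3, None, "RETURN"), (4, None, "RETURN"),
    (8, None, "ACCEPT"), (11, None, "RETURN"), (12, None, "RETURN"),
    (14, None, "RETURN"), (16, None, "RETURN"), (18, None, "RETURN"),
]

# Hypothetical variant (assumption, not in the post): accept fragmentation-needed
# ("--icmp-type 3/4") before returning the rest of type 3.
ICMP_IN_PMTUD = [(3, 4, "ACCEPT")] + ICMP_IN


def walk_chain(chain, icmp_type: int, code: int) -> str:
    """First matching rule wins; falling off the end of a user chain is RETURN."""
    for rule_type, rule_code, target in chain:
        if rule_type == icmp_type and rule_code in (None, code):
            return target
    return "RETURN"


def to_iptables(chain_name: str, chain) -> list:
    """Render a chain back into the iptables-save syntax used in the post."""
    lines = []
    for rule_type, rule_code, target in chain:
        t = str(rule_type) if rule_code is None else "%d/%d" % (rule_type, rule_code)
        lines.append("-A %s -p icmp -m icmp --icmp-type %s -j %s" % (chain_name, t, target))
    return lines


def decide(pkt: bytes, chain=ICMP_IN) -> tuple:
    """(type name, code name, verdict) for one raw ICMP message."""
    info = parse_icmp(pkt)
    if not info["checksum_ok"]:              # refuse to classify a corrupted message
        return info["name"], info["code_name"], "BAD-CHECKSUM"
    return info["name"], info["code_name"], walk_chain(chain, info["type"], info["code"])


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "echo-request": build_icmp(8, 0, payload=b"ping"),
    "frag-needed-mtu-1400": build_icmp(3, 4, rest=b"\x00\x00\x05\x78"),
    "redirect-host": build_icmp(5, 1, rest=b"\x0a\x00\x00\x01"),
}
SAMPLES["corrupt-echo"] = SAMPLES["echo-request"][:4] + b"\xff" + SAMPLES["echo-request"][5:]

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-22s %s" % (label, decide(pkt)))
    print("\n".join(to_iptables("icmp-in", ICMP_IN_PMTUD)))
```

Run it with python3 and the echo request comes back ACCEPT, the fragmentation-needed message comes back RETURN under the post's chain but ACCEPT under the 3/4 variant, and the redirect, which no rule mentions, falls off the end as RETURN, which is why a user-defined chain on its own never drops anything: the verdict for returned packets belongs to INPUT or OUTPUT.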