I'm configuring iptables, for an Ubuntu Server VPS. It runs sshd, and various Dockerised web apps. It is not a router, and is not part of a complicated network.

After researching the topic, I decided to respect ICMP.

However, I'm using a whitelist, and only ACCEPT specific traffic:

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# ...then ACCEPT specific incoming traffic

What about ICMP? I could REJECT a few types and whitelist the rest:

-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT
-A INPUT -p icmp -j ACCEPT

But that defeats the whitelist... So I want to do it the other way round.

Most ICMPv4 types have been deprecated. So creating a whitelist is easy, I just need guidance.

The major types, from iptables -p icmp -h:

 0  =  echo-reply (pong)        # indirectly accepted by ESTABLISHED,RELATED rule
 3  =  destination-unreachable  # `ACCEPT`, especially code 4
 4  =  source-quench
 5  =  redirect
 8  =  echo-request (ping)      # `ACCEPT`
 9  =  router-advertisement
10  =  router-solicitation
11  =  time-exceeded            # indirectly accepted by ESTABLISHED,RELATED rule
12  =  parameter-problem        # `ACCEPT`
13  =  timestamp
14  =  timestamp reply
17  =  address-mask-request
18  =  address-mask-reply
...    many more

What I'll do:

  • types 3, 8, 12: must ACCEPT
  • types 0, 11: automatically ACCEPT by separate ESTABLISHED,RELATED rule
  • other types: default policy will REJECT (rather than DROP), with message --reject-with icmp-proto-unreachable

Which other types should I ACCEPT? (And am I accepting types or codes that I should not?)


UPDATE 1

No this is not a duplicate. It is about whitelisting important incoming ICMP traffic, and rejecting the rest.

Maybe as per @poige's comments, some items in my list are unnecessary as they are responses (like echo-reply). That is part of my question, please advise me what to put in the whitelist. If it is already covered by ESTABLISHED,RELATED then please advise me to remove it from the whitelist.


UPDATE 2

To avoid more unnecessary confrontation as below with @poige, here is the question put simply:

"I'm using a whitelist approach - so by default everything is dropped. But I don't want icmp traffic to be dropped. So I'd like advice as to what to put into the whitelist."

  • "--ctstate ESTABLISHED,RELATED" would accept not only code 0. `ESTABLISHED` would do that, but `RELATED` is wider. Read the docs – poige Sep 14 '19 at 14:43
  • Possible duplicate of [iptables, ICMP and RELATED](https://serverfault.com/questions/628943/iptables-icmp-and-related) – poige Sep 14 '19 at 14:45
  • @poige It's not a dupe - this is not about "RELATED" etc. It's about whitelisting important incoming icmp traffic (by type/code), and rejecting the rest. – lonix Sep 14 '19 at 14:48
  • you're saying "code 3" which is "destination-unreachable" and I'm telling you that RELATED does handle that. State clearly what is your question because now it does look like a dup – poige Sep 14 '19 at 14:49
  • Also "important" is an opinion-based conclusion. For you it might be important to answer to echo requests, to me — it's not needed. Code 11 is also handled by RELATED thus it means you don't need to handle it separately. – poige Sep 14 '19 at 14:52
  • @poige This is not about ICMP traffic I initiate, it's about random ICMP traffic that I receive. I want to whitelist certain types and reject the rest. – lonix Sep 14 '19 at 14:52
  • You can't receive random "time-exceeded"… – poige Sep 14 '19 at 14:53
  • @poige About type 11, okay then that is an exception. So maybe then your advice is I do not need to whitelist it, just like I do not need to whitelist echo response (same idea, I initiate the traffic, and it's RELATED). The rest are whitelisted. – lonix Sep 14 '19 at 14:54
  • echo response is not RELATED. It's a part of ESTABLISHED. – poige Sep 14 '19 at 14:55
  • @poige Okay so your advice is that the whitelist does not need `echo-response` or `time-exceeded`, as they are automatically handled by a `ESTABLISHED,RELATED` rule. Thanks. – lonix Sep 14 '19 at 15:00
  • 10 minutes ago I've told you `destination-unreachable` is also handled by RELATED. You're wasting time instead of using it for studying the subject. – poige Sep 14 '19 at 15:01
  • @poige Your confrontational tone makes it hard to learn from you. And even if that's the case, what about the rest? Does everything I listed fall into the "related/established" case? – lonix Sep 14 '19 at 15:09
  • People often have excuses for own ignorance. Your q-n (being very vaguely asked) is already answered for most of its parts and that's the last message I have for you. Bye-bye – poige Sep 14 '19 at 15:14
  • @poige The question is not vague. I'm using a whitelist approach - so by default everything is blocked. I don't want icmp traffic to be blocked. So I wanted advice from people more knowledgeable than me, as to what to put into the whitelist. So simple. – lonix Sep 14 '19 at 15:18
  • "_so by default everything is dropped._" I think the part you are missing is that everything you want to allow is allowed as _established_ or _related_, except the ICMP Echo Request. The ICMP messages in the list of what you want to allow are in _response_ to something _you_ have sent (other than the echo request). – Ron Maupin Sep 14 '19 at 15:33
  • @RonMaupin Thank you. Unlike some other commenters you obviously understood the gap in my knowledge, and explained it in a friendly way that an iptables newbie can understand. If you'd add that as an answer I'd accept. – lonix Sep 14 '19 at 17:55
  • @RonMaupin So the whitelist now really becomes just a single item - the echo-request (type 8, code 0). In your opinion is there anything missing from that whitelist that should be added? (i.e. am I right in assuming, that of all the dozens of types, `echo-request` is the only icmp type that is not in response to something I initiated?) – lonix Sep 14 '19 at 17:58
  • Well, in the list of things you want to allow, the ICMP Echo Request seems to be the only one not in response to something you sent. You should also think about ICMPv6. The message numbers are different than ICMPv4, and they are organized in such a way as to have the error messages in response to what you send in `1` to `127`, and informational messages, e.g. Echo, in `128` to `255`. – Ron Maupin Sep 14 '19 at 18:20
  • @RonMaupin Thanks! I plan on dealing with v6 once I'm done with v4. For now, for v4, what I'm doing based on your advice, is 1) it's a whitelist so default drop, 2) add established/related rule, 3) reject icmp redirects (widely advised to do so on serverfault to no ill effect), 4) accept all other icmp. So my iptables are a whitelist, except for the icmp bits, which are the other way round (allow all of it, except for redirects). Thanks again. – lonix Sep 14 '19 at 18:45

1 Answer

I wanted to know which icmp types to whitelist, and listed examples - but a whitelist isn't ideal for icmp.

This rule is typically added in the beginning:

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

And that covers most (all?) modern/non-deprecated ICMPv4 types, because they are in response to connections initiated by the local server. That was the part I didn't realise, and so my question was not about what to add to the whitelist, but what to remove (almost everything).

There is one exception, echo-request, which isn't initiated by the local server.

So I'm still using a whitelist (default drop, and accept specific traffic), except for the ICMP parts (reject some types, and accept the rest):

*filter

# default drop (so can create a whitelist)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# this automatically accepts all icmpv4 types other than echo-request
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# accept specific traffic...

# icmp: reject redirects and accept the rest (basically a blacklist)
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j ACCEPT

# accept specific traffic...

COMMIT

  • Even dropping ICMP redirects probably isn't necessary, as many Linux distributions will ignore them by default. See the sysctls net.ipv4.conf.all.accept_redirects and for each interface. – Michael Hampton Sep 14 '19 at 20:14
  • @MichaelHampton Thanks for teaching me something new Michael. However in my vanilla Ubuntu Server 18.04, I checked the `/etc/sysctl.conf` and found that the various `net.*.accept_redirects` options were all commented out. Unsure whether that means they default to on or off. Is it better (faster/performant/whatever) to disable these in sysctl or iptables? – lonix Sep 15 '19 at 05:23
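As an added example (not the asker's ruleset and not taken from the thread), the following script turns the plan in the question and the final ruleset in the answer into an `iptables-restore` file that can be syntax-checked with `iptables-restore --test` before it touches the live tables, and adds the check Michael Hampton's comment points at: reading the effective `accept_redirects` value from `/proc` rather than guessing from commented-out lines in `/etc/sysctl.conf`. The `SSH_PORT` variable, the web ports 80/443, the interface name `eth0` and the function names are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not part of the ServerFault thread. Assumed names:
# SSH_PORT, build_ruleset, validate_ruleset, redirect_policy,
# redirects_effective; ports 80/443 and interface eth0 are assumptions.

SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on 22

# Emit the IPv4 filter table in iptables-restore format. Order matters:
# conntrack first (covers replies to our own traffic and the RELATED ICMP
# errors: destination-unreachable, time-exceeded, parameter-problem),
# then explicit ICMP handling, then service ports; the DROP policy on
# INPUT catches everything that is not listed.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is not a network; keep it open
-A INPUT -i lo -j ACCEPT
# replies to connections we opened, plus RELATED ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP: refuse redirects, accept the rest (echo-request is the one type
# that is never a response to something this host sent)
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j ACCEPT
# services (assumed ports)
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset with iptables-restore --test, which builds but never
# commits it. Returns 0 if valid, non-zero if rejected, 2 if the tool is
# not installed on this machine.
validate_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    build_ruleset | iptables-restore --test
}

# Kernel semantics (Documentation/networking/ip-sysctl): with forwarding
# off, redirects are honoured if EITHER conf/all or the interface's own
# accept_redirects is 1; with forwarding on, BOTH must be 1.
# Arguments: forwarding all_value iface_value. Prints accepted/ignored.
redirect_policy() {
    fwd=$1; all=$2; iface=$3
    if [ "$fwd" -eq 1 ]; then
        [ "$all" -eq 1 ] && [ "$iface" -eq 1 ] && { echo accepted; return 0; }
    else
        { [ "$all" -eq 1 ] || [ "$iface" -eq 1 ]; } && { echo accepted; return 0; }
    fi
    echo ignored
    return 1
}

# Read the live values for one interface from /proc. This reflects what
# sysctl.conf and sysctl.d actually applied; a commented-out line sets
# nothing, so the kernel default or another drop-in file decides.
redirects_effective() {
    dev=${1:-eth0}
    base=/proc/sys/net/ipv4/conf
    [ -r "$base/$dev/accept_redirects" ] || { echo "no such interface: $dev" >&2; return 2; }
    redirect_policy "$(cat "$base/$dev/forwarding")" \
                    "$(cat "$base/all/accept_redirects")" \
                    "$(cat "$base/$dev/accept_redirects")"
}

# Usage: sh icmp-whitelist.sh show | check | redirects [iface]
case "${1:-}" in
    show)      build_ruleset ;;
    check)     validate_ruleset ;;
    redirects) redirects_effective "${2:-eth0}" ;;
esac
```

`sh icmp-whitelist.sh show > /etc/iptables/rules.v4` writes the file, `check` parses it without applying, and `redirects eth0` answers the question in the last comment for that interface. Two caveats: a full `iptables-restore` replaces the whole filter table, including the `DOCKER` and `DOCKER-USER` chains Docker creates at start-up, so apply the file before Docker starts or restart the docker service afterwards; and the file is IPv4 only, since ICMPv6 uses a different type numbering (as Ron Maupin's comment notes) and needs its own ip6tables rules.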