[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

ICMP & IPCHAINS



To all those that wanted to know how I was filtering particular
ICMP packets, here are a few snippets from my firewall script, which is
based on one by Ian Hall-Beyer.  I hope this helps you get started.

Also note the output of the command:
ipchains -h icmp

Shawn Mitchell mentioned blocking all ICMP echos and especially
broadcast echos.  Perhaps he'd care to elaborate with a similar
example?  I believe he means inbound replies, to stop someone spoofing
your IP and then flooding your network with ICMP replies?

Whilst I'm mentioning these sorts of things, one thing you should ALL be
doing at your firewalls is dropping packets that can't have originated
from inside your network or shouldn't be allowed out (e.g. the 10.0.0.0/8
subnet, etc.) to stop spoofing, and indeed inbound packets that could only
have originated from inside your network.

If all routers/firewalls did this spoofing would be a thing of the
past.  A nice thought but not likely to happen.

Anyway, here's the bits of my script:
#!/bin/sh

# ------------------------------------------------------ Interfaces -
# External Interface
# This is the interface that is your link to the world

EXTERNIF="eth0"

# Internal Interface
# This is the interface to your LAN

INTERNIF="eth1"

# Secured Interface
# This is the interface you want secured

SECUREIF="eth2"

# ------------------------------------------------ Variable definition -
#
# Set the location of ipchains.

IPCHAINS="/sbin/ipchains"
IFCONFIG="/sbin/ifconfig"


# You shouldn't need to change anything in the rest of this section.
# These parse the ifconfig output format of the day
# ("inet addr:1.2.3.4  Bcast:...  Mask:255.255.255.0"); 'inet addr' rather
# than plain 'inet' keeps any inet6 line from creeping into the result.

EXTERNIP=`$IFCONFIG $EXTERNIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`
EXTERNMASK=`$IFCONFIG $EXTERNIF | grep Mask | cut -d : -f 4`
# Note: this is only the subnet directly attached to the external
# interface, not "everything outside".  Rules that must match any outside
# host should use -i $EXTERNIF together with $ANYNET instead.
EXTERNNET="$EXTERNIP/$EXTERNMASK"

echo "Extern NET: $EXTERNNET"

INTERNIP=`$IFCONFIG $INTERNIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`
INTERNMASK=`$IFCONFIG $INTERNIF | grep Mask | cut -d : -f 4`
INTERNNET="$INTERNIP/$INTERNMASK"

echo "Intern NET: $INTERNNET"

SECUREIP=`$IFCONFIG $SECUREIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`
SECUREMASK=`$IFCONFIG $SECUREIF | grep Mask | cut -d : -f 4`
SECURENET="$SECUREIP/$SECUREMASK"

echo "Secure NET: $SECURENET"

ANYNET="0.0.0.0/0"
# ---------------------------------- Flush everything, start from scratch -

echo -n "Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."

echo "Done!"

# ----------------------------------------------- Allow loopback interface -

echo -n "Loopback.."

$IPCHAINS -A input -i lo -s $ANYNET -d $ANYNET -j ACCEPT
$IPCHAINS -A output -i lo -s $ANYNET -d $ANYNET -j ACCEPT
echo -n ".."

echo "Done!"

# ------------------------------------------------------------------ ICMP -

echo -n "ICMP Rules.."

# Use this to deny ICMP attacks from specific addresses
# (-b installs the rule in both directions as well)
# $IPCHAINS -A input -b -i $EXTERNIF -p icmp -s <address> -d $ANYNET -j DENY
# echo -n "."

# Allows all ICMP from the internal LAN into the Secure network
$IPCHAINS -A input -p icmp -s $INTERNNET -d $SECURENET -j ACCEPT

# Blocks 'pings' (echo-request) from external sources.  Matching on the
# external interface catches any outside host; matching on $EXTERNNET
# would only catch the directly attached external subnet.
$IPCHAINS -A input -i $EXTERNIF -p icmp -s $ANYNET echo-request -d $SECURENET -j DENY

# Blocks traceroutes (or rather the time-exceeded responses to them)
# leaving the Secure network for the outside, but not for the LAN
$IPCHAINS -A output -p icmp -s $SECURENET time-exceeded -d $INTERNNET -j ACCEPT
$IPCHAINS -A output -i $EXTERNIF -p icmp -s $SECURENET time-exceeded -d $ANYNET -j DENY

# Block redirects from the outside entering the Secure network
$IPCHAINS -A input -i $EXTERNIF -p icmp -s $ANYNET redirect -d $SECURENET -j DENY

# Allow all other ICMP (the ICMP type names above are those listed by
# 'ipchains -h icmp'; ipchains takes the type where the source port would go)
$IPCHAINS -A input -p icmp -s $ANYNET -d $ANYNET -j ACCEPT
echo -n ".."

echo "Done!"


--
Jonathan Benson
Systems Administrator
Ocean Internet
http://www.ocean.com.au/
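As an added example (not part of Jonathan's post or of his script), here is the anti-spoofing filtering he recommends, ingress and egress, together with an ICMP policy that also covers the broadcast-echo (smurf) case raised in the thread. Each function prints one ipchains command per line so the rule set can be read before it touches a live firewall; on a real ipchains host pipe the output through sh. The interface name, addresses and broadcast addresses are assumptions for illustration only (203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes).

```shell
#!/bin/sh
# Added example, not from the original post.  Prints ipchains rules for
# review; all names and addresses below are assumptions to be replaced.

EXTERNIF="eth0"               # assumed external interface
EXTERNIP="203.0.113.5"        # assumed address on $EXTERNIF
EXTERNBCAST="203.0.113.255"   # assumed broadcast address of the external subnet
INTERNNET="198.51.100.0/24"   # assumed routed (not masqueraded) internal LAN
INTERNBCAST="198.51.100.255"  # assumed broadcast address of the internal LAN
ANYNET="0.0.0.0/0"

# Anti-spoofing.  "-i $EXTERNIF" on the input chain means "arrived from
# the outside" whatever the source address claims, so these rules cover
# the whole Internet and not just the directly attached external subnet.
# "-l" logs each match so spoof attempts and leaking hosts show up.
spoof_rules() {
    ipc="${1:-ipchains}"
    # Ingress: nothing from outside may claim to be us, an RFC 1918
    # address, loopback, or the "this network" range.
    for net in "$INTERNNET" "$EXTERNIP/32" 10.0.0.0/8 172.16.0.0/12 \
               192.168.0.0/16 127.0.0.0/8 0.0.0.0/8; do
        echo "$ipc -A input -i $EXTERNIF -s $net -d $ANYNET -l -j DENY"
    done
    # Egress: only our own addresses may leave on the external interface.
    # (A masqueraded LAN would already carry $EXTERNIP here, so then only
    # the second ACCEPT would be needed.)
    echo "$ipc -A output -i $EXTERNIF -s $INTERNNET -d $ANYNET -j ACCEPT"
    echo "$ipc -A output -i $EXTERNIF -s $EXTERNIP/32 -d $ANYNET -j ACCEPT"
    echo "$ipc -A output -i $EXTERNIF -s $ANYNET -d $ANYNET -l -j DENY"
}

# ICMP from the outside.  ipchains takes the ICMP type where the source
# port would go; the names are those listed by 'ipchains -h icmp'.
icmp_rules() {
    ipc="${1:-ipchains}"
    # Smurf: an echo-request aimed at one of our broadcast addresses is
    # never legitimate, and with a spoofed source we would be the amplifier.
    for bcast in "$EXTERNBCAST" "$INTERNBCAST"; do
        echo "$ipc -A input -p icmp -s $ANYNET echo-request -d $bcast -l -j DENY"
    done
    # Unicast pings from outside: dropped, as in the thread.
    echo "$ipc -A input -i $EXTERNIF -p icmp -s $ANYNET echo-request -d $ANYNET -j DENY"
    # The ICMP that TCP/IP needs back in: replies to our own pings,
    # unreachables (path MTU discovery), time-exceeded (our own traceroutes).
    for t in echo-reply destination-unreachable time-exceeded \
             source-quench parameter-problem; do
        echo "$ipc -A input -i $EXTERNIF -p icmp -s $ANYNET $t -d $ANYNET -j ACCEPT"
    done
    # A redirect from outside could rewrite our routing table: drop and log.
    echo "$ipc -A input -i $EXTERNIF -p icmp -s $ANYNET redirect -d $ANYNET -l -j DENY"
    # Anything else ICMP from outside.
    echo "$ipc -A input -i $EXTERNIF -p icmp -s $ANYNET -d $ANYNET -j DENY"
}

# Dry run: print the rules for review.  To apply on a real ipchains host:
#   spoof_rules /sbin/ipchains | sh && icmp_rules /sbin/ipchains | sh
spoof_rules
icmp_rules
```

The rules are appended with -A, so they belong before any catch-all ACCEPT in the same chain; the ingress list is deliberately explicit about the firewall's own address as well as the LAN, since a packet arriving from outside with either as its source is as much a forgery as one from 10.0.0.0/8.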


