Deny ICMP traffic to your VPN. Cisco ACL for advanced users. Extended access lists. Block requests to an outgoing IP address

    So, let's continue with ACLs. This time we cover extended ACLs. We will use the topology from the previous article; I hope you have studied it thoroughly. If not, I highly recommend reading it so that the material here is easier to follow.

    First, what extended ACLs are. An extended ACL can match on the protocol, the destination address and the ports in addition to the source address, as well as on protocol-specific parameters (ICMP message types, TCP flags). It is best to learn from examples, so let's define a new task that builds on the previous one. By the way, anyone who wants to go on to traffic prioritisation afterwards should read QoS Classification and Marking, a good article, albeit in English. For now, back to our task:

    Task.

    1. Allow echo requests from hosts on the 192.168.0.0/24 network to the server.
    2. From the server – prohibit echo requests to the internal network.
    3. Allow WEB access to the server from node 192.168.0.11.
    4. Allow FTP access from host 192.168.0.13 to the server.

    A complex task, so we will solve it step by step. First, the syntax of an extended ACL.

    Extended ACL options

    <number 100-199 or 2000-2699> <permit | deny> <protocol> <source> [<port>] <destination> [<port>] [<options>]

    Port operators apply only to TCP and UDP, of course. They are eq (port equal to the given one), gt/lt (port greater/less than the given one), neq (port not equal to the given one) and range (a port range). A port operator applies to the source or destination field it follows; without one, any port matches.

    Named ACLs

    By the way, access lists can be named as well as numbered. You may find this more convenient, and it is what we will do this time. The command is entered in global configuration mode and the syntax is:

    Router(config)#ip access-list extended <name>

    So, let's start forming the rules.

    1. Allowing pings from the network 192.168.0.0/24 to the server. Echo requests are ICMP, so the protocol is icmp, the source is our subnet, the destination is the server address and the message type is echo (the request); the echo-reply travels in the opposite direction and is handled separately.
      Router(config)#ip access-list extended INT_IN
      Router(config-ext-nacl)#permit icmp 192.168.0.0 0.0.0.255 host 10.0.0.100 echo
      What is wrong with the subnet mask? Nothing: this is an ACL peculiarity, the so-called wildcard mask. It is the inverse of the usual mask, i.e. 255.255.255.255 minus the subnet mask; for 255.255.255.0 that leaves 0.0.0.255. A 0 bit in the wildcard must match the address exactly, a 1 bit means "don't care". So the rule reads: protocol icmp, source any host in 192.168.0.0/24, destination host 10.0.0.100, message type echo (request). Note that host 10.0.0.100 is equivalent to 10.0.0.100 0.0.0.0. We apply the list to the interface:
      Router(config)#int fa0/0
      Router(config-if)#ip access-group INT_IN in
      Something like that. If you check the pings now, everything works fine. One surprise awaits us here, though, which will surface a little later. I won't reveal it yet; whoever guesses it, well done!
    2. From the server – we prohibit all echo requests to the internal network (192.168.0.0/24). We define a new named list, INT_OUT, and attach it to the interface closest to the server.
      Router(config)#ip access-list extended INT_OUT
      Router(config-ext-nacl)#deny icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo
      Router(config-ext-nacl)#exit
      Router(config)#int fa0/1
      Router(config-if)#ip access-group INT_OUT in
      What we did: created an extended access list named INT_OUT that denies icmp of type echo from host 10.0.0.100 to the subnet 192.168.0.0/24, and applied it inbound on fa0/1, the interface closest to the server. Now we try to ping from the server.
      SERVER>ping 192.168.0.11
      Pinging 192.168.0.11 with 32 bytes of data:

      Reply from 10.0.0.1: Destination host unreachable.
      Reply from 10.0.0.1: Destination host unreachable.
      Reply from 10.0.0.1: Destination host unreachable.
      Ping statistics for 192.168.0.11:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
      It seems to work as it should. (For those who do not know how to send pings in Packet Tracer: click the node you want, e.g. the server, go to the Desktop tab and open Command Prompt.) And now the promised surprise. Try pinging from the host, as in step 1.
      PC>ping 10.0.0.100
      Pinging 10.0.0.100 with 32 bytes of data:
      Request timed out.
      Request timed out.
      Request timed out.
      Request timed out.

      Here is the catch. Everything just worked, so why did it stop? This is the promised surprise. The first rule has not gone anywhere: it still permits the echo request to reach the server. But where is the permission for the echo reply to come back? There is none. Every IOS ACL ends with an implicit deny any, so a packet that matches no explicit entry is dropped. We can send the request, but the reply is discarded at fa0/1 on its way back. Why did it work before? Because there was no ACL on fa0/1 then, and an interface without an ACL passes everything. So we need a rule that permits the ICMP replies.

      Add it to the INT_OUT list, the one on fa0/1 where the replies from the server arrive:

      Router(config-ext-nacl)#permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply

      (The final listing below also shows a copy of this entry in INT_IN. It is harmless but can never match, because INT_IN is applied inbound on fa0/0, where no packet has 10.0.0.100 as its source; note that it shows no hit counter.)

      Now nothing to complain about. Everything works!

    3. We allow WEB access to the server from host *.11. Same approach, but here you need to know a little about how Layer 4 (TCP, UDP) connections work: the client picks an arbitrary (ephemeral) source port above 1024, and the server port is the one of the service, port 80 for HTTP. What about the web server itself? In Packet Tracer the HTTP service is enabled on the server by default; check the node settings and make sure the box is ticked. You can connect to it with the "Web Browser" shortcut on the "Desktop" tab of any node. Right now there will be no access, of course, because the ACLs on the router interfaces have no entries that permit it. So we add to the INT_IN list (the one on fa0/0):
      Router(config-ext-nacl)#permit tcp host 192.168.0.11 gt 1024 host 10.0.0.100 eq 80
      That is, we permit TCP from our host (any port above 1024) to the server address on the HTTP port.

      And, of course, the opposite rule is in the INT_OUT list (which is on the interface fa0/1):

      Router(config-ext-nacl)#permit tcp host 10.0.0.100 eq 80 host 192.168.0.11 established

      That is, we permit TCP from the server's port 80 to host *.11, provided the connection is already established. The established keyword is stateless: it only requires the ACK or RST bit to be set, which is true of every segment except the initial SYN. Using gt 1024 instead would also work, but the meaning differs: it would additionally let the server open new connections from port 80 to any high port on the client, whereas established rejects a fresh SYN coming from the server side. Neither stops anyone who can craft a segment with ACK set; real connection tracking needs reflexive ACLs or the zone-based firewall.

      Which of the two is safer? Answer in the comments.

    4. We allow FTP access from host *.13 to the server. Nothing complicated either, but let's look at how the FTP protocol works (in the future I plan a whole series of articles on how different protocols work, since this is very useful for writing precise, "sniper" ACL rules). For now, the passive-mode exchange between client and server:
      + The client opens the control connection from a free port X (X > 1024) to port 21 of the server and tells the server it wants passive mode (the PASV command).
      + The server answers on that connection with the port number Y (Y > 1024) on which it will accept the data connection; the reply goes back to client port X, taken from the TCP header.
      + The client opens the data connection from a new free port (often described as X+1, but in practice any port above 1024) to server port Y, taken from the previous reply.
      Something like that. It sounds a little involved, but it is worth understanding. Add the rules to the INT_IN list:

      permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 eq 21
      permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 gt 1024

      And add rules to the INT_OUT list:

      permit tcp host 10.0.0.100 eq ftp host 192.168.0.13 gt 1024
      permit tcp host 10.0.0.100 gt 1024 host 192.168.0.13 gt 1024

      We test from the command line with ftp 10.0.0.100, log in with the credentials cisco:cisco (taken from the server settings), run dir and see that both commands and data get through. Note what the second rule in each list costs: without stateful inspection, passive FTP forces us to open every port above 1024 on the server to host *.13, and the reverse. If the FTP server can be pinned to a fixed passive port range, replace gt 1024 on the server side with range <low> <high> to narrow that hole.

    That's about all that concerns extended access lists.

    So, let's look at our rules:

    Router#show access-lists
    Extended IP access list INT_IN
    permit icmp 192.168.0.0 0.0.0.255 host 10.0.0.100 echo (17 match(es))
    permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply
    permit tcp host 192.168.0.11 gt 1024 host 10.0.0.100 eq www (36 match(es))
    permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 eq ftp (40 match(es))
    permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 gt 1024 (4 match(es))
    Extended IP access list INT_OUT
    deny icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo (4 match(es))
    permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply (4 match(es))
    permit tcp host 10.0.0.100 eq www host 192.168.0.11 established (3 match(es))
    permit tcp host 10.0.0.100 eq ftp host 192.168.0.13 gt 1024 (16 match(es))
    permit tcp host 10.0.0.100 gt 1024 host 192.168.0.13 gt 1024 (3 match(es))
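    The two lists above, run through a small evaluator. This is an added example, not IOS code: it models only the entry syntax used on this page (wildcard masks, host, eq/gt/lt/neq, ICMP type keywords, established and the implicit deny; no any or range) and first-match semantics. It reproduces the surprise from step 2 (the reply is dropped until the echo-reply entry exists) and shows what established does and does not check, which is the question left open in step 3.

```python
"""Toy evaluator for the extended ACLs above: wildcard masks, `host`,
eq/gt/lt/neq port operators, ICMP type keywords, `established` and the
implicit deny that ends every IOS ACL. Added example, not IOS code; it
parses only the entry syntax used on this page (no `any`, no `range`)."""
from dataclasses import dataclass, field
import ipaddress

NAMED_PORTS = {"www": 80, "ftp": 21}

@dataclass
class Packet:
    proto: str                 # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # "echo" or "echo-reply"
    flags: set = field(default_factory=set)   # TCP flags: "syn", "ack", "rst"

def addr_match(spec, addr):
    """`host A` matches exactly; `A WILDCARD` ignores the bits set in WILDCARD."""
    a = int(ipaddress.ip_address(addr))
    if spec[0] == "host":
        return a == int(ipaddress.ip_address(spec[1]))
    net, wild = (int(ipaddress.ip_address(x)) for x in spec)
    return (a & ~wild) == (net & ~wild)

def port_match(op, value, port):
    return {"eq": port == value, "gt": port > value,
            "lt": port < value, "neq": port != value}[op]

def parse_ace(line):
    """Turn one access-list entry into a dict of match fields."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    def take_addr():
        nonlocal i
        i += 2
        return tok[i - 2:i]
    def take_port():
        nonlocal i
        if proto == "tcp" and i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
            op, val = tok[i], tok[i + 1]
            i += 2
            return op, NAMED_PORTS.get(val) or int(val)
        return None
    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, opts=tok[i:])

def ace_matches(r, p):
    if r["proto"] != p.proto:
        return False
    if not (addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)):
        return False
    if r["sport"] and not port_match(*r["sport"], p.sport):
        return False
    if r["dport"] and not port_match(*r["dport"], p.dport):
        return False
    if p.proto == "icmp" and r["opts"] and r["opts"][0] != p.icmp_type:
        return False
    # `established` is stateless: it only asks for ACK or RST to be set
    if "established" in r["opts"] and not (p.flags & {"ack", "rst"}):
        return False
    return True

def evaluate(acl, p):
    """First matching entry wins; no match means the implicit deny any."""
    for n, line in enumerate(acl, 1):
        if ace_matches(parse_ace(line), p):
            return line.split()[0], n
    return "deny", None

INT_IN = [  # inbound on fa0/0, the LAN side
    "permit icmp 192.168.0.0 0.0.0.255 host 10.0.0.100 echo",
    "permit tcp host 192.168.0.11 gt 1024 host 10.0.0.100 eq www",
    "permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 eq ftp",
    "permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 gt 1024",
]
INT_OUT_BEFORE_FIX = [  # inbound on fa0/1, the server side, as first written
    "deny icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo",
    "permit tcp host 10.0.0.100 eq www host 192.168.0.11 established",
]
INT_OUT = INT_OUT_BEFORE_FIX + [
    "permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply"]

def demo():
    """Walk the page's scenarios through both lists and return the verdicts."""
    req = Packet("icmp", "192.168.0.11", "10.0.0.100", icmp_type="echo")
    rep = Packet("icmp", "10.0.0.100", "192.168.0.11", icmp_type="echo-reply")
    syn = Packet("tcp", "10.0.0.100", "192.168.0.11", 80, 40000, flags={"syn"})
    ack = Packet("tcp", "10.0.0.100", "192.168.0.11", 80, 40000, flags={"ack"})
    return {
        "echo request, INT_IN": evaluate(INT_IN, req)[0],
        "echo reply, INT_OUT before fix": evaluate(INT_OUT_BEFORE_FIX, rep)[0],  # the surprise
        "echo reply, INT_OUT after fix": evaluate(INT_OUT, rep)[0],
        "server-initiated SYN from :80": evaluate(INT_OUT, syn)[0],   # established stops this
        "crafted ACK from :80": evaluate(INT_OUT, ack)[0],            # ...but not this
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {v}")
```

    The last two verdicts are the answer to the question in step 3: established blocks a connection the server tries to open from port 80, which gt 1024 would have let through, but it is a flag check, not a state table, so a forged ACK-only segment from the server side is still permitted.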


    On Linux the packet filter is managed with iptables (for IPv4) and ip6tables (for IPv6). This cheat sheet covers the most common iptables operations for anyone who wants to protect a host from attackers or simply understand how it is set up. (Current distributions often run the nftables backend underneath; the commands below still work through the iptables-nft compatibility layer.)

    The # sign means the command is run as root. Open a root shell in advance: sudo -i on Debian-based systems, su on others.

    1. Show status.

    # iptables -L -n -v

    Sample output for an inactive (empty) firewall:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    For an active firewall:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
      394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
        0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Where:
    -L: List the rules.
    -v: Verbose output: shows interface names, rule options, TOS masks and the packet/byte counters (with K, M or G suffixes).
    -n: Print addresses and ports numerically, without resolving names through DNS (much faster).

    2. Display a list of rules with line numbers.

    # iptables -n -L -v --line-numbers

    Sample output:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
    6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
    7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    Chain wanin (1 references)
    num  target     prot opt source               destination

    Chain wanout (1 references)
    num  target     prot opt source               destination

    The line numbers are the positions that -I (insert) and -D (delete) take. They are per chain and shift after every insertion or deletion, so re-list before the next change.

    3. Display the INPUT or OUTPUT rule chain.

    # iptables -L INPUT -n -v
    # iptables -L OUTPUT -n -v --line-numbers

    4. Stop, start, restart the firewall.

    Using the distribution's own service (Ubuntu with ufw shown; other distributions use their own service name):
    # service ufw stop
    # service ufw start

    You can also use iptables itself to disable the firewall by removing all rules. Set the default policies to ACCEPT first: flushing the rules while the INPUT policy is still DROP cuts off your own SSH session, because the rule that accepted established connections is gone.
    # iptables -P INPUT ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT
    # iptables -F
    # iptables -X
    # iptables -t nat -F
    # iptables -t nat -X
    # iptables -t mangle -F
    # iptables -t mangle -X

    Where:
    -F: Flush (delete) all rules in the chain, or in every chain of the table when no chain is given.
    -X: Delete user-defined chains (they must be empty and unreferenced).
    -t table: Operate on the given table (filter by default; nat and mangle have to be cleared separately).
    -P: Set a chain's default policy, ACCEPT or DROP (REJECT is a rule target, not a valid policy).

    5. Delete firewall rules.

    To display the line number with existing rules:

    # iptables -L OUTPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers | less
    # iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

    Find the rule you want to remove, note the number in the left column and delete it by position. Numbers are per chain, so list the same chain you delete from; for example, rule 3 of INPUT:
    # iptables -D INPUT 3

    Or delete by specification: iptables removes the first rule in the chain that matches the given one exactly (here the DROP for source 202.54.1.1):
    # iptables -D INPUT -s 202.54.1.1 -j DROP

    Where:
    -D: Delete a rule from a chain, by number or by specification (numbers shift after every deletion, so re-list before deleting the next one).

    6. Add a rule to the firewall.

    To add one or more rules to a chain, we first display the list using line numbers:
    # iptables -L INPUT -n --line-numbers

    Sample output:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED

    To insert a rule between lines 1 and 2:
    # iptables -I INPUT 2 -s 202.54.1.2 -j DROP

    Let's check if the rule has been updated:
    # iptables -L INPUT -n --line-numbers

    The output will be like this:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    DROP       all  --  202.54.1.2           0.0.0.0/0
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED

    7. Save the firewall rules.

    Via iptables-save (the rules live only in kernel memory and are lost at reboot unless saved and restored):
    # iptables-save > /etc/iptables.rules

    8. Restoring the rules.

    Via iptables-restore, feeding it the saved file:
    # iptables-restore < /etc/iptables.rules

    9. Set default policies.

    To drop all traffic:
    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP
    # iptables -L -v -n

    After the above commands not a single packet enters or leaves this host, including your own SSH session if you ran them remotely. Check:
    # ping google.com

    10. Block only incoming connections.

    To drop all incoming packets that do not belong to a connection you initiated, but allow all outgoing traffic:
    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT ACCEPT
    # iptables -A INPUT -i lo -j ACCEPT
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -L -v -n

    Note the state list: NEW,ESTABLISHED here would accept every new inbound connection as well and defeat the purpose; ESTABLISHED,RELATED is what a reply-only rule needs (-m conntrack --ctstate is the current spelling of -m state --state). The loopback rule keeps local services working. Outgoing packets, and the replies conntrack associates with them, are allowed:
    # ping google.com

    11. Drop packets with private or reserved source addresses arriving on a public interface.

    These ranges never appear as legitimate sources on the Internet, so a packet carrying one on the public interface is spoofed. For example:
    # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP

    Ranges that should not arrive from outside:
    10.0.0.0/8 (private, RFC 1918, class A)
    172.16.0.0/12 (private, RFC 1918, class B)
    192.168.0.0/16 (private, RFC 1918, class C)
    224.0.0.0/4 (multicast, class D)
    240.0.0.0/4 (reserved, class E)
    127.0.0.0/8 (loopback)

    12. Blocking a specific IP address.

    To block an attacker's address 1.2.3.4, or a whole network. Use -I instead of -A if the chain already has a broad ACCEPT rule above, because -A appends at the end and the DROP would never be reached:
    # iptables -A INPUT -s 1.2.3.4 -j DROP
    # iptables -A INPUT -s 192.168.0.0/24 -j DROP

    13. Block incoming port requests.

    To block all incoming requests to TCP port 80, on every interface or only on eth1:
    # iptables -A INPUT -p tcp --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

    To block port 80 requests from address 1.2.3.4, or from a network on eth1:
    # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

    14. Block requests to an outgoing IP address.

    To block a site, first look up its address:
    # host -t a facebook.com

    Output: facebook.com has address 69.171.228.40

    Find the network block that contains 69.171.228.40:
    # whois 69.171.228.40 | grep CIDR

    Output:
    CIDR: 69.171.224.0/19

    Block access to 69.171.224.0/19 (check the whois owner first; an allocated block can be wider than the one site you mean):
    # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

    You can also give a domain name. iptables resolves it once, when the rule is added, and installs one rule per A record returned at that moment; later DNS changes, other hostnames of the same site and UDP (HTTP/3 over QUIC on port 443) are not covered, so treat this as a convenience rather than a control:
    # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
    # iptables -A OUTPUT -p tcp -d facebook.com -j DROP

    15. Log and drop.

    To log packets before dropping them, put a LOG rule in front of the DROP rule with the same match (LOG is non-terminating, so the packet continues to the next rule):

    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    Check the log (kernel messages go to /var/log/messages on some distributions, /var/log/kern.log on others, or journalctl -k):
    # tail -f /var/log/messages
    # grep -i --color "IP_SPOOF" /var/log/messages

    16. Log and drop, with a limit on the number of entries.

    To keep a flood from filling the partition with log lines, rate-limit the LOG rule with -m limit. The rule below logs on average at most 5 entries per minute and allows an initial burst of 7; packets beyond that are still dropped, just not logged:
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    16. Drop or allow traffic from specific MAC addresses.

    MAC matching only works for hosts on the same Layer 2 segment: the source MAC the host sees is that of the last hop, so it says nothing about senders behind a router, and a MAC address is trivially changed by the sender.
    # iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
    ## *allow TCP port 22 only from MAC address 00:0F:EA:91:04:07 * ##
    # iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

    17. Allow or deny ICMP Ping requests.

    To disable ping:
    # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

    Allow for specific networks/hosts:
    # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

    Allow only some ICMP types:
    ### ** assumes the INPUT policy is DROP ** ###
    # iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ## ** destination-unreachable (type 3) includes Fragmentation Needed (code 4), which path MTU discovery depends on; do not drop it ** ##
    ## ** allow us to answer pings ** ##
    # iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
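    Sections 9 through 17 each show one rule on its own; the order in which they are combined decides whether the host is actually protected. The following Python, an added example and not part of the cheat sheet, assembles them into one iptables-restore file in a sane order (loopback, conntrack, spoofed sources logged with a rate limit and then dropped, the ICMP types that must pass, SSH from the LAN with a per-client cap) and lints the result for two mistakes that are easy to make with the rules above: accepting NEW in the reply rule, and LOG rules without a rate limit or without the matching DROP right behind them. eth1, 192.168.1.0/24 and the limits are assumed values.

```python
"""Added example, not from the cheat sheet: assemble sections 9-17 into one
default-deny INPUT ruleset in iptables-restore format and lint it for the
mistakes those sections make easy. Interface, network and limits are
assumed values."""
LAN = "192.168.1.0/24"      # assumed management network
WAN_IF = "eth1"             # assumed public interface
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8"]
MUST_PASS_ICMP = ["echo-reply", "destination-unreachable",
                  "time-exceeded", "parameter-problem"]

def build_ruleset(reply_states="ESTABLISHED,RELATED"):
    """Return the filter table as iptables-restore lines. `reply_states` is
    a parameter only so the lint can be shown catching NEW,ESTABLISHED."""
    r = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
         "-A INPUT -i lo -j ACCEPT",
         "-A INPUT -m conntrack --ctstate INVALID -j DROP",
         f"-A INPUT -m conntrack --ctstate {reply_states} -j ACCEPT"]
    # sections 11, 15, 16: spoofed sources on the public side, logged (rate limited) then dropped
    for net in BOGONS:
        r.append(f"-A INPUT -i {WAN_IF} -s {net} -m limit --limit 5/min --limit-burst 7 "
                 f"-j LOG --log-prefix \"IP_SPOOF: \"")
        r.append(f"-A INPUT -i {WAN_IF} -s {net} -j DROP")
    # section 17: ICMP types that must not be blocked, plus rate-limited echo requests
    for t in MUST_PASS_ICMP:
        r.append(f"-A INPUT -p icmp --icmp-type {t} -j ACCEPT")
    r.append("-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20 -j ACCEPT")
    # sections 20, 21: SSH from the LAN only, at most 3 concurrent connections per client host
    r.append(f"-A INPUT -s {LAN} -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j REJECT")
    r.append(f"-A INPUT -s {LAN} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT")
    r.append("COMMIT")
    return r

def lint_ruleset(rules):
    """Return findings for: INPUT policy not DROP, a state rule that accepts
    NEW without a port, and LOG rules without a rate limit or without the
    matching DROP/REJECT right behind them."""
    findings = []
    policies = {l.split()[0][1:]: l.split()[1] for l in rules if l.startswith(":")}
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    for n, l in enumerate(rules):
        if "--ctstate" in l and "-j ACCEPT" in l and "--dport" not in l:
            states = l.split("--ctstate")[1].split()[0].split(",")
            if "NEW" in states:
                findings.append(f"rule {n}: accepts NEW connections without a port restriction")
        if "-j LOG" in l:
            if "-m limit" not in l:
                findings.append(f"rule {n}: LOG rule is not rate limited")
            match = l.split(" -m limit")[0]
            nxt = rules[n + 1] if n + 1 < len(rules) else ""
            if not (nxt.startswith(match + " ") and nxt.endswith(("-j DROP", "-j REJECT"))):
                findings.append(f"rule {n}: LOG rule is not followed by a DROP/REJECT with the same match")
    return findings

if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

    Pipe the output into iptables-restore --test to have the kernel parse the ruleset without loading it, and drop --test only once both the lint and the parse are clean; a ruleset loaded this way replaces the running one atomically, unlike a series of -A commands.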

    18. Open a range of ports.

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

    19. Open a range of addresses.

    ## allow connections to port 80 (Apache) from addresses in the range 192.168.1.100 to 192.168.1.200 ##
    # iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

    ## example for NAT: pick the source address from a range (normally restricted with -o <wan interface>) ##
    # iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

    20. Close or open standard ports.

    Replace ACCEPT with DROP to block a port.

    ## ssh tcp port 22 ##
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

    ## cups (printing service) udp/tcp port 631 for local network ##
    iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

    ## time sync via NTP for local network (udp port 123) ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

    ## tcp port 25 (smtp) ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

    # dns server ports ##
    iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

    ## http/https www server port ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    ## tcp port 110 (pop3) ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

    ## tcp port 143 (imap) ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

    ## Samba file server for local network (137/138 are UDP, 139/445 are TCP) ##
    iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

    ## proxy server for local network ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

    ## mysql server for local network only (without -s this would expose the database to everyone) ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

    21. Limit the number of simultaneous connections to the server per client address.

    The connlimit match is used for this. To allow at most 3 SSH connections per client address:
    # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

    To cap HTTP at 20 concurrent connections per /24 (connlimit counts open connections, not requests):
    # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

    Where:
    --connlimit-above 3: The rule matches once the number of existing connections exceeds 3.
    --connlimit-mask 24: Prefix length used to group clients (24 = per /24 network; 32, the default, = per host).

    Help with iptables.

    To find help with iptables, use man:
    $ man iptables

    To view the help of a specific match or target extension (a plain built-in target like DROP has none):
    # iptables -m connlimit -h
    # iptables -j REJECT -h

    Checking the iptables rule.

    Checking which ports are listening (ss -tulpn on systems without netstat):
    # netstat -tulpn

    Checking a specific port:
    # netstat -tulpn | grep :80

    Let's check that iptables allows connection to port 80:
    # iptables -L INPUT -v -n | grep 80

    If there is no such rule, open the port (to everyone here; add -s to restrict it):
    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

    Check using telnet
    $ telnet ya.ru 80

    You can also check with nmap (a SYN scan needs root):
    # nmap -sS -p 80 ya.ru

    Iptables is a great tool in the hands of an administrator. If you need to easily and simply protect yourself in desktop Ubuntu, then you should know that there is a convenient console add-on for iptables called UFW, and for it there is a graphical program GUFW. Video material will help you make your Ubuntu even more secure.

    You can learn how to configure MikroTik in an online course on equipment from this manufacturer. The author of the course is a certified MikroTik trainer. You can read more at the end of the article.

    The article answers the question of how dangerous it is to block ICMP traffic.

    ICMP is a bone of contention

    Many network administrators believe that the Internet Control Message Protocol (ICMP) is a security risk and should therefore always be blocked. It is true that the protocol has some associated security issues, and that some requests should be blocked. But this is not a reason to block all ICMP traffic!

    ICMP traffic has many important functions; some are useful for troubleshooting, others are necessary for the network to work at all. Below are the parts of ICMP you should know about, and you should think about how best to let them through your network.

    Echo Request and Echo Reply

    IPv4 – Echo Request (Type 8, Code 0) and Echo Reply (Type 0, Code 0)
    IPv6 – Echo Request (Type 128, Code 0) and Echo Reply (Type 129, Code 0)

    We all know that ping is one of the first troubleshooting tools. Yes, if your equipment answers ICMP, your host becomes discoverable, but isn't it already listening on port 80 and answering client requests? By all means block these requests at the edge if you really want a silent DMZ. But blocking ICMP inside your network does not make it more secure; you just end up with a needlessly painful troubleshooting process ("Could you check whether the gateway answers?" "No, but that does not bother me, because it would tell me nothing anyway!").

    Remember that you can also allow these messages in one direction only: for example, configure the equipment so that Echo Requests from your network go out to the Internet and Echo Replies from the Internet come back in, but not the reverse.

    Fragmentation Required (IPv4) / Packet Too Big (IPv6)

    IPv4 – Destination Unreachable, Fragmentation Needed (Type 3, Code 4)
    IPv6 – Packet Too Big (Type 2, Code 0)

    These messages are very important because they are an essential part of Path MTU Discovery (PMTUD), which TCP depends on. PMTUD lets two hosts adjust the TCP Maximum Segment Size (MSS) to the smallest MTU along the path between them. If a node along the path has a smaller Maximum Transmission Unit than the sender or receiver, and they have no way of learning about that mismatch, the traffic is silently dropped. You will not understand what is happening on the link; in other words, "merry days" will follow.

    Don't Fragment – the ICMP will not get through!

    When an IPv4 packet with the Don't Fragment bit set (most of them!) or an IPv6 packet (remember that routers do not fragment in IPv6) is too large for the outgoing interface, the router discards it and sends the source an ICMP error: Fragmentation Required (IPv4) or Packet Too Big (IPv6). If these errors cannot get back to the sender, it interprets the missing acknowledgements (ACKs) from the receiver as congestion or loss and retransmits the same packets, which are dropped again.

    Such a problem is hard to identify and fix quickly: the TCP handshake works fine because it consists of small packets, but as soon as bulk data is transferred the session hangs, because the sender never receives the error messages.

    Exploring the packet delivery path

    RFC 4821 was written to help hosts work around this problem with Packetization Layer Path MTU Discovery (PLPMTUD). Instead of waiting for ICMP errors, the sender probes the path with progressively larger segments and treats successful delivery as the signal, gradually raising the Maximum Segment Size (MSS) to find the largest packet that passes from transmitter to receiver without fragmentation. This reduces the dependence on timely ICMP error messages and is available in most network stacks and client operating systems. Unfortunately it is not as efficient as being told the maximum packet size directly. So please let these ICMP messages return to the sender, okay?

    Time Exceeded

    IPv4 – Time Exceeded (Type 11, Code 0)
    IPv6 – Time Exceeded (Type 3, Code 0)

    Traceroute is a very useful tool for troubleshooting network connections between two hosts, detailing each step of the path.


    It sends a packet with the IP Time To Live (TTL) set to 1, so that the first router discards it and returns a Time Exceeded error carrying the router's own address; then it sends a packet with TTL 2, and so on, revealing each node along the path in turn.
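    The three mechanisms just described, PMTUD, its RFC 4821 fallback and traceroute, all hinge on what a router sends back when it cannot forward a packet. The following simulation is an added example and not part of the article: a toy hop-by-hop walk with assumed router addresses and MTUs (a 1400-byte tunnel in the middle) that shows the transfer stalling when Fragmentation Needed is filtered, PLPMTUD still finding 1400 at the cost of extra probes, and traceroute collecting the Time Exceeded senders.

```python
"""Added example, not from the article: a toy hop-by-hop walk of a path
that shows (1) why filtering Fragmentation Needed / Packet Too Big turns
a bulk transfer into a black hole, (2) how RFC 4821 probing recovers
without ICMP, and (3) how traceroute uses Time Exceeded. Router
addresses and MTUs are assumed values for the simulation."""
IP_HDR, TCP_HDR = 20, 20

# (router address, MTU of its outgoing link); the middle hop is a tunnel
PATH = [("10.1.0.1", 1500), ("10.1.0.2", 1400), ("10.1.0.3", 1500)]

def send(path, size, ttl=64, icmp_filtered=False):
    """Forward one DF datagram of `size` bytes. Each router decrements the
    TTL, then checks the packet against its link MTU. Returns (status,
    detail): ("delivered", None), ("time-exceeded", router),
    ("frag-needed", next_hop_mtu), or ("blackhole", None) when the ICMP
    error that should have come back was filtered on the way."""
    for router, mtu in path:
        ttl -= 1
        if ttl == 0:            # Time Exceeded (IPv4 type 11/0, IPv6 type 3/0)
            return ("blackhole", None) if icmp_filtered else ("time-exceeded", router)
        if size > mtu:          # Fragmentation Needed (IPv4 3/4) / Packet Too Big (IPv6 2/0)
            return ("blackhole", None) if icmp_filtered else ("frag-needed", mtu)
    return ("delivered", None)

def classic_pmtud(path, mtu=1500, icmp_filtered=False, max_retries=3):
    """Sender adopts the MTU carried in each Fragmentation Needed message.
    With those messages filtered it only sees silence, retransmits the same
    size and finally stalls: the handshake worked, the transfer hangs."""
    sent = 0
    for _ in range(max_retries + 1):
        status, hint = send(path, mtu, icmp_filtered=icmp_filtered)
        sent += 1
        if status == "delivered":
            return {"result": "ok", "mtu": mtu, "mss": mtu - IP_HDR - TCP_HDR, "sent": sent}
        if status == "frag-needed":
            mtu = hint
    return {"result": "stalled", "mtu": mtu, "mss": mtu - IP_HDR - TCP_HDR, "sent": sent}

def plpmtud(path, low=1280, high=1500, icmp_filtered=True):
    """RFC 4821: probe with different sizes and treat delivery (an ACK) as
    the only signal, so it works with every ICMP error filtered. `low` is
    assumed to always fit (IPv6 guarantees 1280). It costs more round trips
    than reading the MTU out of a single ICMP error."""
    sent = 1
    if send(path, high, icmp_filtered=icmp_filtered)[0] == "delivered":
        return {"result": "ok", "mtu": high, "mss": high - IP_HDR - TCP_HDR, "sent": sent}
    while high - low > 1:       # invariant: low fits, high does not
        probe = (low + high) // 2
        sent += 1
        if send(path, probe, icmp_filtered=icmp_filtered)[0] == "delivered":
            low = probe
        else:
            high = probe
    return {"result": "ok", "mtu": low, "mss": low - IP_HDR - TCP_HDR, "sent": sent}

def traceroute(path, max_hops=30):
    """Send small packets with TTL 1, 2, ... and collect who answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        status, detail = send(path, 64, ttl=ttl)
        if status != "time-exceeded":
            break
        hops.append(detail)
    return hops

if __name__ == "__main__":
    print("PMTUD, ICMP allowed :", classic_pmtud(PATH))
    print("PMTUD, ICMP filtered:", classic_pmtud(PATH, icmp_filtered=True))
    print("PLPMTUD, no ICMP    :", plpmtud(PATH))
    print("traceroute          :", traceroute(PATH))
```

    With the error message allowed, the sender learns the 1400-byte MTU from a single reply and settles on an MSS of 1360; with it filtered, classic PMTUD keeps retransmitting 1500-byte segments into the tunnel and gives up, while PLPMTUD reaches the same answer only after a binary search over probe sizes, which is the inefficiency the article mentions.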

    NDP and SLAAC (IPv6)

    Router Solicitation (RS) (Type133, Code0)
    Router Advertisement (RA) (Type134, Code0)
    Neighbor Solicitation (NS) (Type135, Code0)
    Neighbor Advertisement (NA) (Type136, Code0)
    Redirect (Type137, Code0)

    While IPv4 used Address Resolution Protocol (ARP) to map layers 2 and 3 of the OSI network model, IPv6 uses a different approach in the form of Neighbor Discovery Protocol (NDP). NDP provides many features including router discovery, prefix discovery, address resolution, and more. In addition to NDP, StateLess Address AutoConfiguration (SLAAC) allows you to dynamically configure a host on a network, similar to the concept of the Dynamic Host Configuration Protocol (DHCP) (though DHCPv6 is intended for more granular control).

    These five types of ICMP messages must not be blocked within your network (ignoring the outside perimeter) for the IP data transfer protocol to function correctly.

    ICMP Type Numbering

    The Internet Control Message Protocol (ICMP) contains many messages that are identified by the "type" field.

    Type   Name
    0      Echo Reply
    1      Unassigned
    2      Unassigned
    3      Destination Unreachable
    4      Source Quench (Deprecated)
    5      Redirect
    6      Alternate Host Address (Deprecated)
    7      Unassigned
    8      Echo
    9      Router Advertisement
    10     Router Solicitation
    11     Time Exceeded
    12     Parameter Problem
    13     Timestamp
    14     Timestamp Reply
    15     Information Request (Deprecated)
    16     Information Reply (Deprecated)
    17     Address Mask Request (Deprecated)
    18     Address Mask Reply (Deprecated)
    19     Reserved (for Security)
    20-29  Reserved (for Robustness Experiment)
    30     Traceroute (Deprecated)
    31     Datagram Conversion Error (Deprecated)
    32     Mobile Host Redirect (Deprecated)
    33     IPv6 Where-Are-You (Deprecated)
    34     IPv6 I-Am-Here (Deprecated)
    35     Mobile Registration Request (Deprecated)
    36     Mobile Registration Reply (Deprecated)
    37     Domain Name Request (Deprecated)
    38     Domain Name Reply (Deprecated)
    39     SKIP (Deprecated)
    40     Photuris
    41     ICMP messages utilized by experimental mobility protocols such as Seamoby
    42     Extended Echo Request
    43     Extended Echo Reply
    44-252 Unassigned
    253    RFC3692-style Experiment 1
    254    RFC3692-style Experiment 2
    255    Reserved

    A few words about rate limiting

    While the ICMP messages described in this article are very useful, remember that generating every one of them costs CPU time on your routers and creates traffic. Do you really expect 1000 pings per second through your firewall in normal operation? Would that count as normal traffic? Probably not. Rate-limit these ICMP types as you see fit; that step does help secure your network.

    Read, Research and Understand

    Considering that discussing the topic of “to block or not to block” ICMP packets always leads to confusion, disputes and disagreements, I suggest continuing to study this topic on your own. I have provided many links on this page; I believe that for a more complete understanding of the issues, you should spend time reading them. And make informed choices about what works best for your network.


    Blocking ping responses in the OS can prevent ICMP packet flooding attacks, but most systems use this service for online monitoring (system monitoring). In my topic “Block Ping (ICMP) responses in Unix/Linux” I will tell you how you can still turn it off.

    Blocking PING to a server is useful if the server is constantly facing some kind of DoS attack that uses PING. With iptables we can simply block ICMP packets (in effect, block PING) to the server. Before starting, you need an idea of what iptables is in Linux. Iptables is a firewall system with a set of rules that controls incoming and outgoing packets. By default, iptables works without any rules; you can create, add and edit rules.

    Disabling Ping using iptables

    An explanation of some of the parameters in iptables that are needed to create ICMP packet control rules:

    -A: Appends a rule to a chain.
    -D: Deletes a rule from a chain.
    -p: Specifies the protocol (here 'icmp').
    --icmp-type: Specifies the ICMP type (for example echo-request or echo-reply).
    -j: Jumps to a target (ACCEPT, DROP, REJECT).

    Below, I will give clear examples.

    How to block PING on a server with an error message?
    With REJECT you partially block PING: the request is refused, but the sender receives the error message “Destination Port Unreachable” (the default rejection for ICMP in iptables). Add the following iptables rule to block PING with an error message:

    # iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

    Block PING on the server without any error messages.
    To do this, use the following iptables commands:

    # iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

    These rules drop the listed echo packets on the server without any error message being sent; only the echo-request and echo-reply types named in the rules are affected, other ICMP messages still pass.

    Allow Ping using iptables

    If you blocked ping on the server and don’t know how to get it back, here is how to do it. Add the following rules to iptables:

    # iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    These rules will allow the passage of ICMP packets from and to the server.
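    As an added example (not code from the original article), here is a small model of the iptables rule sets quoted above and of the rate limiting suggested in the section on speed limits. It mimics first-match evaluation of the INPUT and OUTPUT chains and a token bucket like the "-m limit" module; it does not run iptables, and the limit values in LIMITED_RULES are constructed.

```python
# Added example, not code from the original article: a model of the iptables rules
# quoted above, to check offline which direction of ping each rule set affects. It
# mimics first-match semantics and the "-m limit" token bucket; it does not run iptables.
from dataclasses import dataclass

@dataclass
class Rule:
    chain: str                     # "INPUT" or "OUTPUT"
    icmp_type: str                 # "echo-request", "echo-reply", ...
    target: str                    # "ACCEPT", "DROP" or "REJECT"
    limit_per_sec: float = None    # models --limit N/second (None = unlimited)
    burst: int = 5                 # models --limit-burst (iptables default is 5)
    tokens: float = -1.0           # token bucket state, filled from burst on first use
    last: float = 0.0              # time of the last refill

def matches(rule, chain, icmp_type, now):
    # Chain and ICMP type must match; a limited rule must also have a token left.
    if rule.chain != chain or rule.icmp_type != icmp_type:
        return False
    if rule.limit_per_sec is None:
        return True
    rule.tokens = float(rule.burst) if rule.tokens < 0 else rule.tokens
    rule.tokens = min(rule.burst, rule.tokens + (now - rule.last) * rule.limit_per_sec)
    rule.last = now
    ok = rule.tokens >= 1.0
    rule.tokens -= 1.0 if ok else 0.0
    return ok                      # bucket empty: fall through to the next rule

def verdict(rules, chain, icmp_type, now=0.0):
    """First matching rule wins; with no match the chain policy (ACCEPT) applies."""
    for rule in rules:
        if matches(rule, chain, icmp_type, now):
            return rule.target
    return "ACCEPT"

def ping_to_server(rules, now=0.0):
    """A remote host pings the server: request arrives on INPUT, reply leaves on OUTPUT."""
    v = verdict(rules, "INPUT", "echo-request", now)
    return v if v != "ACCEPT" else verdict(rules, "OUTPUT", "echo-reply", now)

def ping_from_server(rules, now=0.0):
    """The server pings out: request leaves on OUTPUT, reply comes back on INPUT."""
    v = verdict(rules, "OUTPUT", "echo-request", now)
    return v if v != "ACCEPT" else verdict(rules, "INPUT", "echo-reply", now)
# The three rule sets from the article, plus a constructed rate-limited variant.
REJECT_RULES = [Rule("INPUT", "echo-request", "REJECT")]
DROP_RULES = [Rule("OUTPUT", "echo-request", "DROP"), Rule("INPUT", "echo-reply", "DROP")]
ACCEPT_RULES = [Rule("INPUT", "echo-request", "ACCEPT"), Rule("OUTPUT", "echo-reply", "ACCEPT")]
LIMITED_RULES = [Rule("INPUT", "echo-request", "ACCEPT", limit_per_sec=2.0, burst=3),
                 Rule("INPUT", "echo-request", "DROP")]   # at most 2/s, burst 3, rest dropped
```

    Running ping_to_server and ping_from_server against each rule set shows that the DROP pair only stops pings originating from the server, while the REJECT rule stops pings arriving at it.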

    Blocking Ping with Kernel Parameters

    We can also block ping responses directly with kernel parameters. You can block ping replies temporarily or permanently; both ways are shown below.

    Temporarily block Ping
    You can temporarily block ping replies using the following command

    # echo "1" >

    To unblock this command, run the following:

    # echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

    Deny Ping altogether
    You can block ping responses by adding the following parameter to the configuration file:

    # vim /etc/sysctl.conf

    And write:

    [...] net.ipv4.icmp_echo_ignore_all = 1 [...]

    sysctl is used to change kernel parameters at runtime. One of these parameters controls whether the kernel answers ping at all, so if you want to disable ping you just have to run something like:

    # sysctl -w net.ipv4.icmp_echo_ignore_all=1

    Now try to ping the machine, there are no responses, right? To re-enable ping, use:

    # sysctl -w net.ipv4.icmp_echo_ignore_all=0

    The -w flag is used when you want to write (change) a setting.

    Now run one of the following commands to apply the settings from the file immediately without rebooting the system (sysctl -p reads /etc/sysctl.conf, sysctl --system also reads the sysctl.d directories):

    # sysctl -p

    # sysctl --system

    Here is my full config:

    # cd /usr/local/src && wget http://site/wp-content/uploads/files/sysctl_conf.txt

    and then you can do:

    # cp /usr/local/src/sysctl_conf.txt /etc/sysctl.conf

    That's all for me, the topic “Block Ping (ICMP) responses in Unix/Linux” is completed.

    How can I configure computers running Windows 2000/XP/2003 to block Ping packets? Windows 2000/XP/2003 has a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol designed to protect individual TCP/IP packets as they are transmitted over a network.

    We will not go into detail about how IPSec works and is designed here; what matters is that, in addition to encryption, IPSec can also protect your server or workstation with a mechanism similar to a firewall.

    Blocking PING on a single computer

    To block all PING packets from and to a computer, we need to create an IPSec policy that will block all ICMP traffic. First, check if your computer responds to ICMP requests:

    To set up a single computer we need to follow these steps:

    Configuring the IP Filter Lists and Filter Actions

    1. Open an MMC window (Start > Run > MMC).
    2. Add the IP Security and Policy Management snap-in.
    3. Select which computer will be controlled by this policy - in our case it is a local computer. Click Close, then click Ok.
    4. Right-click on IP Security Policies in the left half of the MMC console. Select Manage IP Filter Lists and Filter Actions.
    5. You do not need to configure or create an IP filter for ICMP (the protocol in which PING works), since such a filter already exists by default - All ICMP Traffic.

    However, you can configure an arbitrarily complex IP filter, for example, prohibit pinging your computer from all IPs, except for a few specific ones. In one of the next articles on IPSec, we will take a closer look at creating IP filters, stay tuned.

    6. In the Manage IP Filter Lists and Filter Actions window, review your filters and if everything is in order, click on the Manage Filter Actions tab. Now we need to add a filter action that will block certain traffic, click Add.
    7. In the first welcome window, click Next.
    8. In the Filter Action Name field, enter Block and click Next.
    9. In Filter Action General Options, select Block, then click Next.
    10. Go back to the Manage IP Filter Lists and Filter Actions window and review your filters and if everything is ok, click Close. You can add filters and filter actions at any time.

    The next step is to configure the IPSec policy and apply it.

    Configuring the IPSec policy

    1. In the same MMC console, right-click on IP Security Policies and select Create IP Security Policy.
    2. Skip the wizard's greeting by clicking Next.
    3. In the IP Security Policy Name field, enter a name appropriate to the case, for example “Block PING”. Click Next.
    4. In the Secure Connection Requests window, uncheck the Activate the Default Response Rule checkbox. Click Next.
    5. Check the Edit properties checkbox and click Finish.
    6. We need to add IP filters and filter actions to the new IPSec policy. In the New IPSec Policy window, click Add.
    7. Click Next.
    8. In the Tunnel Endpoint window, make sure the default value is selected and click Next.