# July 2013-era recommendations for filtering ICMP messages from an IETF WG.
# (Table updated by JEH, but mostly based on
# https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04)
#
# +-------------------------------+----------+-----------+------------+
# | ICMPv4 Message                | Sourced  | Through   | Destined   | ICMP
# |                               | from     | Device    | to Device  | Type/Code
# |                               | Device   |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-net            | Rate-L   | Rate-L    | Rate-L     | 3/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-host           | Rate-L   | Rate-L    | Rate-L     | 3/1
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-proto          | Rate-L   | Deny      | Rate-L     | 3/2
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-port           | Rate-L   | Deny      | Rate-L     | 3/3
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-frag-needed    | Send     | Permit    | Rate-L     | 3/4
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-src-route      | Rate-L   | Deny      | Rate-L     | 3/5
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-net-unknown    | Deny     | Deny      | Deny       | 3/6
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-host-unknown   | Rate-L   | Deny      | Ignore     | 3/7
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-host-isolated  | Deny     | Deny      | Deny       | 3/8
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-net-admin-prohib       | Deny     | Deny      | Deny       | 3/9
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-host-admin-prohib      | Deny     | Deny      | Deny       | 3/10
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-net-tos        | Rate-L   | Deny      | Rate-L     | 3/11
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-host-tos       | Rate-L   | Deny      | Rate-L     | 3/12
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-admin          | Rate-L   | Rate-L    | Rate-L     | 3/13
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-prec-violation | Rate-L   | Rate-L    | Rate-L     | 3/14
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-unreach-prec-cutoff    | Rate-L   | Rate-L    | Rate-L     | 3/15
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-quench                 | Deny     | Deny      | Deny       | 4/0
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-redirect-net           | Rate-L   | Deny      | Rate-L     | 5/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-redirect-host          | Rate-L   | Deny      | Rate-L     | 5/1
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-redirect-tos-net       | Rate-L   | Deny      | Rate-L     | 5/2
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-redirect-tos-host      | Rate-L   | Deny      | Rate-L     | 5/3
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-timed-ttl              | Rate-L   | Permit    | Rate-L     | 11/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-timed-reass            | Rate-L   | Permit    | Rate-L     | 11/1
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-parameter-pointer      | Rate-L   | Rate-L    | Rate-L     | 12/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-option-missing         | Rate-L   | Rate-L    | Rate-L     | 12/1
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-req-echo-message       | Rate-L   | Permit    | Rate-L     | 8/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-req-echo-reply         | Rate-L   | Permit    | Rate-L     | 0/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-req-router-sol         | Rate-L   | Deny      | Rate-L     | 10/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-req-router-adv         | Rate-L   | Deny      | Rate-L     | 9/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-req-timestamp-message  | Rate-L   | Deny      | Rate-L     | 13/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-req-timestamp-reply    | Rate-L   | Deny      | Rate-L     | 14/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-info-message           | Deny     | Deny      | Deny       | 15/0
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-info-reply             | Deny     | Deny      | Deny       | 16/0
# | (Depr)                        |          |           |            |
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-mask-request           | Rate-L   | Deny      | Rate-L     | 17/0
# +-------------------------------+----------+-----------+------------+
# | ICMPv4-mask-reply             | Rate-L   | Deny      | Rate-L     | 18/0
# +-------------------------------+----------+-----------+------------+
#
# Rate limiting:
# RFC 1812 (https://tools.ietf.org/html/rfc1812#section-4.3.2.8)
# provides only vague guidance.
#
# The IPv6 ICMP RFC 4443 (https://tools.ietf.org/html/rfc4443, section 2.4) says:
# Rate-limiting of forwarded ICMP messages is out of scope of this
# specification.
#
# A recommended method for implementing the rate-limiting function
# is a token bucket, limiting the average rate of transmission to
# N, where N can be either packets/second or a fraction of the
# attached link's bandwidth, but allowing up to B error messages to
# be transmitted in a burst, as long as the long-term average is
# not exceeded.
#
# Rate-limiting mechanisms that cannot cope with bursty traffic
# (e.g., traceroute) are not recommended; for example, a simple
# timer-based implementation, allowing an error message every T
# milliseconds (even with low values for T), is not reasonable.
#
# The rate-limiting parameters SHOULD be configurable. In the case
# of a token-bucket implementation, the best defaults depend on
# where the implementation is expected to be deployed (e.g., a
# high-end router vs. an embedded host). For example, in a
# small/mid-size device, the possible defaults could be B=10,
# N=10/s.
#
# Linux already rate-limits the ICMP messages it generates itself: sysctl
# net.ipv4.icmp_ratelimit (default 1000, i.e. one message per second per
# destination, token-bucket style) applied to the types selected by
# net.ipv4.icmp_ratemask (default 6168 = types 3, 4, 11 and 12). The
# "Sourced from Device" column is therefore left to the kernel. Nothing is
# rate-limited on receipt or in the forwarding path, so the Rate-L cells in
# the "Through" and "Destined to Device" columns are approximated by plain
# ACCEPT below; sensible forwarding rates are very network dependent and are
# not set here.
#
# The chains below are only defined, not attached: they take effect once
# INPUT and OUTPUT jump to HOSTICMPFILTER and FORWARD jumps to NETICMPFILTER.

# The input/output ICMP filtering rules ("Sourced from" / "Destined to" columns).
# Anything not listed, including the deprecated types (3/6, 3/8, 3/9, 3/10,
# 4/0, 15/0, 16/0), falls through to the final DROP.
iptables -N HOSTICMPFILTER
# Destination Unreachable; 3/4 (frag-needed) must get through or PMTUD breaks.
# 3/7 is "Ignore" for a host, so accepting it is harmless.
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/1 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/2 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/5 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/7 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/11 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/12 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/13 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/14 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 3/15 -j ACCEPT
# Redirect
iptables -A HOSTICMPFILTER -p icmp --icmp-type 5/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 5/1 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 5/2 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 5/3 -j ACCEPT
# Time Exceeded (traceroute relies on 11/0)
iptables -A HOSTICMPFILTER -p icmp --icmp-type 11/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 11/1 -j ACCEPT
# Parameter Problem
iptables -A HOSTICMPFILTER -p icmp --icmp-type 12/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 12/1 -j ACCEPT
# Echo Request / Echo Reply
iptables -A HOSTICMPFILTER -p icmp --icmp-type 8/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 0/0 -j ACCEPT
# Router Solicitation / Advertisement
iptables -A HOSTICMPFILTER -p icmp --icmp-type 10/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 9/0 -j ACCEPT
# Timestamp Request / Reply
iptables -A HOSTICMPFILTER -p icmp --icmp-type 13/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 14/0 -j ACCEPT
# Address Mask Request / Reply
iptables -A HOSTICMPFILTER -p icmp --icmp-type 17/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp --icmp-type 18/0 -j ACCEPT
iptables -A HOSTICMPFILTER -p icmp -j DROP

# The forward ICMP filtering rules ("Through Device" column).
# Redirects, router/timestamp/mask messages and the deprecated types are not
# forwarded and fall through to the final DROP.
iptables -N NETICMPFILTER
# Destination Unreachable (only net, host, frag-needed, admin and precedence)
iptables -A NETICMPFILTER -p icmp --icmp-type 3/0 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 3/1 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 3/13 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 3/14 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 3/15 -j ACCEPT
# Time Exceeded
iptables -A NETICMPFILTER -p icmp --icmp-type 11/0 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 11/1 -j ACCEPT
# Parameter Problem
iptables -A NETICMPFILTER -p icmp --icmp-type 12/0 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 12/1 -j ACCEPT
# Echo Request / Echo Reply
iptables -A NETICMPFILTER -p icmp --icmp-type 8/0 -j ACCEPT
iptables -A NETICMPFILTER -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A NETICMPFILTER -p icmp -j DROP
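The rules above turn every Rate-L cell into a plain ACCEPT and leave the chains unattached. The script below is an added example, not part of the original script: it generates both chains from the table and makes the Rate-L cells real token buckets with iptables' hashlimit match, using the RFC 4443 small-device defaults quoted above (B=10 burst, N=10/s average). It only prints iptables commands, so it can be reviewed or diffed before being piped to a root shell. Assumptions that are this example's own: the helper names emit_rule, build_chain and emit_hooks, the one-letter bucket tags h and n, keying the buckets on destination address (per-source is equally reasonable for requests), and building HOSTICMPFILTER from the "Sourced" column so that 3/4 is never rate-limited (that column differs from "Destined" only at 3/4 and 3/7).

```shell
#!/bin/sh
# Added example (not from the original script): build HOSTICMPFILTER and
# NETICMPFILTER from the policy table, mapping Rate-L cells to hashlimit
# token buckets (B=10, N=10/s, per destination address: all assumptions).

# type/code  Sourced  Through  Destined   (copied from the table above)
ICMP_POLICY='
3/0  Rate-L Rate-L Rate-L
3/1  Rate-L Rate-L Rate-L
3/2  Rate-L Deny   Rate-L
3/3  Rate-L Deny   Rate-L
3/4  Send   Permit Rate-L
3/5  Rate-L Deny   Rate-L
3/6  Deny   Deny   Deny
3/7  Rate-L Deny   Ignore
3/8  Deny   Deny   Deny
3/9  Deny   Deny   Deny
3/10 Deny   Deny   Deny
3/11 Rate-L Deny   Rate-L
3/12 Rate-L Deny   Rate-L
3/13 Rate-L Rate-L Rate-L
3/14 Rate-L Rate-L Rate-L
3/15 Rate-L Rate-L Rate-L
4/0  Deny   Deny   Deny
5/0  Rate-L Deny   Rate-L
5/1  Rate-L Deny   Rate-L
5/2  Rate-L Deny   Rate-L
5/3  Rate-L Deny   Rate-L
11/0 Rate-L Permit Rate-L
11/1 Rate-L Permit Rate-L
12/0 Rate-L Rate-L Rate-L
12/1 Rate-L Rate-L Rate-L
8/0  Rate-L Permit Rate-L
0/0  Rate-L Permit Rate-L
10/0 Rate-L Deny   Rate-L
9/0  Rate-L Deny   Rate-L
13/0 Rate-L Deny   Rate-L
14/0 Rate-L Deny   Rate-L
15/0 Deny   Deny   Deny
16/0 Deny   Deny   Deny
17/0 Rate-L Deny   Rate-L
18/0 Rate-L Deny   Rate-L
'

# emit_rule CHAIN TAG TYPE/CODE ACTION: print the iptables rule for one cell.
# Deny prints nothing, because the chain's final DROP already covers it.
emit_rule() {
  chain=$1 tag=$2 tc=$3 action=$4
  case $action in
    Permit|Send|Ignore)
      echo "iptables -A $chain -p icmp --icmp-type $tc -j ACCEPT" ;;
    Rate-L)
      # One bucket table per (chain, type/code). Names are kept short because
      # the kernel limits hashlimit table names to 15 characters.
      name="$tag$(printf '%s' "$tc" | tr / _)"
      echo "iptables -A $chain -p icmp --icmp-type $tc -m hashlimit --hashlimit-name $name --hashlimit-mode dstip --hashlimit-upto 10/sec --hashlimit-burst 10 -j ACCEPT" ;;
    Deny) ;;
    *) echo "unknown action '$action' for $tc" >&2; return 1 ;;
  esac
}

# build_chain CHAIN TAG COLUMN: COLUMN is 1 (Sourced), 2 (Through) or 3 (Destined).
build_chain() {
  chain=$1 tag=$2 col=$3
  echo "iptables -N $chain"
  printf '%s\n' "$ICMP_POLICY" | while read -r tc s t d; do
    if [ -z "$tc" ]; then continue; fi
    case $col in 1) a=$s ;; 2) a=$t ;; 3) a=$d ;; esac
    emit_rule "$chain" "$tag" "$tc" "$a"
  done
  echo "iptables -A $chain -p icmp -j DROP"
}

# emit_hooks: attach the chains; the original script defines them but never jumps to them.
emit_hooks() {
  echo "iptables -A INPUT   -p icmp -j HOSTICMPFILTER"
  echo "iptables -A OUTPUT  -p icmp -j HOSTICMPFILTER"
  echo "iptables -A FORWARD -p icmp -j NETICMPFILTER"
}

# HOSTICMPFILTER is built from the Sourced column so 3/4 (needed for PMTUD)
# is never rate-limited; NETICMPFILTER from the Through column.
build_chain HOSTICMPFILTER h 1
build_chain NETICMPFILTER n 2
emit_hooks
```

Keying the buckets on destination address (--hashlimit-mode dstip) means a burst of errors aimed at one host exhausts only that host's budget, which is the same per-peer behaviour the kernel's own icmp_ratelimit has; a single global bucket would be `-m limit --limit 10/s --limit-burst 10` instead. Run the script and pipe its output to a root shell to apply the rules.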