by A J Kenned » Tue, 17 Apr 2001 11:38:01
I would liked to know the process via ipchains to filter icmp
requests to & from my machine. I nessus scan returns the following info
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
I have looked up info on this but i couldnt find alot. Ideally i would like
to be able to ping my machnie from internal 192.x.x.x network & from my work
machine.
--
Regards...
Andrew
by Tr?ütm » Tue, 17 Apr 2001 13:37:25
http://muse.linuxmafia.org/lost+found/icmp-types.htmlQuote:>Solution : filter out the icmp timestamp
>requests (13), and the outgoing icmp
>timestamp replies (14).
>I have looked up info on this but i couldnt find alot. Ideally i would
>like to be able to ping my machnie from internal 192.x.x.x network &
>from my work machine.
From the ipchains man page:
-s, --source [!] address[/mask] [!] [port[:port]]
Source specification. Address can be either a hostname, a
network name, or a plain IP address. The mask can be
either a network mask or a plain number, specifying the
number of 1's at the left side of the network
mask. Thus, a mask of 24 is equivalent to 255.255.255.0.
A "!" argument before the address specification inverts the
sense of the address. The source may include a port
specification or ICMP type. This can either be a service
name, a port number, a numeric ICMP type, or one of
the ICMP type names shown by the command
ipchains -h icmp Note that many of these ICMP names refer
to both a type and code, meaning that an ICMP code after
the -d flag is illegal. In the rest of this paragraph,
a port means either a port specification or an
ICMP type. An inclusive range is can also be specified,
using the format port:port. If the first port is omitted,
"0" is assumed; if the last is omitted, "65535" is assumed.
Ports may only be specified in combination with the tcp,
udp, or icmp protocols. A "!" before the port
specification inverts the sense. When the check command is
specified, exactly one port is required, and if the
-f (fragment) flag is specified, no ports are allowed. The
flag --src is a convenience alias for this option.
HTH
--
______________________________
Mike Troutman
http://www.troutman.org
http://www.zen-data.com
by Manfred Bart » Tue, 17 Apr 2001 14:44:48
I use the script below, modify to suit.Quote:> I would liked to know the process via ipchains to filter icmp
> requests to & from my machine. I nessus scan returns the following
> info
> Solution : filter out the icmp timestamp
> requests (13), and the outgoing icmp
> timestamp replies (14).
> I have looked up info on this but i couldnt find alot. Ideally i
> would like to be able to ping my machnie from internal 192.x.x.x
> network & from my work machine.
# allow useful ICMP packets
for t in echo-reply \
destination-unreachable \
time-exceeded \
parameter-problem
do
ipchains -A ICMPpkts $IFINET -p icmp --icmp-type $t -j ACCEPT
done
# heartbeat from x.y.com, 1 every 10 minutes
ipchains -A ICMPpkts $IFINET -p icmp --icmp-type echo-request \
-s x.x.x.x -j DENY -l
# other pings, drop without logging
ipchains -A ICMPpkts $IFINET -p icmp --icmp-type echo-request \
-j DENY
# deny all remaining ICMP packets
ipchains -A ICMPpkts $IFINET -j DENY -l
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
NEW: <http://logi.cc/linux/NetfilterLogAnalyzer.php3>
by Davi » Tue, 17 Apr 2001 15:29:46
> Hello,
> I would liked to know the process via ipchains to filter icmp
> requests to & from my machine. I nessus scan returns the following info
> Solution : filter out the icmp timestamp
> requests (13), and the outgoing icmp
> timestamp replies (14).
> I have looked up info on this but i couldnt find alot. Ideally i would like
> to be able to ping my machnie from internal 192.x.x.x network & from my work
> machine.
> --
> Regards...
> Andrew
# ICMP TIMESTAMP OUTBOUND ------------------------------
# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help
# stop OS fingerprinting) $EXTERNALIP
#
echo " Optional parameter: ICMP TIMESTAMP outbound filtered"
ipchains -A output -j REJECT -i $EXTDEV -p icmp -s $EXTERNALIP -d
$ANYWHERE --icmp-type timestamp-request -l
ipchains -A output -j REJECT -i $EXTDEV -p icmp -s $EXTERNALIP -d
$ANYWHERE --icmp-type timestamp-reply -l
--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter. http://counter.li.org
ID # 123538
Completed more W/U's than 99.162% of seti users. +/- 0.01%
1. ipchains - blocking outgoing ICMP/UDP
Hello,
I run a public shell box and I want to prevent my users from launching a
denial of service attack from my server. Would blocking outgoing ICMP and
UDP do any good? What types of ICMP can I block without running into
problems other than type 3, echo request?
I really don't need UDP as I run no UDP services and I hear UDP also has
echo requests.
Also, What types of ICMP can I block incoming to me other than type 3
without running into problems?
Also, is there a way to prevent spoofed packets from going outbound?
Is there a better way to defend against SYN floods other than using SYN
cookies?
Would iptables do a better job of what I need rather than ipchains? The
firewall will be used to defend the computer it runs on, no masquerdaing or
network behind it.
Any help would be appreciated.
- Krish
--
I have not failed 10,000 times. I have successfully found 10,000 ways that
will not work. --Thomas A. Edison
2. interrupt handling, PLEASE HELP!
3. How to block ICMP redirects using ipchains
6. Netscape
7. Blocking icmp with IPCHAINS!!
8. Using multiple hardrives as one partition.
9. ipchains: icmp "port" 8 to "port" 0
10. "ICMP: failed checksum", IPCHAINS and p2p
11. ipchains: masq internal ICMP but deny ext?
12. ICMP, IPChains and logging
13. Help needed w/ Ipchains & ICMP blocking