Mailing List Archive: iptables: User

icmp-type question

Index | Next | Previous | View Threaded

ross.cameron at linuxpro

Jun 27, 2007, 9:27 AM

Post #1 of 5 (1233 views)
Permalink

icmp-type question

Hi there list,...

I need to block all
timestamp-request and
timestamp-reply

On eth0 (Inet facing fast ethernet segment on a multi homed Linux
router) but not on eth1 (LAN facing range).

Ive played with it a bit but cant get it to behave,.. I can
selectively filter all other ICMP correctly.
Its been 4weeks of playing and googling and im at my wits end! Plz help.

Ciao ciao and many thanks
Ross

xktnniuymlla at mailinator

Jun 27, 2007, 10:09 AM

Post #2 of 5 (1163 views)
Permalink

Re: icmp-type question [In reply to]

Ross Cameron wrote:
> Hi there list,...
>
> I need to block all
> timestamp-request and
> timestamp-reply
>
> On eth0 (Inet facing fast ethernet segment on a multi homed Linux
> router) but not on eth1 (LAN facing range).
>

I don't know how to test this so here's a guess. Hope it works.

Drop requests from the internet:
iptables -A input -p icmp --icmp-type timestamp-request -i eth0 -j DROP

My thought is that if no timestamp requests are accepted no timestamp
replies would be generated. In case that's an invalid assumption you
could also filter the output chain.

...and drop answers to the internet:
iptables -A output -p icmp --icmp-type timestamp-reply -o eth0 -j DROP

Depending on what else you are doing you may need matching rules in your
forward chains, too.

:m)

gtaylor at riverviewtech

Jun 27, 2007, 12:16 PM

Post #3 of 5 (1164 views)
Permalink

Re: icmp-type question [In reply to]

On 6/27/2007 12:09 PM, Mike Wright wrote:
> My thought is that if no timestamp requests are accepted no timestamp
> replies would be generated. In case that's an invalid assumption you
> could also filter the output chain.

*nod*

> Depending on what else you are doing you may need matching rules in your
> forward chains, too.

This is why a (sub)chain to do the filtering is nice. Jump to the same
(sub)chain from both filter:INPUT and filter:FORWARD and return out of
it with any traffic that passes back to the rule after the one that
jumped in to it. Just have your (sub)chain DROP the packet if it does
match and allow all non-matching traffic to fall off the end and RETURN.
Seeing as how it is a (sub)chain, I don't think you can set a policy
of RETURN and you would have to create a rule to RETURN, but this is a
non-issue.

Grant. . . .

ross.cameron at linuxpro

Jun 28, 2007, 12:48 AM

Post #4 of 5 (1158 views)
Permalink

Re: icmp-type question [In reply to]

On 27/06/07, Grant Taylor <gtaylor [at] riverviewtech> wrote:
> On 6/27/2007 12:09 PM, Mike Wright wrote:
> > Depending on what else you are doing you may need matching rules in your
> > forward chains, too.
>
> This is why a (sub)chain to do the filtering is nice. Jump to the same
> (sub)chain from both filter:INPUT and filter:FORWARD and return out of
> it with any traffic that passes back to the rule after the one that
> jumped in to it. Just have your (sub)chain DROP the packet if it does
> match and allow all non-matching traffic to fall off the end and RETURN.
> Seeing as how it is a (sub)chain, I don't think you can set a policy
> of RETURN and you would have to create a rule to RETURN, but this is a
> non-issue.

How do you create sub-chains?
I've heard the term before but never found an example that uses it.

Many thanks for all the advice guys.

max at rfc2324

Jun 28, 2007, 3:26 AM

Post #5 of 5 (1147 views)
Permalink

Re: icmp-type question [In reply to]

Am Thursday, den 28 June hub Ross Cameron folgendes in die Tasten:

[filter icmp timestamp-*]

> How do you create sub-chains?
> I've heard the term before but never found an example that uses it.

This is a simple task:

iptables -N yourChainName

For your problem:

iptables -N icmp_timestamp
iptables -A icmp_timestamp -p icmp --icmp-type timestamp-request -j REJECT --reject-with icmp-admin-prohibited
iptables -A icmp_timestamp -p icmp --icmp-type timestamp-reply -j REJECT --reject-with icmp-admin-prohibited

iptables -A INPUT -i eth0 -p icmp -j icmp_timestamp
iptables -A OUTPUT -o eth0 -p icmp -j icmp_timestamp

(The interesting question here might be if it is wise to put these two
simple rules in a subchain when thinking about rule processing
speed.)

HTH
Ciao
Max
--
Follow the white penguin.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads