ICMP filter on Router?

Date: Wed, 25 Sep 2002 03:21:15 +0100

Hi,

I'm just starting to set up a firewall on my Linux box, and I've run
into a problem.

I want to set up an ICMP filter, but can't do it using software, because
my router doesn't forward ICMP requests to ipchains.

I can construct basic TCP filters on the Router, but when it comes to
the (so called) "Generic" filters, I haven't got a clue.

Here's what I've got just now:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
# -A input -s 0/0 -d 0/0 80 -p tcp -y -l -j ACCEPT # http
# -A input -s 0/0 -d 0/0 21 -p tcp -y -l -j ACCEPT # ftp
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
# Syslog
-A input -s 192.168.0.1/255.255.255.0 -d 192.168.0.2/255.255.255.0 514 -p udp -i eth0 -j ACCEPT
# loop
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
# socks
-A input -p tcp -s 0/0 -d 0/0 1080 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
# UPnP
-A input -p tcp -s 0/0 -d 0/0 5000 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 8080 -j REJECT
# Trojans
-A input -p tcp -s 0/0 -d 0/0 1243 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 1999 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6776 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7789 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 12345 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 31337 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 54320 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 54321 -j REJECT
# ICMP ( Ping - Pong )
# (left commented out; ipchains spells the option --icmp-type and has no ALLOW target, so ACCEPT/DENY are used here)
# -A input -p icmp --icmp-type echo-request -s 0/255.255.255.0 -j ACCEPT
# -A input -p icmp --icmp-type echo-request -j DENY

I commented out the icmp stuff because, of course, it won't work. Instead
I have this on the Router:

                         Menu 21.3 - Filter Rules Summary

# A Type Filter Rules
  M m n
- - - --------------------------------------------------
1 Y IP Pr=0, SA=0.0.0.0, DA=0.0.0.0 Y D N
2 Y IP Pr=1, SA=0.0.0.0, DA=0.0.0.0 N F N
3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP>1023 N F N
4 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP>1023 N F N
5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=53 N F N
6 N IP Pr=0, SA=0.0.0.0, DA=0.0.0.0 N N N

Rule 2, is the important one. The details page looks like this:

                          Menu 21.3.2 - TCP/IP Filter Rule

                     Filter #: 3,2
                     Filter Type= TCP/IP Filter Rule
                     Active= Yes
                     IP Protocol= 1 IP Source Route= No
                     Destination: IP Addr= 0.0.0.0
                                  IP Mask= 0.0.0.0
                                  Port #=
                                  Port # Comp= None
                          Source: IP Addr= 0.0.0.0
                                  IP Mask= 255.255.255.0
                                  Port #=
                                  Port # Comp= None
                     TCP Estab= N/A
                     More= No Log= None
                     Action Matched= Forward
                     Action Not Matched= Check Next Rule

And so on through the rest of the chain, until remote icmp packets get
dropped. However, I don't want to filter all icmp, just the pings, but
unfortunately the Router doesn't allow for that in "simple" mode. To
construct that kind of filter, I need to create a proper packet
filtering rule ... like this:

                         Menu 21.4 - Filter Rules Summary

# A Type Filter Rules
  M m n
- - - --------------------------------------------------
1 Y Gen Off=2, Len=2, Mask=ffff, Value=0021 N N F
2 Y Gen Off=4, Len=1, Mask=ff, Value=45 N N D
3 Y Gen Off=13, Len=1, Mask=ff, Value=06 N F N
4 Y Gen Off=13, Len=1, Mask=ff, Value=11 N F N
5 N
6 N

And don't ask me what it means, 'cos I haven't got a clue. I just copied
this from http://www.vex.net/~wadialix/security/netgear.html and it
doesn't work.

Can someone please help me out here? I need to know how to construct a
basic icmp echo-request filter using the above format .. whatever *that* is.

I want to allow all outgoing icmp originating from my network, but deny
echo-requests from everywhere else.

TIA,

[H]omer.

PS - The Router's a Netgear RT338 ISDN model, and the manual is crap.
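The "Generic" rules quoted above compare a few bytes at a fixed offset of the frame, masked, against a value, and then pick Forward, Drop or Check-next-rule. The following is an added example (my own code, not from the original post and not Netgear's or the page it was copied from) that models that evaluation so you can see what each quoted rule actually tests and what a rule for ICMP echo requests would need to look at. Everything about the frame layout is an assumption inferred from the quoted rules themselves: protocol 0x0021 at offset 2 and the IP version/IHL byte 0x45 at offset 4 only make sense if the filter sees a PPP frame with a 4-byte header, so the IP protocol byte is at offset 13 (4 + 9) and, with a 20-byte IP header, the ICMP type byte at offset 24. The M/m/n column meanings (More, Action Matched, Action Not Matched; F=Forward, D=Drop, N=Check Next Rule) are taken from the detail page shown in the post; the end-of-chain default is a parameter because the post does not state it.

```python
"""Toy evaluator for ZyXEL/Netgear-style "Generic" (Off/Len/Mask/Value) filter rules.

Added example, not code from the original post or from the router vendor.
Assumptions (inferred from the rules quoted in the post, not documented facts):
  * a rule compares `Len` bytes at byte offset `Off` of the frame, ANDed with
    `Mask`, against `Value`;
  * the frame starts with a 4-byte PPP header (addr/ctrl + protocol 0x0021),
    so the IPv4 header begins at offset 4;
  * M/m/n = More / Action Matched / Action Not Matched, F=Forward, D=Drop,
    N=Check next rule.  More=Y chaining is not modelled.
"""
import re
import struct
from dataclasses import dataclass

PPP_HEADER = bytes.fromhex("ff03" "0021")  # constructed: HDLC addr/ctrl + PPP proto "IP"
IP_OFFSET = len(PPP_HEADER)                # 4: where the IPv4 header starts in the frame


@dataclass
class GenRule:
    off: int
    length: int
    mask: int
    value: int
    matched: str      # 'F', 'D' or 'N'
    not_matched: str  # 'F', 'D' or 'N'


RULE_RE = re.compile(
    r"Off=(\d+), Len=(\d+), Mask=([0-9a-fA-F]+), Value=([0-9a-fA-F]+)\s+(\w)\s+(\w)\s+(\w)"
)


def parse_rule(text):
    """Parse one summary line, e.g. '3 Y Gen Off=13, Len=1, Mask=ff, Value=06 N F N'."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("not a generic filter line: %r" % text)
    off, length, mask, value, _more, act_m, act_n = m.groups()
    return GenRule(int(off), int(length), int(mask, 16), int(value, 16), act_m, act_n)


def rule_matches(rule, frame):
    """True when the masked bytes at rule.off equal rule.value."""
    chunk = frame[rule.off:rule.off + rule.length]
    if len(chunk) < rule.length:
        return False  # frame too short to contain the field: treat as no match
    return (int.from_bytes(chunk, "big") & rule.mask) == rule.value


def evaluate(rules, frame, default="F"):
    """Walk the chain top to bottom; return 'F' (forward) or 'D' (drop)."""
    for rule in rules:
        action = rule.matched if rule_matches(rule, frame) else rule.not_matched
        if action in ("F", "D"):
            return action
    return default  # assumption: what the router does after the last rule


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(proto, payload, src="10.0.0.2", dst="192.168.0.2"):
    """Constructed PPP frame: 4-byte PPP header + 20-byte IPv4 header (no options) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip4(src), _ip4(dst))
    return PPP_HEADER + hdr + payload


def echo_request_frame():
    return build_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))  # ICMP type 8


def echo_reply_frame():
    return build_frame(1, struct.pack("!BBHHH", 0, 0, 0, 1, 1))  # ICMP type 0


def tcp_syn_frame():
    return build_frame(6, struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 8192, 0, 0))


# The four rules quoted in the post (copied from the netgear.html page).
POSTED_RULES = [parse_rule(l) for l in """
1 Y Gen Off=2, Len=2, Mask=ffff, Value=0021 N N F
2 Y Gen Off=4, Len=1, Mask=ff, Value=45 N N D
3 Y Gen Off=13, Len=1, Mask=ff, Value=06 N F N
4 Y Gen Off=13, Len=1, Mask=ff, Value=11 N F N
""".strip().splitlines()]

# Constructed candidate set for an inbound filter: drop ICMP echo requests, forward everything else.
# Offset 24 assumes a 20-byte IP header (IHL=5); packets carrying IP options would shift the type byte.
ICMP_RULES = [parse_rule(l) for l in """
1 Y Gen Off=2, Len=2, Mask=ffff, Value=0021 N N F
2 Y Gen Off=13, Len=1, Mask=ff, Value=01 N N F
3 Y Gen Off=24, Len=1, Mask=ff, Value=08 N D F
""".strip().splitlines()]


if __name__ == "__main__":
    for name, frame in [("echo request", echo_request_frame()),
                        ("echo reply", echo_reply_frame()),
                        ("tcp syn", tcp_syn_frame())]:
        print("%-12s posted=%s icmp_rules=%s" % (name, evaluate(POSTED_RULES, frame),
                                                 evaluate(ICMP_RULES, frame)))
```

Two caveats on the candidate rule set: the "only from everywhere else" part of the requirement is not expressed in the rules themselves but by which filter set the router applies to the WAN side's incoming traffic, which this model does not cover; and a rule keyed on offset 24 silently stops matching if the IP header carries options, so a stricter set would also drop (or inspect separately) frames whose byte at offset 4 is not 0x45.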
