* icmp-type question
[not found] <35f70db10706270926u708cc4f4ta0a962ca219ce91e@mail.gmail.com>
@ 2007-06-27 16:27 ` Ross Cameron
2007-06-27 17:09 ` Mike Wright
0 siblings, 1 reply; 5+ messages in thread
From: Ross Cameron @ 2007-06-27 16:27 UTC (permalink / raw)
To: netfilter
Hi there list,...
I need to block all
timestamp-request and
timestamp-reply
On eth0 (Inet facing fast ethernet segment on a multi homed Linux
router) but not on eth1 (LAN facing range).
I've played with it a bit but can't get it to behave... I can
selectively filter all other ICMP correctly.
It's been 4 weeks of playing and googling and I'm at my wits' end! Please help.
Ciao ciao and many thanks
Ross
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: icmp-type question
2007-06-27 16:27 ` icmp-type question Ross Cameron
@ 2007-06-27 17:09 ` Mike Wright
2007-06-27 19:16 ` Grant Taylor
0 siblings, 1 reply; 5+ messages in thread
From: Mike Wright @ 2007-06-27 17:09 UTC (permalink / raw)
To: netfilter
Ross Cameron wrote:
> Hi there list,...
>
> I need to block all
> timestamp-request and
> timestamp-reply
>
> On eth0 (Inet facing fast ethernet segment on a multi homed Linux
> router) but not on eth1 (LAN facing range).
>
I don't know how to test this so here's a guess. Hope it works.
Drop requests from the internet:
iptables -A INPUT -p icmp --icmp-type timestamp-request -i eth0 -j DROP
My thought is that if no timestamp requests are accepted no timestamp
replies would be generated. In case that's an invalid assumption you
could also filter the output chain.
...and drop answers to the internet:
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -o eth0 -j DROP
Depending on what else you are doing you may need matching rules in your
forward chains, too.
:m)
* Re: icmp-type question
2007-06-27 17:09 ` Mike Wright
@ 2007-06-27 19:16 ` Grant Taylor
2007-06-28 7:48 ` Ross Cameron
0 siblings, 1 reply; 5+ messages in thread
From: Grant Taylor @ 2007-06-27 19:16 UTC (permalink / raw)
To: Mail List - Netfilter
On 6/27/2007 12:09 PM, Mike Wright wrote:
> My thought is that if no timestamp requests are accepted no timestamp
> replies would be generated. In case that's an invalid assumption you
> could also filter the output chain.
*nod*
> Depending on what else you are doing you may need matching rules in your
> forward chains, too.
This is why a (sub)chain to do the filtering is nice. Jump to the same
(sub)chain from both filter:INPUT and filter:FORWARD and return out of
it with any traffic that passes back to the rule after the one that
jumped in to it. Just have your (sub)chain DROP the packet if it does
match and allow all non-matching traffic to fall off the end and RETURN.
Seeing as how it is a (sub)chain, I don't think you can set a policy
of RETURN and you would have to create a rule to RETURN, but this is a
non-issue.
Grant. . . .
* Re: icmp-type question
2007-06-27 19:16 ` Grant Taylor
@ 2007-06-28 7:48 ` Ross Cameron
2007-06-28 10:26 ` Maximilian Wilhelm
0 siblings, 1 reply; 5+ messages in thread
From: Ross Cameron @ 2007-06-28 7:48 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter
On 27/06/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 6/27/2007 12:09 PM, Mike Wright wrote:
> > Depending on what else you are doing you may need matching rules in your
> > forward chains, too.
>
> This is why a (sub)chain to do the filtering is nice. Jump to the same
> (sub)chain from both filter:INPUT and filter:FORWARD and return out of
> it with any traffic that passes back to the rule after the one that
> jumped in to it. Just have your (sub)chain DROP the packet if it does
> match and allow all non-matching traffic to fall off the end and RETURN.
> Seeing as how it is a (sub)chain, I don't think you can set a policy
> of RETURN and you would have to create a rule to RETURN, but this is a
> non-issue.
How do you create sub-chains?
I've heard the term before but never found an example that uses it.
Many thanks for all the advice guys.
* Re: icmp-type question
2007-06-28 7:48 ` Ross Cameron
@ 2007-06-28 10:26 ` Maximilian Wilhelm
0 siblings, 0 replies; 5+ messages in thread
From: Maximilian Wilhelm @ 2007-06-28 10:26 UTC (permalink / raw)
To: netfilter
On Thursday, 28 June, Ross Cameron typed the following:
[filter icmp timestamp-*]
> How do you create sub-chains?
> I've heard the term before but never found an example that uses it.
This is a simple task:
iptables -N yourChainName
For your problem:
iptables -N icmp_timestamp
iptables -A icmp_timestamp -p icmp --icmp-type timestamp-request -j REJECT --reject-with icmp-admin-prohibited
iptables -A icmp_timestamp -p icmp --icmp-type timestamp-reply -j REJECT --reject-with icmp-admin-prohibited
iptables -A INPUT -i eth0 -p icmp -j icmp_timestamp
iptables -A OUTPUT -o eth0 -p icmp -j icmp_timestamp
(The interesting question here might be if it is wise to put these two
simple rules in a subchain when thinking about rule processing
speed.)
HTH
Ciao
Max
--
Follow the white penguin.
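Grant's sub-chain design and Max's rules, put together for the case the original poster actually has (a multi-homed router, where timestamp traffic to and from LAN hosts crosses FORWARD rather than INPUT/OUTPUT). This is an added example, not code posted in the thread: it emits one iptables-restore fragment in which a single user-defined chain holds the two timestamp rules and INPUT, FORWARD and OUTPUT jump into it only for ICMP seen on the Internet-facing interface, so eth1 traffic never reaches it. The chain name icmp_timestamp and the interface eth0 are placeholders chosen here (Ross named the interface, nobody named the chain); DROP is used because the question asked to "block", Max's REJECT --reject-with icmp-admin-prohibited is a drop-in alternative.

```shell
#!/bin/sh
# Added example (not from the thread): ICMP timestamp filter as one
# user-defined chain, jumped to from INPUT, FORWARD and OUTPUT for ICMP
# on the Internet-facing interface only.
# Assumptions: chain name and interface are placeholders, overridable
# through the environment.
WAN_IF="${WAN_IF:-eth0}"
CHAIN="${CHAIN:-icmp_timestamp}"

# Print the ruleset instead of applying it, so it can be reviewed and
# tested without root. Apply with: timestamp_ruleset | iptables-restore -n
# (-n keeps the existing rules and appends these; an existing chain of
# the same name is flushed and refilled, but the jumps are appended
# again on every run, so apply once or check with iptables -C first).
timestamp_ruleset() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
# Only the two timestamp types (ICMP 13 and 14) are matched. Anything
# else falls off the end of the chain and returns to the caller, which
# is the implicit RETURN Grant mentioned; no policy line is needed.
-A ${CHAIN} -p icmp --icmp-type timestamp-request -j DROP
-A ${CHAIN} -p icmp --icmp-type timestamp-reply -j DROP
# Requests from the Internet addressed to the router itself ...
-A INPUT -i ${WAN_IF} -p icmp -j ${CHAIN}
# ... or routed on to LAN hosts, and replies from LAN hosts heading out.
-A FORWARD -i ${WAN_IF} -p icmp -j ${CHAIN}
-A FORWARD -o ${WAN_IF} -p icmp -j ${CHAIN}
# Replies (or requests) the router itself would send out eth0.
-A OUTPUT -o ${WAN_IF} -p icmp -j ${CHAIN}
COMMIT
EOF
}

# Number of entry points into the sub-chain; one per direction that can
# carry timestamp traffic over the WAN interface.
jump_count() {
    timestamp_ruleset | grep -c -- "-j ${CHAIN}\$"
}

timestamp_ruleset
```

The jumps are appended with -A, so if an earlier rule in INPUT or FORWARD already accepts all ICMP from eth0 the sub-chain is never reached; in that case insert the jump above it with -I instead. After applying, `iptables -L icmp_timestamp -v -n` shows per-rule packet counters, so a timestamp request sent from outside should increment the first rule while the same request from the eth1 side leaves both counters at zero.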