How to disable ICMP and ICMPv6 redirects in Linux



In this tutorial we will learn how to disable ICMP and ICMPv6 redirects on a Linux server. ICMP redirects are used on routers, so if your Linux server is not acting as a router, it is recommended as a general security practice to disable them. Even if your Linux server is acting as a router with forwarding turned ON, you can disable ICMP redirects on selected interfaces using kernel parameters (sysctl).

 

1. What are ICMP redirects

  • An ICMP redirect packet is generated by a router to inform a host of a better route to some specific destination.
  • The recipient of an ICMP redirect overrides its route table with the information given in the redirect packet.
  • Redirects are only required when a non-default router is preferred for some particular peer addresses, and this knowledge is not hard-configured on the system.
  • The default router will then be initially attempted for sends to those peers and, if it supports redirects, it will respond with one naming the alternate router.
  • It may or may not also forward the original packet.
  • If this system accepts redirects it uses the information given to create a temporary routing entry for the alternate router.
  • The advantage of such a configuration is that the knowledge of the network architecture and the required routers need be maintained on only a relatively few systems - the routers that are default-router for each subnet, rather than all client systems on all subnets.
  • The disadvantage is that malicious systems could send redirects to manipulate other systems.

 

2. How to disable ICMP redirects for IPv4

There are two methods to ignore ICMP redirects. The section below covers only IPv4 networks.

2.1 Using firewall rule

We can add a rule with firewalld to block all ICMP redirects. First, get the list of active zones:

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1

In my case I am only using the default public zone, which contains both of my interfaces, so I will apply my firewalld rules to this zone.

# firewall-cmd --permanent --add-icmp-block=redirect --zone=public

Next reload the rules

# firewall-cmd --reload

List and verify the rule

Disable ICMP redirect with firewalld

 

2.2 Using kernel parameters (sysctl)

If your Linux server is acting as a router with forwarding enabled, you can choose to disable ICMP redirects on all interfaces or only on selected ones.

To disable ICMP redirects on all interfaces:

net.ipv4.conf.all.accept_redirects=0

To disable ICMP redirects on eth0 only

net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=1

If your Linux server is not acting as a router then you can disable ICMP redirects on all the interfaces

net.ipv4.conf.all.accept_redirects=0 
net.ipv4.conf.eth0.accept_redirects=0 
net.ipv4.conf.eth1.accept_redirects=0

You can add these configuration values in a new file 96-disable-icmpv4.conf under /etc/sysctl.d.

# cat /etc/sysctl.d/96-disable-icmpv4.conf
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=0

To apply these changes at runtime:

# sysctl --system

and verify the output:

Disable ICMP redirects with sysctl

 

3. How to disable ICMP redirects for IPv6

We can use similar methods to ignore ICMPv6 redirects on the Linux server.

3.1 Using firewall rule

To block ICMPv6 redirects across all the interfaces use:

# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 --icmpv6-type 137 -j DROP

To block ICMPv6 redirects on a single interface (eth0), use:

# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -i eth0 -p icmpv6 --icmpv6-type 137 -j DROP

To apply either of the above rules at runtime, firewalld must be reloaded.

# firewall-cmd --reload
# firewall-cmd --direct --get-all-rules

 

3.2 Using kernel parameters (sysctl)

The logic behind ignoring ICMPv6 redirects is different from the one used with IPv4. To make a host ignore ICMPv6 redirects we must either:

run the host as an IPv6 gateway (enable IPv6 forwarding)

# Enable forwarding for an <interface> and ignore ICMPv6 redirects
net.ipv6.conf.<interface>.forwarding=1

# Enable forwarding for all interfaces and ignore ICMPv6 redirects
net.ipv6.conf.all.forwarding=1

OR

disable ICMPv6 redirects per interface

# Disable ICMPv6 redirects explicitly for <interface>
net.ipv6.conf.<interface>.accept_redirects=0

You can add these configuration parameters inside a new file 95-disable-icmpv6.conf under /etc/sysctl.d

# cat /etc/sysctl.d/95-disable-icmpv6.conf
net.ipv6.conf.eth0.accept_redirects=0
net.ipv6.conf.eth1.accept_redirects=0

To apply the changes at runtime:

# sysctl --system

Next verify the output:

Disable ICMPv6 using sysctl kernel parameters
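
The sysctl values from sections 2.2 and 3.2 interact with the forwarding setting, so the sketch below (an added example, not part of the original tutorial) computes whether each interface will really accept redirects. The function names and the optional root-directory argument are assumptions of this example; the IPv4 AND/OR rule comes from the kernel's ip-sysctl documentation and the IPv6 rule is the one described in section 3.2.

```sh
#!/bin/sh
# Added example (not from the original tutorial): effective ICMP redirect
# acceptance per interface. The optional root argument is an assumption of this
# example so the same logic can be pointed at a copy of the sysctl tree.

# IPv4 (kernel ip-sysctl rule): with forwarding on, a redirect is accepted only
# if "all" AND the interface are 1; with forwarding off, if "all" OR it is 1.
ipv4_accepts() {  # args: all_value iface_value iface_forwarding -> prints 1 or 0
    if [ "$3" -eq 1 ]; then
        if [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; then echo 1; else echo 0; fi
    else
        if [ "$1" -eq 1 ] || [ "$2" -eq 1 ]; then echo 1; else echo 0; fi
    fi
}

# IPv6 (section 3.2): ignored when forwarding is on or accept_redirects is 0.
ipv6_accepts() {  # args: iface_value iface_forwarding -> prints 1 or 0
    if [ "$2" -eq 0 ] && [ "$1" -eq 1 ]; then echo 1; else echo 0; fi
}

# Print "<family> <interface> <1|0>" for every real interface under root.
audit_redirects() {
    root="${1:-/proc/sys}"
    all4=$(cat "$root/net/ipv4/conf/all/accept_redirects" 2>/dev/null || echo 0)
    for d in "$root"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        echo "ipv4 $i $(ipv4_accepts "$all4" "$(cat "$d/accept_redirects")" "$(cat "$d/forwarding")")"
    done
    for d in "$root"/net/ipv6/conf/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        echo "ipv6 $i $(ipv6_accepts "$(cat "$d/accept_redirects")" "$(cat "$d/forwarding")")"
    done
}

# Run against the live kernel when called as: sh check-redirects.sh --run
if [ "${1:-}" = "--run" ]; then audit_redirects; fi
```

On a non-router, an interface set to 0 still reports 1 while net.ipv4.conf.all.accept_redirects is 1, which is why the non-router configuration above sets all and every interface to 0.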

 

What's Next

You should also disable ICMP timestamp response on the Linux server
How to disable ICMP timestamp responses in Linux

 

Conclusion

In this tutorial you learned different methods to disable ICMPv4 and ICMPv6 redirect messages. In a production environment these are some of the basic requirements for enhancing the security of individual Linux servers. You could also disable IPv6 completely if you are not using it in your environment.

 


 

Deepak Prasad
