In this tutorial we will learn how to disable ICMP and ICMPv6 redirects on a Linux server. ICMP redirects are used by routers, so if your Linux server is not acting as a router it is recommended, as a general security practice, to disable them. Even if your Linux server is acting as a router with forwarding turned ON, you can disable ICMP redirects on selected interfaces using kernel parameters (sysctl).
1. What are ICMP redirects
- An ICMP redirect packet is generated by a router to inform a host of a better route to some specific destination.
- The recipient of an ICMP redirect overrides its route table with the information given in the redirect packet.
- Redirects are only required when a non-default router is preferred for some particular peer addresses, and this knowledge is not hard-configured on the system.
- The default router will then be initially attempted for sends to those peers and, if it supports redirects, it will respond with one naming the alternate router.
- It may or may not also forward the original packet.
- If this system accepts redirects it uses the information given to create a temporary routing entry for the alternate router.
- The advantage of such a configuration is that the knowledge of the network architecture and the required routers need be maintained on only a relatively few systems - the routers that are default-router for each subnet, rather than all client systems on all subnets.
- The disadvantage is that malicious systems could send redirects to manipulate other systems.
2. How to disable ICMP redirects for IPv4
There are two methods to ignore ICMP redirects. This section covers only the IPv4 network.
2.1 Using firewall rule
We can add a rule with firewalld to block all the ICMP redirects. First of all, get the list of active zones:
# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1
So in my case I am only using the default public zone, which has both my interfaces, so I will apply my firewalld rules to this zone.
# firewall-cmd --permanent --add-icmp-block=redirect --zone=public
Next, reload the rules:
# firewall-cmd --reload
List and verify the rule.
2.2 Using kernel parameters (sysctl)
If your Linux server is acting as a router with forwarding enabled, you can choose to disable ICMP redirects on all or selected interfaces.
To disable ICMP redirects on all the interfaces:
net.ipv4.conf.all.accept_redirects=0
To disable ICMP redirects on eth0 only:
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=1
If your Linux server is not acting as a router then you can disable ICMP redirects on all the interfaces:
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=0
You can add these configuration values in a new file 96-disable-icmpv4.conf under /etc/sysctl.d.
# cat /etc/sysctl.d/96-disable-icmpv4.conf
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=0
To apply these changes at runtime:
# sysctl --system
and verify the output:
# net/ipv4/conf/all/secure_redirects = 1
3. How to disable ICMP redirects for IPv6
We can use similar methods to ignore ICMPv6 redirect messages on the Linux server.
3.1 Using firewall rule
To block ICMPv6 redirects across all the interfaces use:
# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 --icmpv6-type 137 -j DROP
To block ICMPv6 redirects on the single eth0 interface only, use:
# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -i eth0 -p icmpv6 --icmpv6-type 137 -j DROP
To apply any of the above rules at runtime, a reload of firewalld is required. Then list the direct rules to verify:
# firewall-cmd --reload
# firewall-cmd --direct --get-all-rules
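To tie sections 2.1 and 3.1 together, here is an added example script (not part of the original tutorial) that applies both firewalld blocks idempotently: it queries whether the zone-level ICMP block and the per-interface ICMPv6 type 137 direct rules already exist before adding them, and reloads firewalld once at the end. The zone name `public`, the interface names, the `DRY_RUN` variable and the function names are assumptions for the example; the `firewall-cmd` options used are the ones shown above plus the matching `--query-icmp-block` and `--direct --query-rule` forms.

```shell
#!/bin/sh
# Apply the ICMP (IPv4) and ICMPv6 redirect blocks from sections 2.1 and 3.1
# idempotently. DRY_RUN=1 prints the firewall-cmd invocations instead of
# running them, which is also how the example is checked offline.

ZONE="${ZONE:-public}"   # assumption: the zone holding the interfaces

# fwcmd <args...>: run firewall-cmd, or echo the invocation when DRY_RUN=1
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# block_v4_redirects: permanent icmp-block of "redirect" in $ZONE, unless present
block_v4_redirects() {
    if [ "${DRY_RUN:-0}" != "1" ] &&
       firewall-cmd --permanent --zone="$ZONE" --query-icmp-block=redirect >/dev/null 2>&1; then
        echo "ipv4: redirect already blocked in zone $ZONE"
        return 0
    fi
    fwcmd --permanent --zone="$ZONE" --add-icmp-block=redirect
}

# block_v6_redirects [iface...]: direct rule dropping ICMPv6 type 137 (Redirect
# Message), one per interface when given, otherwise a single rule for all
block_v6_redirects() {
    if [ $# -eq 0 ]; then
        set -- ""
    fi
    for iface in "$@"; do
        if [ -n "$iface" ]; then ifarg="-i $iface"; else ifarg=""; fi
        # $ifarg is intentionally unquoted so it splits into "-i eth0" or nothing
        if [ "${DRY_RUN:-0}" != "1" ] &&
           firewall-cmd --permanent --direct --query-rule ipv6 filter INPUT 0 $ifarg \
               -p icmpv6 --icmpv6-type 137 -j DROP >/dev/null 2>&1; then
            echo "ipv6: type-137 drop already present for ${iface:-all interfaces}"
            continue
        fi
        fwcmd --permanent --direct --add-rule ipv6 filter INPUT 0 $ifarg \
            -p icmpv6 --icmpv6-type 137 -j DROP
    done
}

# apply_redirect_blocks [iface...]: both blocks, then a single reload
apply_redirect_blocks() {
    block_v4_redirects
    block_v6_redirects "$@"
    fwcmd --reload
}

# Run for real only as root on a host that has firewall-cmd; DRY_RUN=1 works anywhere.
if [ "${DRY_RUN:-0}" = "1" ] || { [ "$(id -u)" = "0" ] && command -v firewall-cmd >/dev/null 2>&1; }; then
    apply_redirect_blocks "$@"
fi
```

Usage: `DRY_RUN=1 sh apply-redirect-blocks.sh eth0 eth1` prints the plan; run it as root without `DRY_RUN` to apply it. Querying before adding matters because `--add-rule` on the direct interface happily appends a duplicate rule each time the script runs. Note that the direct interface is deprecated in firewalld 1.0 and later, so on current releases prefer a policy or an nftables rule for the ICMPv6 side and use the direct rule only where the page's syntax is still supported.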
3.2 Using kernel parameters (sysctl)
The logic for ignoring ICMPv6 redirects is different from the one used with IPv4. To make the host ignore ICMPv6 redirects we must either:
run the host as an IPv6 gateway (enable IPv6 forwarding)
# Enable forwarding for an <interface> and ignore ICMPv6 redirects
net.ipv6.conf.<interface>.forwarding=1
# Enable forwarding for all interfaces and ignore ICMPv6 redirects
net.ipv6.conf.all.forwarding=1
OR
disable ICMPv6 redirects per interface
# Disable ICMPv6 redirects explicitly for <interface>
net.ipv6.conf.<interface>.accept_redirects=0
You can add these configuration parameters inside a new file 95-disable-icmpv6.conf under /etc/sysctl.d.
# cat /etc/sysctl.d/95-disable-icmpv6.conf
net.ipv6.conf.eth0.accept_redirects=0
net.ipv6.conf.eth1.accept_redirects=0
To apply the changes at runtime:
# sysctl --system
Next verify the output:
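The sysctl snippets in sections 2.2 and 3.2 interact with forwarding in a way that is easy to get wrong, so here is an added audit script (not from the original tutorial) that reports, per interface, whether the kernel will still act on a redirect. For IPv4 it applies the rule documented in the kernel's ip-sysctl documentation: with forwarding enabled on an interface, redirects are accepted only if both `conf/all` and `conf/<iface>` are 1; with forwarding disabled, if either of them is 1. For IPv6 it reflects the kernel's redirect handling as I understand it: only the per-interface `accept_redirects` value counts (which is why the page's IPv6 file sets eth0 and eth1 individually), and redirects are ignored outright on an interface with forwarding enabled. The `SYSCTL_ROOT` variable and the function names are assumptions for the example; it reads `/proc/sys` by default and a constructed directory tree for the self-check.

```shell
#!/bin/sh
# Audit which interfaces still accept ICMP / ICMPv6 redirects, taking the
# "all" vs per-interface keys and the forwarding setting into account.
# SYSCTL_ROOT (default /proc/sys) lets the functions run against a
# constructed fixture tree; it is an assumption of this example.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_key <path-under-root>: print the key's value, or 0 if the key is absent
read_key() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        cat "$SYSCTL_ROOT/$1"
    else
        echo 0
    fi
}

# ipv4_accepts_redirects <iface>: prints yes or no.
# Documented rule: forwarding on  -> accepted iff all==1 AND <iface>==1
#                  forwarding off -> accepted iff all==1 OR  <iface>==1
ipv4_accepts_redirects() {
    all=$(read_key "net/ipv4/conf/all/accept_redirects")
    dev=$(read_key "net/ipv4/conf/$1/accept_redirects")
    fwd=$(read_key "net/ipv4/conf/$1/forwarding")
    if [ "$fwd" = "1" ]; then
        if [ "$all" = "1" ] && [ "$dev" = "1" ]; then echo yes; else echo no; fi
    else
        if [ "$all" = "1" ] || [ "$dev" = "1" ]; then echo yes; else echo no; fi
    fi
}

# ipv6_accepts_redirects <iface>: prints yes or no.
# Only the per-interface key is consulted, and an interface with forwarding
# enabled ignores redirects regardless of accept_redirects.
ipv6_accepts_redirects() {
    dev=$(read_key "net/ipv6/conf/$1/accept_redirects")
    fwd=$(read_key "net/ipv6/conf/$1/forwarding")
    if [ "$fwd" = "0" ] && [ "$dev" = "1" ]; then echo yes; else echo no; fi
}

# audit_redirects: one line per interface; returns 1 if any still accepts redirects
audit_redirects() {
    rc=0
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case "$iface" in all|default|lo) continue ;; esac
        v4=$(ipv4_accepts_redirects "$iface")
        v6=$(ipv6_accepts_redirects "$iface")
        printf '%-12s ipv4_redirects=%-3s ipv6_redirects=%s\n' "$iface" "$v4" "$v6"
        if [ "$v4" = "yes" ] || [ "$v6" = "yes" ]; then rc=1; fi
    done
    return $rc
}

audit_redirects || echo "WARNING: at least one interface still accepts redirects"
```

Run it after `sysctl --system` to confirm the effective state rather than the file contents. The trap it catches: copying the "router" snippet (`net.ipv4.conf.all.accept_redirects=1` with `eth0` set to 0) onto a host where forwarding is off leaves redirects accepted on eth0, because without forwarding the two IPv4 keys are ORed. Also remember that per-interface keys only exist once the interface does, so for interfaces created after boot (VPN tunnels, containers) set `net.ipv4.conf.default.accept_redirects=0` and `net.ipv6.conf.default.accept_redirects=0` as well.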
What's Next
You should also disable ICMP timestamp responses on the Linux server:
How to disable ICMP timestamp responses in Linux
Conclusion
In this tutorial you learned different methods to disable ICMPv4 and ICMPv6 redirect messages. In production environments these are some of the basic requirements for hardening individual Linux servers. For IPv6, you could also disable IPv6 completely if you are not using it in your environment.
References
I have used the below external references for this tutorial guide:
- What problems are expected from disabling ICMP redirects
- How to disable ICMP redirect messages for IPv4
- How to disable ICMPv6 redirect messages