
Thread: Unable to block ICMP echo_reply in iptables

  1. #1 (Join Date: Jun 2009, Posts: 504)

    Unable to block ICMP echo_reply in iptables

    Didn't know where else this belonged, but anyway...

    Was playing around with iptables and decided to configure the firewall to block all echo reply requests using the following command:

    Code:
    iptables --insert INPUT 1 -p icmp --icmp-type echo-reply -j REJECT
    iptables thus shows the following:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     icmp --  anywhere             anywhere             icmp echo-reply reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     icmp --  anywhere             anywhere             icmp echo-reply reject-with icmp-port-unreachable
    But when performing a port scan from ShieldsUP!, the probe fails with the following remarks:

    Code:
    ----------------------------------------------------------------------
    
    GRC Port Authority Report created on UTC: 2013-07-23 at 12:32:25
    
    Results from scan of ports: 0-1055
    
        0 Ports Open
        0 Ports Closed
     1056 Ports Stealth
    ---------------------
     1056 Ports Tested
    
    ALL PORTS tested were found to be: STEALTH.
    
    TruStealth: FAILED - ALL tested ports were STEALTH,
                       - NO unsolicited packets were received,
                       - A PING REPLY (ICMP Echo) WAS RECEIVED.
    
    ----------------------------------------------------------------------
    And yet iptables claims that echo-reply is supposed to be rejected. What am I doing wrong?

  2. #2 (Join Date: Feb 2008, Location: Linuxland, Posts: 4,729)

    Might want to try drop instead of reject.

  3. #3 (Join Date: Jun 2009, Posts: 504)

    Quote Originally Posted by curaga:
    Might want to try drop instead of reject.
    No dice, -j DROP still fails the probe.

    Any other suggestions?

  4. #4 (Join Date: Feb 2008, Location: Linuxland, Posts: 4,729)

    Another thought would be that you're trying to block an outgoing packet on the input. Isn't it so that echo requests come in, and echo replies go out?

  5. #5 (Join Date: Jun 2009, Posts: 504)

    Quote Originally Posted by curaga:
    Another thought would be that you're trying to block an outgoing packet on the input. Isn't it so that echo requests come in, and echo replies go out?
    Took your suggestion and tried blocking echo-request and echo-reply on both INPUT and OUTPUT, but no dice; the probe still fails:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     icmp --  anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable
    REJECT     icmp --  anywhere             anywhere             icmp echo-reply reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     icmp --  anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     icmp --  anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable
    REJECT     icmp --  anywhere             anywhere             icmp echo-reply reject-with icmp-port-unreachable
    Code:
    ----------------------------------------------------------------------
    
    GRC Port Authority Report created on UTC: 2013-07-24 at 12:27:05
    
    Results from scan of ports: 0-1055
    
        0 Ports Open
        0 Ports Closed
     1056 Ports Stealth
    ---------------------
     1056 Ports Tested
    
    ALL PORTS tested were found to be: STEALTH.
    
    TruStealth: FAILED - ALL tested ports were STEALTH,
                       - NO unsolicited packets were received,
                       - A PING REPLY (ICMP Echo) WAS RECEIVED.
    
    ----------------------------------------------------------------------

  6. #6 (Join Date: Feb 2008, Location: Linuxland, Posts: 4,729)

    With drop of course. Reject still sends a response, wrong if you want to play dead.

  7. #7 (Join Date: Jun 2009, Posts: 504)

    Quote Originally Posted by curaga:
    With drop of course. Reject still sends a response, wrong if you want to play dead.
    Tried that too, but the probe still fails:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       icmp --  anywhere             anywhere             icmp echo-request
    DROP       icmp --  anywhere             anywhere             icmp echo-reply
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DROP       icmp --  anywhere             anywhere             icmp echo-request
    DROP       icmp --  anywhere             anywhere             icmp echo-reply
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       icmp --  anywhere             anywhere             icmp echo-request
    DROP       icmp --  anywhere             anywhere             icmp echo-reply
    Code:
    ----------------------------------------------------------------------
    
    GRC Port Authority Report created on UTC: 2013-07-25 at 12:26:57
    
    Results from scan of ports: 0-1055
    
        0 Ports Open
        0 Ports Closed
     1056 Ports Stealth
    ---------------------
     1056 Ports Tested
    
    ALL PORTS tested were found to be: STEALTH.
    
    TruStealth: FAILED - ALL tested ports were STEALTH,
                       - NO unsolicited packets were received,
                       - A PING REPLY (ICMP Echo) WAS RECEIVED.
    
    ----------------------------------------------------------------------
    Any other suggestions? This is starting to become a bit of a pain.

  8. #8 (Join Date: Feb 2008, Location: Linuxland, Posts: 4,729)

    I don't have any other suggestions, other than stop using that site and use your own ping from another machine. If you can't debug the other side, it's going to be hard.
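The last reply's advice (ping from a machine you control, then look at what the firewall itself counted) worked through as an added example; this is not code from the thread or from any of its posters. It assumes the `iptables -L INPUT -v -n -x` output format shown in the constructed sample below, and the `rule_pkts`, `verdict` and `demo` names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. The rules in the thread are the right
# ones for refusing pings (DROP echo-request, ICMP type 8, at the top of INPUT), so
# if a remote probe still gets a reply, the next question is whether the requests
# ever reach this host. iptables keeps a per-rule packet counter; it is hidden in
# the plain `iptables -L` listings shown in the thread and appears with `-v -n -x`.
# If the DROP rule's counter does not move while another machine pings the address,
# the reply is being sent by something in front of this host (a NAT router, say)
# and no rule on this host can suppress it.

# Constructed sample of `iptables -L INPUT -v -n -x` output, before and after a
# remote ping run, in the "nothing hit the DROP rule" case (assumed format; with
# -n the match column shows "icmptype 8" for echo-request, "icmptype 0" for echo-reply).
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    1400   190000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
SAMPLE_AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    1523   201544 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# rule_pkts TARGET MATCH: read a `-v` listing on stdin and print the packet count
# of the first rule whose target is TARGET and whose line contains MATCH.
# Prints "missing" if no such rule exists and "no-counters" if the listing was
# taken without -v (the target then sits in the first column; nothing to read).
rule_pkts() {
    awk -v t="$1" -v m="$2" '
        $1 ~ /^[0-9]+$/ && $3 == t && index($0, m) > 0 { print $1; found = 1; exit }
        $1 == t && index($0, m) > 0                     { print "no-counters"; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# verdict BEFORE AFTER REPLY_SEEN: combine the two counter readings with whether
# the pinging machine saw replies (yes|no). The output starts with a short code.
verdict() {
    before="$1"; after="$2"; reply_seen="$3"
    case "$before" in
        missing)     echo "no-rule: no DROP rule for icmptype 8 in INPUT; insert one above the ACCEPT icmp rule"; return ;;
        no-counters) echo "no-counters: list the chain with iptables -L INPUT -v -n -x to see packet counts"; return ;;
    esac
    if [ "$after" -gt "$before" ]; then
        if [ "$reply_seen" = yes ]; then
            echo "dropped-here-but-reply-seen: requests hit the DROP rule, yet replies arrived; another device shares or fronts this address"
        else
            echo "dropped-here: echo-requests reach this host and iptables drops them"
        fi
    else
        if [ "$reply_seen" = yes ]; then
            echo "upstream-replies: no echo-request reached INPUT, so the reply came from a device in front of this host (NAT router or similar)"
        else
            echo "never-reached: no echo-request reached INPUT and none was answered; something upstream filters before iptables"
        fi
    fi
}

# Live use on the firewall host (as root), not exercised by the offline demo:
#   before=$(iptables -L INPUT -v -n -x | rule_pkts DROP "icmptype 8")
#   sleep 30    # meanwhile, from another machine: ping -c 5 <this host's public address>
#   after=$(iptables -L INPUT -v -n -x | rule_pkts DROP "icmptype 8")
#   verdict "$before" "$after" yes   # yes/no according to what the other machine saw

# Offline demo on the constructed sample: counter stuck at 0, reply still seen.
demo() {
    b=$(printf '%s\n' "$SAMPLE_BEFORE" | rule_pkts DROP "icmptype 8")
    a=$(printf '%s\n' "$SAMPLE_AFTER" | rule_pkts DROP "icmptype 8")
    verdict "$b" "$a" yes
}
demo
```

Two facts underlie it: a host answers a ping when an echo-request (type 8) arrives, so that is the packet to drop in INPUT (once the request is dropped, the echo-reply rules in OUTPUT never match anything, and `sysctl net.ipv4.icmp_echo_ignore_all=1` is the non-iptables way to get the same effect); and the plain `-L` output hides the counters that tell you whether a rule ever matched. With the rule set from post #7 in place, a DROP counter stuck at zero while the probe still reports a ping reply means the reply is not coming from this host, and the thing to inspect is whatever sits between the host and the scanner.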
