Koozali.org: home of the SME Server

How do I block ICMP?

Ragnbull

How do I block ICMP?
« on: January 22, 2003, 07:51:21 PM »
I am trying to block ICMP and, for that matter, shut down any port that I do not need open. Can anyone help? I am on SME 5.6. My main concern is shutting ping down from the WAN...or altogether, for that matter.

Nathan Fowler

Re: How do I block ICMP?
« Reply #1 on: January 23, 2003, 12:33:58 AM »
I don't run 5.6 so I'm not sure I can help you without some additional information.

Please give me directory listing of:
/etc/e-smith/templates/etc/rc.d/init.d/masq

Ragnbull

Re: How do I block ICMP?
« Reply #2 on: January 25, 2003, 12:52:55 PM »
OK...screw 5.6 for now. It has completely destroyed my server via upgrade. Most functionality has stopped. I am back on 5.5 update 2, with all SSL capability working and the address book accessible. All I want to do is block ICMP on the server.

Here is what I have in /etc/e-smith/templates/etc/rc.d/init.d/masq

00start          10masq_vdolive               35AllowLoopback        45AllowDHCPS      45AllowSMTP        80EndChainIcmpOut
00UseDB          10RemoveUserChains           35AllowPPTPInterfaces  45AllowFTP        45AllowSSH         85PolicyForward
01localNetworks  15Definitions                35DenyLowPorts         45AllowHTTP       45AllowSSMTP       85PolicyInput
10flush          15forwardpolicy              35DenyMulticast        45AllowHTTPS      45AllowTelnet      85PolicyOutput
10masq_cuseeme   20NewChainDenyLog            35transproxy           45AllowIMAP       45DenyMySQL        95startdone
10masq_ftp       20NewChainIcmpIn             40AllowICMPfromLAN     45AllowIMAPS      45DenyRIP          98MasqStart
10masq_h323      20NewChainIcmpOut            40AllowICMPIn          45AllowIPSecMasq  45DenySMB          98MasqStop
10masq_icq       30AdjustTOS                  40AllowICMPOut         45AllowLDAP       45DenySquid        98restart
10masq_ipsec     30EnableIPDynAddr            40AllowLocal           45AllowNTP        46AllowFTPActive   98stop
10masq_irc       30EnableIPForward            40AllowTCPAckBitSet    45AllowPOP        46AllowHighTCP     98usage
10masq_pptp      30SetMasqTimeouts            40masqLAN              45AllowPOPS       46AllowHighUDP     template-begin
10masq_quake     30SourceAddressVerification  45AllowAUTH            45AllowPPTP       80EndChainDenyLog  template-end
10masq_rtsp      30SynCookies                 45AllowDHCPC           45AllowPPTPMasq   80EndChainIcmpIn

I hope this helps. I am trying to lock the server down. I do not want ICMP to respond. All I need open is ports 80, 443, 25, 22, 465, 995, and 993. That's it! If you can help I would greatly appreciate it! Thank you so much!

Nathan Fowler wrote:
>
> I don't run 5.6 so I'm not sure I can help you without some
> additional information.
>
> Please give me directory listing of:
> /etc/e-smith/templates/etc/rc.d/init.d/masq

Nathan Fowler

Re: How do I block ICMP?
« Reply #3 on: January 25, 2003, 07:59:28 PM »
From console:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn
pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

[Remove the line that says "echo-request" and "echo-reply"]
[Save]

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart


Hope this helped,
Nathan
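The procedure above, rehearsed in a scratch directory as an added example (this is not code from the thread or from the SME Server project). It mimics the SME 5.5 layout in which a fragment placed under templates-custom overrides the stock fragment of the same name, copies 40AllowICMPIn across, deletes the single line that adds echo-request/echo-reply, and checks the result. The fragment contents are constructed from the excerpt posted later in the thread, not the real file; the only live commands are the two from the post, and they are run only if /sbin/e-smith/expand-template exists.

```shell
#!/bin/sh
# Added example: rehearse the templates-custom override for 40AllowICMPIn in
# a sandbox before touching /etc/e-smith on a live SME 5.5 box.
set -eu

# Build a scratch copy of the stock templates tree. The fragment body below is
# CONSTRUCTED from the thread's excerpt; it is not the real SME file.
make_sandbox() {
    sandbox=$(mktemp -d)
    stock="$sandbox/templates/etc/rc.d/init.d/masq"
    mkdir -p "$stock"
    cat > "$stock/40AllowICMPIn" <<'EOF'
{
    my @OKicmpTypes = (
                qw(
                    destination-unreachable
                    source-quench
                    time-exceeded
                    parameter-problem
                ) );
    my %services = ( masq => $masq );
    my $stealth = db_get_prop(\%services, 'masq', 'Stealth') || 'no';
    unless ($stealth eq 'yes')
    {
        push @OKicmpTypes, qw(echo-request echo-reply);
    }
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
EOF
    echo "$sandbox"
}

# Steps 1-3 of the post: mkdir -p the custom tree, cp the stock fragment in,
# and remove the one line naming echo-request/echo-reply (sed instead of pico).
# $1 = sandbox root; prints the path of the custom fragment.
override_fragment() {
    stock="$1/templates/etc/rc.d/init.d/masq/40AllowICMPIn"
    custom_dir="$1/templates-custom/etc/rc.d/init.d/masq"
    mkdir -p "$custom_dir"
    cp "$stock" "$custom_dir/40AllowICMPIn"
    sed '/echo-request/d' "$custom_dir/40AllowICMPIn" > "$custom_dir/40AllowICMPIn.tmp"
    mv "$custom_dir/40AllowICMPIn.tmp" "$custom_dir/40AllowICMPIn"
    echo "$custom_dir/40AllowICMPIn"
}

# Sanity check on a fragment: no echo types left, but the four error/control
# types still accepted (dropping those breaks path-MTU discovery and the
# unreachable/TTL feedback that traceroute and TCP rely on). Returns 0 if OK.
check_fragment() {
    grep -Eq 'echo-(request|reply)' "$1" && return 1
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        grep -q "$t" "$1" || return 1
    done
    return 0
}

# Steps 4-5 of the post, for a real SME host only.
apply_live() {
    [ -x /sbin/e-smith/expand-template ] || { echo "not an SME host, skipping"; return 0; }
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
    /etc/rc.d/init.d/masq restart
}

# Usage: sb=$(make_sandbox); f=$(override_fragment "$sb"); check_fragment "$f" && apply_live
```

After the restart, test with a ping from a host outside the WAN interface: the per-network rules later in the same template still accept ICMP from the local networks, so a ping from the LAN proves nothing about the external side.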

Ragnbull

Re: How do I block ICMP?
« Reply #4 on: January 25, 2003, 11:34:55 PM »
OK. It does not work. Here is what the code looks like. Can you please still help? This is driving me nuts.

[root@Rage root]# pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

{
    use esmith::NetworksDB;

    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    my @OKicmpTypes = (
                qw(
                    destination-unreachable
                    source-quench
                    time-exceeded
                    parameter-problem
                ) );

    my %services = ( masq => $masq );
    my $stealth = db_get_prop(\%services, 'masq', 'Stealth') || 'no';
    unless ($stealth eq 'yes')
    {
        # echo-request / echo-reply line removed here, as advised above
    }
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }

    # Even in 'stealth' mode, we should allow ICMP ECHO on the LAN port
    my ($network, $broadcast) = esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);

    my %networks;
    $networks{$network} = $LocalNetmask;

    my $ndb = esmith::NetworksDB->open();
    foreach my $net ($ndb->get_all())
    {
        ($network,$broadcast) = esmith::util::computeNetworkAndBroadcast(
            $net->key, $net->prop('Mask'));
        $networks{$network} = $net->prop('Mask');
    }

    foreach my $net (keys %networks)
    {
        $OUT .= <<HERE;
    /sbin/ipchains --append icmpIn --proto icmp --source $net/$networks{$net} -j ACCEPT

[listing cut off here by the pasted pico screen; the editor reported the file as 48 lines]

Nathan Fowler

Re: How do I block ICMP?
« Reply #5 on: January 26, 2003, 10:11:40 PM »
That looks correct. Are you testing it by pinging your host externally or internally? That rule only affects ICMP on the external interface.