Discussion:
ICMP redirects
Georgi Naplatanov
2013-08-24 08:15:42 UTC
Hi, I want my machine to ignore ICMP redirects in Debian Wheezy (Linux
kernel)

Does

net.ipv4.conf.all.accept_redirects = 0

in /etc/sysctl.conf make the kernel ignore ICMP redirects for all interfaces

or

1) do I have to set it for a particular interface like
net.ipv4.conf.eth0.accept_redirects = 0

or

2) do I have to set a rule in iptables like

iptables -A INPUT -i eth0 -p icmp --icmp-type 5 -j DROP

Thanks in advance.

Best regards
Georgi
Gian Piero Carrubba
2013-08-24 10:18:04 UTC
Post by Georgi Naplatanov
> Hi, I want my machine to ignore ICMP redirects in Debian Wheezy
> (Linux kernel)
> Does
> net.ipv4.conf.all.accept_redirects = 0
> in /etc/sysctl.conf make the kernel ignore ICMP redirects for all interfaces
> or
> 1) do I have to set it for a particular interface like
> net.ipv4.conf.eth0.accept_redirects = 0
> or
> 2) do I have to set a rule in iptables like
> iptables -A INPUT -i eth0 -p icmp --icmp-type 5 -j DROP

Using sysctl vs. iptables is probably a matter of taste. I usually
prefer the former but often include rules for the latter in order not
to be hit when porting the packet filtering script to another host.
As for the accept_redirects sys parameter, the following is from
Documentation/networking/ip-sysctl.txt.gz (kernel 3.10):

accept_redirects - BOOLEAN
    Accept ICMP redirect messages.
    accept_redirects for the interface will be enabled if:
    - both conf/{all,interface}/accept_redirects are TRUE in the case
      forwarding for the interface is enabled
    or
    - at least one of conf/{all,interface}/accept_redirects is TRUE in
      the case forwarding for the interface is disabled
    accept_redirects for the interface will be disabled otherwise
    default TRUE (host)
            FALSE (router)

Ciao,
Gian Piero.
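
The rule quoted above from ip-sysctl.txt, evaluated per interface, as an added example that is not part of the original thread: with forwarding disabled, a 1 in either `all` or the interface entry keeps redirects accepted, so both must be 0 on a host. `CONF_ROOT` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): apply the accept_redirects rule
# from ip-sysctl.txt to each interface found under the sysctl tree.
# CONF_ROOT is an assumption of this example so the functions can also be
# pointed at a copy of the tree; by default the live kernel values are read.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_accept_redirects ALL IFACE FORWARDING
# Prints 1 if redirects are accepted on the interface, 0 if they are ignored.
effective_accept_redirects() {
    er_all=$1 er_if=$2 er_fwd=$3
    if [ "$er_fwd" -ne 0 ]; then
        # Forwarding enabled: both all and interface values must be TRUE.
        if [ "$er_all" -ne 0 ] && [ "$er_if" -ne 0 ]; then echo 1; else echo 0; fi
    else
        # Forwarding disabled: one TRUE value is enough to accept redirects.
        if [ "$er_all" -ne 0 ] || [ "$er_if" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# report_redirects [ROOT]
# Prints one line per interface: the two configured values, the interface's
# forwarding flag, and the resulting effective setting.
report_redirects() {
    rr_root=${1:-$CONF_ROOT}
    rr_all=$(cat "$rr_root/all/accept_redirects") || return 1
    for rr_dir in "$rr_root"/*/; do
        rr_name=$(basename "$rr_dir")
        # "all" and "default" are templates, not interfaces.
        case $rr_name in all|default) continue ;; esac
        rr_if=$(cat "$rr_dir/accept_redirects") || return 1
        rr_fwd=$(cat "$rr_dir/forwarding") || return 1
        printf '%s all=%s iface=%s forwarding=%s effective=%s\n' \
            "$rr_name" "$rr_all" "$rr_if" "$rr_fwd" \
            "$(effective_accept_redirects "$rr_all" "$rr_if" "$rr_fwd")"
    done
}
```

Source the file and run `report_redirects` to list the live values; any line ending in `effective=1` is an interface that still accepts ICMP redirects.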
