
Server Hardening With Iptables, Part Two, ICMP Whitelisting

Building off the previous post, let’s now take it a step further and lock down ICMP traffic.

If your iptables INPUT chain default policy has been set to DROP, then you probably noticed that pinging the server externally presented you with 100% packet loss (as it should).

The ICMP protocol has several types of control messages. We're going to whitelist control message type 8, "echo request"; in other configurations it may also be useful to allow control message type 0, "echo reply".

To whitelist ICMP traffic from a specific host, add the following policy, as root (or sudoer):

$ iptables -A INPUT -p icmp --icmp-type 8 -s <HOST> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Replace <HOST> with the source IP address you want to ping from (a hostname or a CIDR range is also accepted here).

Verify that the new rule is present:

$ iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num        target     prot opt source      destination
<NUMBER>   ACCEPT     icmp --  <HOST>      0.0.0.0/0       icmptype 8 state NEW,RELATED,ESTABLISHED

Save your updated iptables ruleset:

$ iptables-save > /etc/iptables.rules
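As an added example that is not part of the original post, here is the whole procedure above as a small POSIX shell script. It validates the source address before it reaches iptables (only an IPv4 address or IPv4/CIDR range is accepted, so the rule cannot silently depend on DNS at load time), uses `iptables -C` to check whether the rule already exists before appending it, then verifies and saves exactly as the post does. The function names and the 203.0.113.x addresses are my own constructed choices, not anything from the post.

```shell
#!/bin/sh
# Added example: ICMP echo-request whitelist for one source host or CIDR range.
# Not the original post's code; the 203.0.113.x addresses used in the usage
# note and tests are constructed documentation addresses.
set -eu

# Accept only a dotted-quad IPv4 address with an optional /prefix (0-32).
# Hostnames are deliberately refused: iptables would resolve them once at
# load time, and the rule would then quietly point at a stale address.
valid_ipv4_cidr() {
    _addr=$1
    case $_addr in
        */*) _ip=${_addr%/*}; _pfx=${_addr#*/} ;;
        *)   _ip=$_addr;       _pfx=32 ;;
    esac
    case $_pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$_pfx" -le 32 ] || return 1
    _old_ifs=$IFS; IFS=.
    set -- $_ip              # split the address into its octets
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print the rule specification without the verb, so the same string serves
# for -C (check), -A (append) and -D (delete). Type 8 is echo-request; the
# state match lets the outgoing echo-reply be tracked as part of the flow.
icmp_echo_rule() {
    printf 'INPUT -p icmp --icmp-type 8 -s %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' "$1"
}

# Append the rule only if it is not already present (iptables -C exits 0
# when a matching rule exists), so re-running the script never duplicates it.
apply_icmp_whitelist() {
    _host=$1
    valid_ipv4_cidr "$_host" || { echo "refusing invalid source '$_host'" >&2; return 2; }
    _rule=$(icmp_echo_rule "$_host")
    # shellcheck disable=SC2086  # word splitting of $_rule is intended
    if iptables -C $_rule 2>/dev/null; then
        echo "rule already present for $_host"
    else
        iptables -A $_rule
        echo "added ICMP echo-request whitelist for $_host"
    fi
}

# Same file as the post; it still has to be reloaded at boot with iptables-restore.
save_rules() {
    iptables-save > /etc/iptables.rules
}

# Only touch the live ruleset when run as root with exactly one argument;
# sourcing the file just for its functions runs nothing.
if [ "$#" -eq 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_icmp_whitelist "$1"
    iptables -L INPUT -n --line-numbers | grep -F 'icmptype 8'
    save_rules
fi
```

Run it as root with the source you ping from, e.g. `sh icmp-whitelist.sh 203.0.113.10` or `sh icmp-whitelist.sh 203.0.113.0/24`. Two things to keep in mind: `-A` appends to the end of the chain, which is fine when the chain ends in the DROP policy, but if the chain already contains an explicit DROP or REJECT rule the new rule must be inserted above it with `-I` instead; and on current kernels `-m state --state` is an alias for `-m conntrack --ctstate`, so either spelling produces the same rule.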

Stay tuned for more!
