IPTables Tweaks

ICMP Redirecting

This kernel message was driving me nuts for a while. It is logged by the host that is sending the ICMP redirects (zcn1, which is forwarding traffic for 10.1.0.52) when the host it redirects keeps ignoring them; here zcn1 is telling 10.1.0.52 that 10.1.0.51 is reachable directly:

Jan 29 15:11:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:21:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:31:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:41:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:51:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 16:01:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.

Here is the fix, with some background from two sources:

http://www.hackinglinuxexposed.com/articles/20021015.html

# Ignore redirects from machines that are listed as gateways
# (routers set by 'route add … gw IPADDR'). Not a good idea
# if these routers do send redirects, which is likely if you
# have multiple routers on your net but only one default configured.
#
# Redirects can be abused to perform man-in-the-middle attacks,
# so you only want them enabled from trusted sources.
enable /proc/sys/net/ipv4/conf/*/secure_redirects

http://www.phptr.com/articles/article.asp?p=101181&seqNum=2&rl=1

Configure ICMP Redirect Messages

ICMP redirect messages are sent by a gateway to a host that routed a packet through it, telling the host to send further packets for that destination to a different gateway on the same link. If a Sun Linux system is not configured to act as a gateway, that is, the net.ipv4.ip_forward parameter is set to 0, the system should never need to send ICMP redirect messages.

To configure the system to never send ICMP redirect messages, add the following lines to the /etc/sysctl.conf file. Linux keeps this setting per interface under net.ipv4.conf.*; there is no net.ipv4.send_redirects key. The all entry covers existing interfaces and the default entry covers interfaces created later.

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Similarly, if you only have one gateway on the network to which the host is attached, then it is safe to ignore any incoming ICMP redirect messages. These messages could not be generated in such a case, because there is only one path out of the network.

An attacker can forge redirect messages to install bogus routes. This action might initiate a denial of service attack if a newly specified router is not a router at all. Similarly, this technique could be used to force network packets to be routed through an attacker's machine, where the packets could be inspected, captured, or modified. Although there are rules governing valid ICMP redirect messages, all of them can be easily spoofed.

If possible, configure the system to ignore ICMP redirect messages by adding the following lines to the /etc/sysctl.conf file (again per interface; net.ipv4.accept_redirects does not exist).

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
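The catch with these keys is that the kernel does not simply use the all value: for send_redirects and secure_redirects an interface is enabled if either conf.all or conf.<if> is 1, and for accept_redirects the same OR applies on a non-forwarding host (AND on a forwarding one), as described in the kernel's Documentation/networking/ip-sysctl.txt. So a host that only set conf.all.accept_redirects = 0 while eth0 still has 1 is still accepting redirects. The script below is an added example, not code from this wiki page or from either linked article: it computes the effective value per interface from a sysctl -a style dump, flags weak settings, and prints the hardened sysctl.conf lines. The function names and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Audit the *effective* ICMP redirect settings per interface from a
# `sysctl -a`-style dump. Linux keeps these keys under net.ipv4.conf.{all,
# default,<if>}.* and combines them as Documentation/networking/ip-sysctl.txt
# describes:
#   send_redirects   : on if conf.all OR conf.<if> is 1
#   secure_redirects : on if conf.all OR conf.<if> is 1
#   accept_redirects : forwarding on  -> on only if conf.all AND conf.<if> are 1
#                      forwarding off -> on if conf.all OR conf.<if> is 1
# Function names and the dump below are this example's own (constructed);
# nothing here comes from the wiki page.

# Constructed sample: conf.all.* was set to 0 but eth0 kept its old values,
# eth1 is clean, eth2 is a forwarding interface with an explicit accept=1.
SAMPLE_DUMP='net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.secure_redirects = 1
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth2.accept_redirects = 1
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth2.secure_redirects = 0'

# sysctl_val DUMP KEY -> value of KEY from "key = value" lines; 0 if absent
sysctl_val() {
    printf '%s\n' "$1" |
        awk -v k="$2" '$1 == k { print $3; f = 1 } END { if (!f) print 0 }'
}

# effective DUMP IFACE KEY -> 0/1, the value the kernel actually applies on IFACE
effective() {
    e_all=$(sysctl_val "$1" "net.ipv4.conf.all.$3")
    e_dev=$(sysctl_val "$1" "net.ipv4.conf.$2.$3")
    e_fwd=$(sysctl_val "$1" "net.ipv4.conf.$2.forwarding")
    if [ "$3" = accept_redirects ] && [ "$e_fwd" = 1 ]; then
        # router case: redirects accepted only when both keys are 1
        if [ "$e_all" = 1 ] && [ "$e_dev" = 1 ]; then echo 1; else echo 0; fi
    else
        # host case, and send/secure_redirects always: either key enables it
        if [ "$e_all" = 1 ] || [ "$e_dev" = 1 ]; then echo 1; else echo 0; fi
    fi
}

# audit DUMP IFACE... -> one WARN line on stderr per weak setting, and the
# number of findings on stdout. Wanted state: accept=0, send=0, secure=1.
audit() {
    a_dump=$1; shift
    a_bad=0
    for a_if in "$@"; do
        for a_key in accept_redirects send_redirects secure_redirects; do
            a_want=0
            [ "$a_key" = secure_redirects ] && a_want=1
            a_got=$(effective "$a_dump" "$a_if" "$a_key")
            if [ "$a_got" != "$a_want" ]; then
                printf 'WARN %s: %s effectively %s (all=%s, %s=%s)\n' \
                    "$a_if" "$a_key" "$a_got" \
                    "$(sysctl_val "$a_dump" "net.ipv4.conf.all.$a_key")" "$a_if" \
                    "$(sysctl_val "$a_dump" "net.ipv4.conf.$a_if.$a_key")" >&2
                a_bad=$((a_bad + 1))
            fi
        done
    done
    echo "$a_bad"
}

# hardened_conf -> /etc/sysctl.conf lines for a non-forwarding host. Both
# `all` and `default` are set: the kernel copies a write to conf.default onto
# every interface whose key was never set individually, and `default` also
# seeds interfaces created later. Run the audit afterwards to catch interfaces
# that were set explicitly (the eth0 case in the sample dump).
hardened_conf() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
EOF
}

# Stand-alone run against the constructed dump. On a real host use, e.g.:
#   audit "$(sysctl -a 2>/dev/null)" eth0 eth1
echo "findings: $(audit "$SAMPLE_DUMP" eth0 eth1 eth2)"
hardened_conf
```

Against the sample dump the audit reports two findings, both on eth0 (accept_redirects and send_redirects are still effectively on because the per-interface key is 1 even though conf.all is 0); eth2's explicit accept_redirects = 1 is harmless only because that interface forwards, where the kernel ANDs the two keys. Absent keys are treated as 0, so pass the real interface names rather than relying on the dump containing them.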

/var/customers/webs/cw01/wiki/data/pages/security/iptables.txt · Last modified: 2012/02/06 11:10 by wadmin
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported