Block IP Address including ICMP using UFW

Posted by dr jimbob on Server Fault
Published on 2012-08-31T20:06:14Z Indexed on 2012/08/31 21:39 UTC


I prefer ufw to iptables for configuring my software firewall. After reading about this vulnerability also on askubuntu, I decided to block the fixed IP of the control server: 212.7.208.65. I don't think I'm vulnerable to this particular worm (and understand the IP could easily change), but wanted to answer this particular comment about how you would configure a firewall to block it.

I planned on using:

# sudo ufw deny to 212.7.208.65
# sudo ufw deny from 212.7.208.65

However, as a test that the rules were working, I tried pinging after I set up the rules and saw that my default ufw settings let ICMP through even from an IP address set to REJECT or DENY.

# ping 212.7.208.65
PING 212.7.208.65 (212.7.208.65) 56(84) bytes of data.
64 bytes from 212.7.208.65: icmp_seq=1 ttl=52 time=79.6 ms
^C
--- 212.7.208.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 79.630/79.630/79.630/0.000 ms

Now, I'm worried that my ICMP settings are too generous (conceivably this or a future worm could set up an ICMP tunnel to bypass my firewall rules).

I believe the relevant part of my iptables rules is given below (and even though grep doesn't show it, the rules are associated with the chains shown):

#  sudo iptables -L -n | grep -E '(INPUT|user-input|before-input|icmp |212.7.208.65)'
Chain INPUT (policy DROP)
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
Chain ufw-before-input (1 references)
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0           
Chain ufw-user-input (1 references)
DROP       all  --  0.0.0.0/0            212.7.208.65        
DROP       all  --  212.7.208.65         0.0.0.0/0           

How should I go about making it so ufw blocks ICMP when I specifically attempt to block an IP address?

My /etc/ufw/before.rules has in part:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

I tried changing ACCEPT above to ufw-user-input:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type source-quench -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type echo-request -j ufw-user-input

But ufw wouldn't restart after that. I'm not sure why (still troubleshooting), and I'm also not sure whether this is sensible. Will there be any negative effects (besides forcing the software firewall to push ICMP through a few more rules)?
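An added example, not part of the question or of any answer: a POSIX shell check that takes a before.rules fragment and reports whether a DROP for the address sits in ufw-before-input ahead of the generic ICMP ACCEPT lines, which is the ordering iptables actually walks. The patched fragment (explicit -s/-d DROP rules placed before the ICMP accepts) is an assumed remedy constructed for the example, not something the post contains.

```shell
#!/bin/sh
# Added example: ufw evaluates ufw-before-input before ufw-user-input, so a
# deny that lives only in the user chain never sees ICMP that before.rules
# has already accepted.  This check lints a before.rules fragment for that.

# Constructed sample: the unmodified fragment quoted in the question.
ORIGINAL_RULES='# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# Constructed sample: the same fragment with DROP rules for the blocked
# address inserted ahead of the ICMP accepts (assumed fix, not from the post).
PATCHED_RULES="# drop the blocked host before any ICMP is accepted
-A ufw-before-input -s 212.7.208.65 -j DROP
-A ufw-before-input -d 212.7.208.65 -j DROP
$ORIGINAL_RULES"

# icmp_blocked_before_accept RULES IP
# Prints "blocked" and returns 0 when a DROP/REJECT mentioning IP appears in
# ufw-before-input before the first ICMP ACCEPT in that chain; otherwise
# prints "leaks" and returns 1.  Line order is rule order, so order is all
# that is inspected.
icmp_blocked_before_accept() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^-A ufw-before-input/ && /-p icmp/ && /-j ACCEPT/ { accept_seen = 1 }
        /^-A ufw-before-input/ && index($0, ip) && /-j (DROP|REJECT)/ && !accept_seen { found = 1 }
        END { if (found) { print "blocked"; exit 0 } else { print "leaks"; exit 1 } }'
}

# Usage with the two constructed fragments: prints "leaks" then "blocked".
for rules in "$ORIGINAL_RULES" "$PATCHED_RULES"; do
    icmp_blocked_before_accept "$rules" 212.7.208.65 || :
done
```

To run it against a real system, replace the constructed samples with the contents of /etc/ufw/before.rules (for example via `cat`) and the address you intend to block.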
