Prevent Linux from processing incoming ICMP Host unreachable packets
Posted by bbc on Server Fault
Published on 2013-11-08T20:28:06Z
I have a test setup with one host on a network (10.1.0.0/16) talking via TCP to another one on another network (10.2.0.0/16) and a gateway in the middle.
Sometimes, the TCP connection is lost and while scanning the trace (pcap), it looks like it's because of just one ICMP Host unreachable message sent by the gateway to 10.1.0.1 at some point. 10.1.0.1 then sends a TCP RST to 10.2.0.1.
In my opinion, the gateway (pfSense) is broken or not configured correctly but anyway, for testing purposes, I'd like to block this kind of ICMP on the host (10.1.0.1) before it has an influence on my TCP connection (or does it? I'm not even sure).
I've tried iptables:
iptables -I INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
but while it does a good job at preventing userspace applications like ping from receiving these ICMP messages, my TCP connection still comes to an end when the alleged "killer ICMP packet" is sent by the gateway.
Am I right about how it is processed? If yes, then what can I do to achieve my goal?
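As an added example (not part of the original question, and not code from the asker): the check a practitioner would want to run on such a trace is to decode the ICMP Destination Unreachable message and read the quoted inner IP/TCP header it carries. That quoted header (original source and destination addresses, ports, and the first sequence number) is what a receiving kernel uses to find the socket the error belongs to, so it tells you whether the message actually targets the connection that was reset. The script below parses a raw IPv4/ICMP packet with the standard library only and also builds a constructed sample; the addresses 10.1.0.1 and 10.2.0.1 are from the post, while the gateway address 10.1.0.254, the ports and the sequence number are assumptions chosen for the sample.

```python
"""Decode ICMP Destination Unreachable (type 3) and extract the quoted
inner header. Added example; parses raw IPv4 bytes (no link layer)."""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
UNREACH_CODES = {
    0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed", 13: "communication-prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(buf: bytes, verify_checksum: bool = True):
    """Return (fields, payload) for an IPv4 packet; rejects truncated or odd headers."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    if verify_checksum and inet_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
              "proto": proto, "ttl": ttl}
    return fields, buf[ihl:total_len]


def parse_icmp_unreachable(buf: bytes):
    """Decode an IPv4/ICMP Destination Unreachable packet.

    Returns None unless the packet is ICMP type 3; otherwise a dict with the
    outer addresses, the code, the quoted inner IP addresses and protocol and,
    for TCP, the quoted ports and sequence number (RFC 792 only guarantees the
    first 8 bytes of the original transport header are quoted).
    """
    outer, icmp = parse_ipv4(buf)
    if outer["proto"] != IPPROTO_ICMP or len(icmp) < 8:
        return None
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    # The quoted header is copied from the failed datagram; its checksum is not
    # re-verified here because some routers quote it after decrementing TTL.
    inner, quoted = parse_ipv4(icmp[8:], verify_checksum=False)
    if len(quoted) < 8:
        raise ValueError("quoted transport header shorter than 8 bytes")
    info = {"from": outer["src"], "to": outer["dst"], "code": code,
            "code_name": UNREACH_CODES.get(code, "code-%d" % code),
            "inner_src": inner["src"], "inner_dst": inner["dst"], "inner_proto": inner["proto"]}
    if inner["proto"] == IPPROTO_TCP:
        sport, dport, seq = struct.unpack("!HHI", quoted[:8])
        info.update(sport=sport, dport=dport, seq=seq)
    return info


def socket_key(info):
    """(local addr, local port, remote addr, remote port) of the socket the
    receiving host looks up; the error is only delivered if one exists."""
    return (info["inner_src"], info["sport"], info["inner_dst"], info["dport"])


def build_host_unreachable(gateway, orig_src, orig_dst, sport, dport, seq):
    """Constructed sample of what a router emits when it cannot reach orig_dst."""
    quoted_tcp = struct.pack("!HHI", sport, dport, seq)
    inner_ip = ipv4_header(orig_src, orig_dst, IPPROTO_TCP, 40) + quoted_tcp
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + inner_ip
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(gateway, orig_src, IPPROTO_ICMP, 20 + len(icmp)) + icmp


# Constructed sample: gateway address, ports and sequence number are assumptions.
SAMPLE = build_host_unreachable("10.1.0.254", "10.1.0.1", "10.2.0.1", 40000, 5000, 0x11223344)

if __name__ == "__main__":
    info = parse_icmp_unreachable(SAMPLE)
    print(info)
    print("socket looked up by the receiving host:", socket_key(info))
```

To apply it to a real capture, feed the script the IPv4 bytes of the ICMP frame from the pcap (strip the 14-byte Ethernet header first) and compare socket_key() with the four-tuple of the connection that was reset. RFC 1122 section 4.2.3.9 classifies Destination Unreachable codes 0, 1 and 5 as soft errors that TCP must not abort an established connection on, so a quoted header that names the reset connection is worth investigating further, while one that names a different connection rules the message out.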
© Server Fault or respective owner