
How to Disable ICMP Redirects in Linux

ICMP redirect messages are one of the lowest-level routing mechanisms, used for simple redirects. Routers send them to hosts to tell them about a more efficient way to reach a host than routing the traffic through the router itself. A host will accept this message and store the "hint" in a temporary table. It will send the next packet directly to the host given by the ICMP redirect.

However, the Linux kernel doesn't listen to ICMP redirects when it is configured as a router and not as a host. So be careful when setting up routing tables for routers: they have to be complete. No hints from other hosts will be accepted, and only the local routing table decides where packets go.

Disable ICMP Redirects:
On most Linux distributions (Debian, Ubuntu, Red Hat Enterprise Linux, openSUSE), ICMP redirects can be disabled on the host by adding the proper entries to the /etc/sysctl.conf configuration file. Edit the /etc/sysctl.conf file and add the following entries:

For IPv4
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
For IPv6 (the kernel has no send_redirects key for IPv6)
net.ipv6.conf.all.accept_redirects = 0
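
A check to run after applying the settings, as an added example that is not part of the original post: it lists every redirect key that is still non-zero, including per-interface ones. The kernel's ip-sysctl documentation says IPv4 redirects stay enabled on an interface if either the `all` value or that interface's own value is set (for accept_redirects, when forwarding is off), so `all = 0` on its own can leave an interface open. The function name `audit_redirects` and its optional root argument are assumptions made for this example.

```shell
#!/bin/sh
# audit_redirects [ROOT]
#   ROOT is the sysctl tree to inspect; it defaults to /proc/sys.
#   Passing another directory lets the check run against a copied
#   or constructed tree instead of the live system.
#   Prints one "key = value" line per redirect setting that is not 0,
#   using the slash-separated key form that sysctl(8) also accepts
#   (this keeps interface names containing dots, such as VLANs, unambiguous).
#   Returns 0 if every setting is 0, 1 otherwise.
audit_redirects() {
    root="${1:-/proc/sys}"
    bad=0
    # IPv4 has accept_redirects and send_redirects per interface;
    # IPv6 only has accept_redirects.
    for f in "$root"/net/ipv4/conf/*/accept_redirects \
             "$root"/net/ipv4/conf/*/send_redirects \
             "$root"/net/ipv6/conf/*/accept_redirects; do
        # Skip unmatched globs (for example when IPv6 is not loaded).
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            printf '%s = %s\n' "${f#"$root"/}" "$val"
            bad=1
        fi
    done
    return "$bad"
}

# Usage on a live host:
#   audit_redirects || echo "redirects still enabled on the keys listed above"
```

Each key it prints can be added to /etc/sysctl.conf with a value of 0, for instance through the `default` entry or the interface's own entry.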


2 comments:

Sumant said...

Holding a special place, some say, within the IP layer is ICMP. You're probably familiar with ICMP when you use the ping command because ping uses ICMP. ICMP, or Internet Control Message Protocol, has several uses, including being the underlying protocol for the ping command. There are 15 functions within ICMP each denoted by a type code. For instance, the type for an ICMP Echo Request (think: ping) is 8; the reply to that request, aptly titled an Echo Reply, is type 0. Within the different types there can also exist codes to specify the condition for the given type. The types and codes for ICMP messages are shown.

Recently I just came across a good article on "IPV6 - The ICMP Overview".
Here is its link.

Owen said...

I realise I'm two years too late on this, but this will do the complete opposite of what you say it will.

You want:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

As in, "don't accept/send redirects".
