Mailing List Archive

icmp-type question
Hi there list,...

I need to block all
timestamp-request and
timestamp-reply

On eth0 (Internet-facing Fast Ethernet segment on a multi-homed Linux
router) but not on eth1 (LAN-facing range).

I've played with it a bit but can't get it to behave... I can
selectively filter all other ICMP correctly.
It's been 4 weeks of playing and googling and I'm at my wits' end! Please help.

Ciao ciao and many thanks
Ross
Re: icmp-type question [ In reply to ]
Ross Cameron wrote:
> Hi there list,...
>
> I need to block all
> timestamp-request and
> timestamp-reply
>
> On eth0 (Inet facing fast ethernet segment on a multi homed Linux
> router) but not on eth1 (LAN facing range).
>

I don't know how to test this so here's a guess. Hope it works.

Drop requests from the internet:
iptables -A INPUT -p icmp --icmp-type timestamp-request -i eth0 -j DROP

My thought is that if no timestamp requests are accepted no timestamp
replies would be generated. In case that's an invalid assumption you
could also filter the output chain.

...and drop answers to the internet:
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -o eth0 -j DROP

Depending on what else you are doing you may need matching rules in your
forward chains, too.

:m)
Re: icmp-type question [ In reply to ]
On 6/27/2007 12:09 PM, Mike Wright wrote:
> My thought is that if no timestamp requests are accepted no timestamp
> replies would be generated. In case that's an invalid assumption you
> could also filter the output chain.

*nod*

> Depending on what else you are doing you may need matching rules in your
> forward chains, too.

This is why a (sub)chain to do the filtering is nice. Jump to the same
(sub)chain from both filter:INPUT and filter:FORWARD and return out of
it with any traffic that passes back to the rule after the one that
jumped in to it. Just have your (sub)chain DROP the packet if it does
match and allow all non-matching traffic to fall off the end and RETURN.
Seeing as how it is a (sub)chain, I don't think you can set a policy
of RETURN and you would have to create a rule to RETURN, but this is a
non-issue.



Grant. . . .
Re: icmp-type question [ In reply to ]
On 27/06/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 6/27/2007 12:09 PM, Mike Wright wrote:
> > Depending on what else you are doing you may need matching rules in your
> > forward chains, too.
>
> This is why a (sub)chain to do the filtering is nice. Jump to the same
> (sub)chain from both filter:INPUT and filter:FORWARD and return out of
> it with any traffic that passes back to the rule after the one that
> jumped in to it. Just have your (sub)chain DROP the packet if it does
> match and allow all non-matching traffic to fall off the end and RETURN.
> Seeing as how it is a (sub)chain, I don't think you can set a policy
> of RETURN and you would have to create a rule to RETURN, but this is a
> non-issue.

How do you create sub-chains?
I've heard the term before but never found an example that uses it.

Many thanks for all the advice guys.
Re: icmp-type question [ In reply to ]
On Thursday, 28 June, Ross Cameron typed the following:

[filter icmp timestamp-*]

> How do you create sub-chains?
> I've heard the term before but never found an example that uses it.

This is a simple task:

iptables -N yourChainName

For your problem:

iptables -N icmp_timestamp
iptables -A icmp_timestamp -p icmp --icmp-type timestamp-request -j REJECT --reject-with icmp-admin-prohibited
iptables -A icmp_timestamp -p icmp --icmp-type timestamp-reply -j REJECT --reject-with icmp-admin-prohibited

iptables -A INPUT -i eth0 -p icmp -j icmp_timestamp
iptables -A OUTPUT -o eth0 -p icmp -j icmp_timestamp

(The interesting question here might be whether it is wise to put these two
simple rules in a subchain when thinking about rule processing
speed.)

HTH
Ciao
Max
--
Follow the white penguin.
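As an added example, not code from anyone in this thread, here is the whole approach from Grant's subchain description and Max's rules pulled together: a shell function that emits an iptables-restore fragment for the filter table. It creates one user-defined chain that DROPs ICMP timestamp-request and timestamp-reply and explicitly RETURNs everything else, then jumps into that chain from INPUT, FORWARD and OUTPUT, restricted to the Internet-facing interface in both directions so traffic that only touches the LAN interface is never affected. The interface name eth0, the chain name icmp_timestamp and the use of DROP rather than REJECT are assumptions; change them to taste.

```shell
#!/bin/sh
# Added example: build an iptables-restore fragment that filters ICMP
# timestamp-request (type 13) and timestamp-reply (type 14) on one
# interface only, using a user-defined (sub)chain.
# Assumptions: WAN interface eth0, chain name icmp_timestamp, DROP target.

WAN_IF="${WAN_IF:-eth0}"          # Internet-facing interface (assumed name)
CHAIN="${CHAIN:-icmp_timestamp}"  # user-defined chain (assumed name)

# Print the filter-table fragment. The user-defined chain matches only the
# two timestamp types; everything else hits the explicit RETURN (falling off
# the end of a user-defined chain has the same effect) and processing
# continues at the rule after the jump in the calling built-in chain.
# INPUT covers requests aimed at the router itself, OUTPUT covers the
# router's own replies, and FORWARD (both -i and -o) covers LAN hosts the
# router routes for. Nothing here matches on eth1, so LAN-side traffic
# through that interface alone is untouched.
emit_ruleset() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A ${CHAIN} -p icmp --icmp-type timestamp-request -j DROP
-A ${CHAIN} -p icmp --icmp-type timestamp-reply -j DROP
-A ${CHAIN} -j RETURN
-I INPUT 1 -i ${WAN_IF} -p icmp -j ${CHAIN}
-I FORWARD 1 -i ${WAN_IF} -p icmp -j ${CHAIN}
-I FORWARD 1 -o ${WAN_IF} -p icmp -j ${CHAIN}
-I OUTPUT 1 -o ${WAN_IF} -p icmp -j ${CHAIN}
COMMIT
EOF
}

# Number of rule lines (-A/-I) in the fragment; handy as a sanity check
# before loading it. Expected: 3 chain rules + 4 jumps = 7.
rule_count() {
    emit_ruleset | grep -c '^-'
}

# Stand-alone use: print the fragment so it can be piped into
# iptables-restore (see note below); nothing is applied by this script.
if [ "${1:-}" = "--print" ]; then
    emit_ruleset
fi
```

Load it without discarding the rules already in the filter table with `sh script.sh --print | iptables-restore --noflush` (or `iptables-restore --test` first to only parse the ruleset); the `-I ... 1` lines put the jumps at the top of the built-in chains so nothing earlier can ACCEPT the timestamp packets first. Verify with `iptables -S icmp_timestamp` and `iptables -S INPUT`, and confirm from a host on the eth0 side that a type-13 probe (for example `hping3 -C 13 <router>`) gets no type-14 answer while the same probe from the eth1 side still does. If you prefer Max's REJECT with `icmp-admin-prohibited`, swap the two DROP targets; the chain layout does not change.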