Iptables Connection Tracking - ICMP
This post deals with connection tracking and the ICMP protocol.
In conntrack's view, there are only four ICMP request/reply pairs that can be classified as NEW or ESTABLISHED:
1) Echo request (ping, type 8) and echo reply (pong, type 0).
2) Timestamp request (13) and reply (14).
3) Information request (15) and reply (16).
4) Address mask request (17) and reply (18).
The request in each case is classified as NEW and the reply as ESTABLISHED.
Other ICMP types are not request/reply based. The error messages (destination unreachable, source quench, redirect, time exceeded, parameter problem) carry the header of the packet that triggered them, so they can only be RELATED to the tracked connection that packet belonged to; an ICMP packet that matches neither a request/reply pair nor an existing connection is INVALID.
Let us consider a sample ruleset and a few examples:
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
(The `-m state --state` match is the legacy spelling of `-m conntrack --ctstate`; both consult the same connection tracking table. The examples below assume the chain policy is DROP, or that a DROP rule follows these, so anything not matched here is dropped.)
- An icmp echo request is NEW and so is allowed in the OUTPUT chain.
- An icmp echo reply, provided it is in response to an echo request, is ESTABLISHED and so is allowed in the INPUT chain. An echo reply cannot be allowed in the OUTPUT chain by the rules above: an inbound echo request is NEW, and there is no NEW in the INPUT chain to accept it, so no entry is ever confirmed in the state table. A reply has to be in response to a tracked request, so our outgoing echo reply matches nothing and is INVALID rather than ESTABLISHED.
- An icmp redirect, because it is not request-reply based, is RELATED and so can be allowed in both the INPUT and the OUTPUT chains, provided there is already a tracked connection in the state table (typically a tcp or udp flow) that the header embedded in the redirect can be matched against.
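To make the classification above concrete, here is a small Python model of how the connection tracking table treats ICMP, written as an added example for this post (it is not netfilter code and not part of the original post). It encodes the four request/reply pairs and the error types, runs the post's two rules with a DROP policy, and walks through the three examples: our own ping, a ping from the peer that we never accept, and a redirect with and without a matching tracked flow. The addresses, ICMP ids and the pre-seeded UDP entry are constructed for the demonstration.

```python
"""Toy model of netfilter's ICMP connection tracking (added example, not
kernel code).  It classifies ICMP packets as NEW / ESTABLISHED / RELATED /
INVALID the way the post describes and runs them through the post's two
rules with a DROP policy.  Addresses and ICMP ids below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Request/reply pairs that conntrack pairs up (type numbers from RFC 792/950).
REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}
REPLY_TO_REQUEST = {reply: req for req, reply in REQUEST_TO_REPLY.items()}
# Error messages embed the header of the packet that triggered them:
# unreachable, source quench, redirect, time exceeded, parameter problem.
ERROR_TYPES = {3, 4, 5, 11, 12}

# A tracked flow in its original direction: (proto, src, dst, sport_or_id, dport_or_type).
CtTuple = Tuple[str, str, str, int, int]


@dataclass
class Packet:
    chain: str                      # "INPUT" or "OUTPUT"
    src: str
    dst: str
    icmp_type: int
    icmp_id: int = 0
    inner: Optional[CtTuple] = None  # embedded original header, error types only


class Conntrack:
    """Holds confirmed entries only.  A NEW entry is confirmed after the packet is
    accepted, so an inbound echo request dropped by INPUT never lands here."""

    def __init__(self) -> None:
        self.entries: Set[CtTuple] = set()

    @staticmethod
    def reverse(t: CtTuple) -> CtTuple:
        proto, src, dst, a, b = t
        return (proto, dst, src, a, b)

    def classify(self, p: Packet) -> Tuple[str, Optional[CtTuple]]:
        """Return (state, tuple to confirm if the packet is NEW)."""
        if p.icmp_type in REQUEST_TO_REPLY:
            key = ("icmp", p.src, p.dst, p.icmp_id, p.icmp_type)
            return ("ESTABLISHED", None) if key in self.entries else ("NEW", key)
        if p.icmp_type in REPLY_TO_REQUEST:
            # A reply matches the entry whose request travelled the other way.
            key = ("icmp", p.dst, p.src, p.icmp_id, REPLY_TO_REQUEST[p.icmp_type])
            return ("ESTABLISHED", None) if key in self.entries else ("INVALID", None)
        if p.icmp_type in ERROR_TYPES and p.inner is not None:
            if p.inner in self.entries or self.reverse(p.inner) in self.entries:
                return ("RELATED", None)
        return ("INVALID", None)


# The two rules from the post, expressed as the states each chain accepts.
ALLOWED = {"OUTPUT": {"NEW", "ESTABLISHED", "RELATED"},
           "INPUT": {"ESTABLISHED", "RELATED"}}


def filter_packet(ct: Conntrack, p: Packet) -> Tuple[str, str]:
    """Apply the ruleset with a DROP policy; confirm NEW entries only on ACCEPT."""
    state, key = ct.classify(p)
    verdict = "ACCEPT" if state in ALLOWED[p.chain] else "DROP"
    if verdict == "ACCEPT" and key is not None:
        ct.entries.add(key)
    return state, verdict


def run_scenarios() -> List[Tuple[str, str, str]]:
    """Walk the post's three examples; returns (label, state, verdict) per packet."""
    ct = Conntrack()
    me, peer, dns = "10.0.0.2", "198.51.100.7", "192.0.2.53"  # constructed
    results: List[Tuple[str, str, str]] = []

    def step(label: str, p: Packet) -> None:
        results.append((label,) + filter_packet(ct, p))

    step("our echo request out", Packet("OUTPUT", me, peer, 8, icmp_id=1))
    step("their echo reply in", Packet("INPUT", peer, me, 0, icmp_id=1))
    step("their echo request in", Packet("INPUT", peer, me, 8, icmp_id=2))
    step("our echo reply out", Packet("OUTPUT", me, peer, 0, icmp_id=2))
    # A UDP flow accepted earlier by some other rule (assumed, not in the post).
    udp: CtTuple = ("udp", me, dns, 40000, 53)
    ct.entries.add(udp)
    step("redirect in, embeds our DNS query", Packet("INPUT", peer, me, 5, inner=udp))
    step("redirect in, embeds unknown flow",
         Packet("INPUT", peer, me, 5, inner=("udp", me, dns, 40001, 53)))
    return results


if __name__ == "__main__":
    for label, state, verdict in run_scenarios():
        print(f"{label:38} {state:12} {verdict}")
```

The fourth step is the one worth staring at: because the peer's echo request was dropped before its entry could be confirmed, our outgoing reply is not ESTABLISHED but INVALID, which is exactly why the OUTPUT rule's NEW,ESTABLISHED,RELATED list does not let it through. The model only keys ICMP echo on source, destination, id and type, which is enough for the post's examples; real conntrack also applies timeouts and per-protocol state, which are left out here.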