Linux – iptables can’t block timestamp request with CentOS

icmp, iptables, linux, timestamp

I am setting up a firewall with iptables on my host. I want to disable ICMP timestamp requests, but it's weird: I only allow type 8 (echo-request) to come into the host, but even so, I can still get a timestamp from my host.

64 bytes from xxxxxxxxx: icmp_seq=2 ttl=61 time=2.56 ms
TS:     36654775 absolute
        -6423
        3
        1
        -4
        0
        4
        0
        -2
Unrecorded hops: 1

I try to allow type 8 only, but it doesn't work. It appears that all I can do is let all ICMP requests pass or deny all of them. The following is the configuration script I'm using.

iptables -F
iptables -X
iptables -Z
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT

# allow the icmp
iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT

# services
iptables -A INPUT -p TCP --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p UDP --sport 53 -j ACCEPT # DNS
iptables -A INPUT -p TCP --sport 53 -j ACCEPT # DNS
iptables -A INPUT -p TCP --dport 80 -j ACCEPT # HTTP
iptables -A INPUT -p TCP --dport 443  -j ACCEPT   # HTTPS

# allow the reply from outgoing established connections
iptables -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

The version of the Linux kernel is 2.6.18, and the version of iptables is v1.3.5. What's wrong with that? How can I block timestamp requests?

Best Answer

I tried the timestamp option of ping, and it looks like the ICMP type remains at 8 and that the timestamp request is a part of the IP options. This is probably why you are not filtering the requests, since they look just like regular echo requests to iptables.

There is a match extension called ipv4options you might want to explore for blocking the timestamps.
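The answer's point, shown as an added example that is not part of the original answer: a small Python parser run over two constructed packets, one plain echo request and one carrying the IP timestamp option (type 68, RFC 791). Both report ICMP type 8, so a rule on `--icmp-type 8` cannot tell them apart; only the IP options differ. The addresses, ICMP id and payload are constructed values, and the function names are hypothetical.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_TIMESTAMP = 0, 1, 68  # RFC 791 option types

# Constructed timestamp option: type 68, length 12, pointer 5, flags 0,
# followed by room for two 32-bit timestamps.
TS_OPTION = bytes([IPOPT_TIMESTAMP, 12, 5, 0]) + b"\x00" * 8

def build_packet(options=b""):
    """Constructed IPv4 + ICMP echo request (checksums left at zero)."""
    options += b"\x00" * (-len(options) % 4)   # pad header to 32-bit words
    ihl = 5 + len(options) // 4                # header length in words
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"payload!"
    total = ihl * 4 + len(icmp)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0,
                         64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + icmp

def inspect(packet):
    """Return (icmp_type, [IP option types]) for an IPv4/ICMP packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 1:
        raise ValueError("not a complete IPv4 packet")
    if packet[9] != 1:
        raise ValueError("not ICMP")
    found, i = [], 20                          # options start after 20 bytes
    while i < ihl:
        opt = packet[i]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:                   # single-byte option
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed IP option")
        found.append(opt)
        i += packet[i + 1]                     # skip by the option's length
    return packet[ihl], found

def has_timestamp_option(packet):
    """What an IP-options match has to look at, not the ICMP type."""
    return IPOPT_TIMESTAMP in inspect(packet)[1]

if __name__ == "__main__":
    for name, pkt in (("plain ping", build_packet()),
                      ("ping with timestamp option", build_packet(TS_OPTION))):
        icmp_type, opts = inspect(pkt)
        print(f"{name}: icmp type {icmp_type}, ip options {opts}")
```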
