ICMP connections in IPtables

ICMP packets carry only control messages and never establish a lasting connection. However, four ICMP types cause a reply to be sent, so they can take two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, Timestamp Request/Reply and Information Request/Reply are considered obsolete and in most cases can simply be dropped (DROP). Take a look at the figure below.

As the figure shows, the server sends an Echo Request (ping) to the client, and the firewall recognises this request as NEW. The client answers with an Echo Reply, and that packet is recognised as having the state ESTABLISHED. Once the first packet (the Echo Request) has passed, the following entry appears in ip_conntrack:

icmp 1 25 src= dst= type=8 code=0 \
id=33029 [UNREPLIED] src= dst= \
type=0 code=0 id=33029 use=1

This entry differs slightly from the TCP and UDP records. The protocol name, the timeout and the sender and receiver addresses are present exactly as before, but there are three new fields: type, code and id. The type field holds the ICMP type and the code field the ICMP code; the ICMP type and code values are listed in the appendix on ICMP types. The id field holds the packet identifier. Every ICMP packet carries an identifier; when the receiver answers an ICMP request it copies this ID into the reply packet, so that the sender can tell which request a given reply belongs to.

The next field is the [UNREPLIED] flag, which we have met before. It means that only the first packet of the connection has been seen so far. The entry ends with a description of the expected reply packet: the sender and receiver addresses, swapped; the ICMP type and code, set to the values expected for the ICMP Echo Reply; and the ID of the reply, which is the same as in the request packet.

The reply packet is recognised as ESTABLISHED. However, we know that nothing more is expected on this connection after the reply, so once the reply has passed through netfilter the entry in the tracking table is destroyed.

In every case, the request is treated as NEW and the reply as ESTABLISHED.

Note that the reply packet must match the entry in the table in all its characteristics (sender and receiver addresses, type, code and identifier); the same is true of the connection tracker for all other types of traffic.

ICMP requests have a timeout, 30 seconds by default. In most cases this is enough. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (Recall that the /proc/sys/net/ipv4/netfilter/ip_ct_* variables become available only after the tcp-window-tracking patch from patch-o-matic has been installed.)

A large part of ICMP is used to report what has happened to some UDP or TCP connection. Because of this, such messages are often recognised as RELATED to an existing connection. A simple example is ICMP Host Unreachable or ICMP Network Unreachable: these are always generated when you try to connect to a host while the host or its network is unavailable; in that case the last router returns an ICMP packet, which is recognised as RELATED. The figure below shows how this works.

In this example, the host sends a connection request (a SYN packet). The firewall gives it the state NEW. However, at that moment the network is not reachable, so a router returns an ICMP Network Unreachable packet. The connection tracker recognises it as RELATED to an existing entry in the table, so the packet is safely passed to the client, which then aborts the failed connection. Meanwhile, the firewall deletes the entry from the table, because an error message has been received for this connection.

The same happens with UDP connections if they run into similar problems. All ICMP messages sent in reply to a UDP connection are seen as RELATED. Take a look at the following picture.

A UDP datagram is sent to the server. The connection state is NEW. However, network access is prohibited (by a firewall or a router), so an ICMP Network Prohibited message is returned. The firewall detects it as belonging to the open UDP connection, gives it the state RELATED and passes it to the client. After that the entry in the tracker's table is destroyed, and the client terminates the connection.
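To make the two mechanisms above concrete (the NEW/ESTABLISHED handling of an ICMP request and its reply, and the RELATED handling of ICMP errors that report on a TCP or UDP connection), here is a toy model of the connection tracker in Python. It is an added example, not code from the tutorial or from the netfilter project: the Packet and ConnTracker classes, the tuple layout and the dump format are assumptions made for the illustration, and the addresses and identifiers used with it are constructed sample values. The 30-second ICMP timeout is the page's default; the TCP/UDP timeout is an arbitrary toy value.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP types of the four request/reply pairs named in the text, plus type 3.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
REPLY_TYPE = {ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY,  # echo
              13: 14,                               # timestamp
              15: 16,                               # information
              17: 18}                               # address mask
PROTO_NUMBER = {"icmp": 1, "tcp": 6, "udp": 17}
# 30 s is the page's default ICMP timeout; the TCP/UDP value is a toy setting.
TIMEOUT = {"icmp": 30, "tcp": 60, "udp": 60}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: int = 0
    icmp_code: int = 0
    icmp_id: int = 0
    sport: int = 0
    dport: int = 0
    inner: Optional["Packet"] = None  # original header quoted in an ICMP error


def tuple_of(p: Packet) -> tuple:
    """Fields an entry is keyed on (for ICMP: addresses, type, code and id)."""
    if p.proto == "icmp":
        return ("icmp", p.src, p.dst, p.icmp_type, p.icmp_code, p.icmp_id)
    return (p.proto, p.src, p.dst, p.sport, p.dport)


def expected_reply(p: Packet) -> tuple:
    """Swap the addresses, map the request type to its reply type, keep the id."""
    if p.proto == "icmp":
        return ("icmp", p.dst, p.src, REPLY_TYPE[p.icmp_type], 0, p.icmp_id)
    return (p.proto, p.dst, p.src, p.dport, p.sport)


@dataclass
class Entry:
    original: tuple
    reply: tuple      # the tuple the reply packet has to match
    expires: float
    unreplied: bool = True


class ConnTracker:
    def __init__(self) -> None:
        self.entries = []

    def _expire(self, now: float) -> None:
        self.entries = [e for e in self.entries if e.expires > now]

    def _find(self, key: tuple, side: str) -> Optional[Entry]:
        return next((e for e in self.entries if getattr(e, side) == key), None)

    def classify(self, p: Packet, now: float) -> str:
        """Return the conntrack state the page assigns to this packet."""
        self._expire(now)
        key = tuple_of(p)
        if p.proto != "icmp":
            e = self._find(key, "original") or self._find(key, "reply")
            if e is None:                             # first packet of a flow
                self.entries.append(Entry(key, expected_reply(p), now + TIMEOUT[p.proto]))
                return "NEW"
            e.expires = now + TIMEOUT[p.proto]
            e.unreplied = e.unreplied and e.reply != key
            return "ESTABLISHED"
        if p.icmp_type in REPLY_TYPE:                 # a request opens an entry
            self.entries.append(Entry(key, expected_reply(p), now + TIMEOUT["icmp"]))
            return "NEW"
        if p.icmp_type in REPLY_TYPE.values():        # a reply must match an expectation
            e = self._find(key, "reply")
            if e is None:
                return "INVALID"
            self.entries.remove(e)                    # nothing more is expected
            return "ESTABLISHED"
        if p.icmp_type == ICMP_DEST_UNREACH and p.inner is not None:
            e = self._find(tuple_of(p.inner), "original")
            if e is None:
                return "INVALID"
            self.entries.remove(e)                    # the attempt has failed
            return "RELATED"
        return "INVALID"

    def dump(self, now: float) -> list:
        """Render the table in the /proc/net/ip_conntrack style shown on the page."""
        self._expire(now)
        return [f"{e.original[0]} {PROTO_NUMBER[e.original[0]]} {int(e.expires - now)} "
                f"{_fields(e.original)} {'[UNREPLIED] ' if e.unreplied else ''}"
                f"{_fields(e.reply)} use=1" for e in self.entries]


def _fields(t: tuple) -> str:
    if t[0] == "icmp":
        return f"src={t[1]} dst={t[2]} type={t[3]} code={t[4]} id={t[5]}"
    return f"src={t[1]} dst={t[2]} sport={t[3]} dport={t[4]}"
```

Feeding an Echo Request with id 33029 to `classify` yields NEW and a `dump` line of the form shown in the text (type=8 on the original side, type=0 on the expected side, the same id on both, and the [UNREPLIED] flag); the matching Echo Reply yields ESTABLISHED and removes the entry, while a reply with the wrong id, a reply arriving after the timeout, or a second reply to a closed entry yields INVALID. A TCP SYN or UDP datagram followed by a type 3 error that quotes it yields RELATED and likewise closes the entry.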