Kanin Peanviriyakulkit

Reputation: 520

ERROR: iptables v1.4.21: icmp: option "--icmp-type" must be specified

I am trying to protect against Smurf attacks with iptables, with

iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

when I run this command

iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

iptables shows an error:

iptables v1.4.21: icmp: option "--icmp-type" must be specified

What is the problem?

Upvotes: 0

Views: 5630

Answers (1)

thelogix

Reputation: 610

The problem is that when using the icmp module, you must always specify one or more ICMP types using --icmp-type. This is because ICMP is used for a lot of legitimate things, like "fragmentation needed", which would be bad to block, as it would lead to unreachable destinations.

Usually a smurf attack (which is a thing of the 90s) is done by making your server reply to a lot of echo requests. Echo requests are icmp-type 8, so I'd suggest this instead:

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

This will allow 1 "icmp echo reply" per second (aka "ping reply"). I'd personally set that limit a bit higher than 1/second, but this should work.

Upvotes: 6
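An added pre-flight check, not part of the question or the answer above: it flags any rule that loads the icmp match (-m icmp) without --icmp-type, which is exactly the rule iptables rejected here, and it emits the corrected three-rule set from the answer. It only inspects rule strings; no iptables binary is run, so it needs no root.

```sh
#!/bin/sh
# Added example, not from the original post. Rules are handled as single-line
# strings; nothing here calls the real iptables.

# Returns 0 when the rule is acceptable, 1 when it would trigger
# 'icmp: option "--icmp-type" must be specified'. A bare "-p icmp" rule with
# no explicit "-m icmp" is fine: iptables does not require a type there.
check_icmp_rule() {
    rule="$1"
    case " $rule " in
        *" -m icmp "*)
            case " $rule " in
                *" --icmp-type"*) return 0 ;;   # covers --icmp-type 8 and --icmp-type=8
                *) return 1 ;;
            esac
            ;;
        *) return 0 ;;
    esac
}

# Prints the corrected rule set: keep the two DROP rules from the question and
# rate-limit only echo requests (type 8) instead of all of ICMP, as the answer
# suggests. Other ICMP types (e.g. "fragmentation needed") are left untouched.
corrected_icmp_rules() {
    printf '%s\n' \
      'iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP' \
      'iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP' \
      'iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT'
}

# Reads one rule per line on stdin; returns 1 at the first rule that would fail.
check_rule_set() {
    while IFS= read -r line; do
        check_icmp_rule "$line" || { printf 'would fail: %s\n' "$line" >&2; return 1; }
    done
    return 0
}

# Demo when run directly: the rule from the question, then the corrected set.
BROKEN='iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT'
check_icmp_rule "$BROKEN" || printf 'would fail: %s\n' "$BROKEN"
corrected_icmp_rules | check_rule_set && echo 'corrected rule set OK'
```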
