How to ignore ICMP redirects?
Environment
Red Hat Enterprise Linux 7+
IPv4 / ICMP
Issue
How can we disable ICMP redirects on our host?
Resolution
This solution is concerned with IPv4 ICMP redirects only. For ICMPv6, please see "How to disable ipv6 icmp redirects?".
ICMP redirects can be ignored in either of two ways:
1. Creation of firewall rule
2. Setting kernel parameters (sysctl)
1. Creation of firewall rule
Disclaimer: this solution requires careful consideration of the firewall ruleset in your environment. Proceed only if you are certain that the newly added rule will not interfere with rules that are already applied.
Requirements: firewalld is running.
The following rule makes firewalld drop all ICMP redirects on interfaces that are part of the default zone:
# firewall-cmd --permanent --add-icmp-block=redirect
# firewall-cmd --reload
# firewall-cmd --list-all
2. Setting kernel parameters (sysctl)
The kernel has a parameter for this behavior, called accept_redirects.
Snippet from the kernel documentation:
accept_redirects - BOOLEAN
Accept ICMP redirect messages.
accept_redirects for the interface will be enabled if:
- both conf/{all,interface}/accept_redirects are TRUE in the case forwarding
for the interface is enabled
or
- at least one of conf/{all,interface}/accept_redirects is TRUE in the case
forwarding for the interface is disabled
accept_redirects for the interface will be disabled otherwise
default TRUE (host)
FALSE (router)
The steps necessary to make a host ignore ICMP redirects depend on whether the host is a router or not.
- If the host is an IPv4 router (IPv4 forwarding is turned on for all or for particular interfaces), redirects can be disabled either for all interfaces, or for a group of interfaces by accepting redirects in conf/all and disabling them on the specific interfaces (both values must be TRUE for a routing interface to accept redirects)
Disabling redirects on all interfaces, when host is a router
net.ipv4.conf.all.accept_redirects=0
Disabling redirects on eth0 and eth1, when host is a router
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=0
- If the host is not a router, accept_redirects must be disabled both in conf/all and on each target interface, because a single TRUE value in either place is enough for a non-routing interface to accept redirects
Disabling redirects on eth0 and eth1, when host is not a router
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=0
To make the above settings permanent:
- Create the file /etc/sysctl.d/icmp.conf
- Append the desired settings to it
- Apply the configuration to the running kernel via
# sysctl --system
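To verify the result after applying the settings, the following POSIX sh script is an added example (not part of the Red Hat solution): it reproduces the kernel's accept_redirects decision rule quoted above in a pure function and then audits the live values under /proc/sys for each interface name passed on the command line. The interface names and the output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat article.
# Reproduces the kernel's accept_redirects logic and audits live interfaces.

# effective_accept_redirects ALL IFACE FORWARDING
#   ALL        value of net.ipv4.conf.all.accept_redirects   (0 or 1)
#   IFACE      value of net.ipv4.conf.<if>.accept_redirects  (0 or 1)
#   FORWARDING value of net.ipv4.conf.<if>.forwarding        (0 or 1)
# Prints 1 if the interface will accept ICMP redirects, 0 if it ignores them.
effective_accept_redirects() {
    all="$1"; iface="$2"; fwd="$3"
    if [ "$fwd" = "1" ]; then
        # router: redirects accepted only if BOTH all and interface are TRUE
        if [ "$all" = "1" ] && [ "$iface" = "1" ]; then echo 1; else echo 0; fi
    else
        # host: redirects accepted if EITHER all or interface is TRUE
        if [ "$all" = "1" ] || [ "$iface" = "1" ]; then echo 1; else echo 0; fi
    fi
}

# audit_interface IFACE
# Reads the live values from /proc/sys and reports the effective state.
# Returns 0 when the interface ignores redirects (hardened), 1 otherwise.
audit_interface() {
    base=/proc/sys/net/ipv4/conf
    [ -d "$base/$1" ] || { echo "$1: no such interface" >&2; return 2; }
    all=$(cat "$base/all/accept_redirects")
    iface=$(cat "$base/$1/accept_redirects")
    fwd=$(cat "$base/$1/forwarding")
    eff=$(effective_accept_redirects "$all" "$iface" "$fwd")
    printf '%s: all=%s iface=%s forwarding=%s -> accepts redirects: %s\n' \
        "$1" "$all" "$iface" "$fwd" "$eff"
    [ "$eff" = "0" ]
}

# Usage: ./audit_redirects.sh eth0 eth1   (interface names are assumptions)
status=0
for ifname in "$@"; do
    audit_interface "$ifname" || status=1
done
exit "$status"
```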
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.