[Firehol-support] problem matching packet length

High Mobley firehol at prioritynetworks.net
Wed Oct 27 20:40:17 BST 2004

We have a gateway that is doing NAT and port forwarding. We also need 
to add some rules to prevent the spread of Microsoft Windows worms and 
viruses. So we need to block 92-byte ICMP echo requests and replies. 
(Several of the worms in the wild are pinging hosts using the default 
Windows ping packet size of 92 bytes.)

I already have this running on some of my Cisco routers. Here is a 
snippet from my router configs that shows what I'm doing:

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachia-worm permit 10
  match ip address 199  (This is packets matched by access-list #199)
  match length 92 92
  set interface Null0

Here is our basic FireHOL config before the length matching attempts. It 
works fine for the basic NAT and port forwarding functions that we want:

# Read in custom list of networks from separate file:
. /etc/firehol/networks
# Read in list of custom services from separate file:
. /etc/firehol/services
# Services to allow to our administrative IPs whom we trust:
Trusted_services="ssh icmp http"
# Services to allow to the whole world:
# IP addresses behind the NAT on eth1:
# Forward incoming requests on port 80 of eth0 to port 80 on
# a web server sitting behind the NAT on eth1:
nat to-destination proto tcp dport 80 dst
interface eth0 EXTERIOR src not "${UNROUTABLE_IPS}"
         policy drop loglimit debrouter
         protection strong
         server "icmp" accept src "${ICMP_monitor}"
         server "${Trusted_services}" accept src "${Trusted_Networks}"
         server "${Public_services}" accept
         client all accept
         server all reject src "${Trusted_Networks}"
         server ident reject with tcp-reset
interface eth1 INTERIOR src ${interior_ips}
         policy reject
         client all accept
router INTERIOR_NAT inface eth1 outface eth0
         route all accept
router PORT_FORWARD inface eth0 outface eth1
         route "${Trusted_services}" accept src "${Trusted_Networks}"
         route ident reject with tcp-reset

So now I need to add something that finds all 92-byte long ICMP echo 
requests and echo-replies and drops them. I have been unable to figure 
out how to do this with plain iptables on a Linux machine without 
FireHOL either. It seems like the following two rules should work, but I 
still get replies back from the Linux machine when I ping it with 
92-byte long ICMP packets...

# -m length compares the IPv4 Total Length field (IP header + ICMP header + data),
# so "92" here means the whole datagram on the wire, not the ping data size alone.
iptables -t filter -A INPUT --protocol icmp --icmp-type echo-request \
    --match length --length 92 -j DROP
iptables -t filter -A INPUT --protocol icmp --icmp-type echo-reply \
    --match length --length 92 -j DROP

Does anybody have some suggestions?

High Mobley
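The iptables length match in the post above compares against the IPv4 Total Length field, i.e. the 20-byte IP header and 8-byte ICMP header are included. A 64-byte ping payload therefore produces a 92-byte datagram, while `ping -s 92` on Linux produces a 120-byte one. The following script, added here as an illustration and not part of the original mailing-list post, builds ICMP echo datagrams with constructed TEST-NET addresses and models the two DROP rules so you can see which payload sizes they would actually catch. The address values, identifier and sequence numbers are assumptions for the example.

```python
import struct

# Constructed test addresses (TEST-NET-1, RFC 5737); nothing here comes from the post.
SRC = bytes([192, 0, 2, 1])
DST = bytes([192, 0, 2, 2])

IP_HDR_LEN = 20
ICMP_HDR_LEN = 8
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """Return an IPv4 datagram carrying an ICMP echo request or echo reply."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_length = IP_HDR_LEN + len(icmp)
    # version/IHL, TOS, Total Length, id, flags/frag, TTL, protocol 1 (ICMP), hdr csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, 1, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def ip_total_length(pkt: bytes) -> int:
    """The 16-bit Total Length field: what the iptables length match compares."""
    return struct.unpack("!H", pkt[2:4])[0]


def icmp_type_of(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl]


def rule_drops(pkt: bytes, low: int = 92, high: int = 92) -> bool:
    """Model of the two rules from the post:
       iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 92 -j DROP
       iptables -A INPUT -p icmp --icmp-type echo-reply   -m length --length 92 -j DROP
    The kernel's length match reads the IPv4 Total Length, so headers count."""
    if pkt[9] != 1:  # IP protocol field: 1 = ICMP
        return False
    if icmp_type_of(pkt) not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return False
    return low <= ip_total_length(pkt) <= high


def echo_data_size_for_total_length(total_length: int) -> int:
    """Ping data size that yields a given on-the-wire IPv4 datagram length."""
    return total_length - IP_HDR_LEN - ICMP_HDR_LEN


def classify(data_sizes):
    """For each ping data size: (data size, IPv4 total length, dropped by rule?)."""
    return [(n, ip_total_length(p), rule_drops(p))
            for n in data_sizes
            for p in [build_icmp_echo(b"\x00" * n)]]


if __name__ == "__main__":
    for n, total, dropped in classify([32, 56, 64, 92]):
        print("ping data %3d bytes -> IP total length %3d -> %s"
              % (n, total, "DROP" if dropped else "pass"))
```

To test the rule on a real box, generate a datagram whose IP Total Length is 92, i.e. 64 bytes of ping data (`ping -s 64` on Linux), and compare against a 92-byte payload, which the rule will let through because the datagram is 120 bytes long.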
