5.28. Disable ICMP Redirect Acceptance

When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path you didn't intend. It's strongly recommended to disable ICMP Redirect Acceptance to protect your server from this hole.

version 6.1 only


              [root@deep] /# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
              > echo 0 > $f
              > done
              

              [root@deep] /#
              
Add the above commands to the /etc/rc.d/rc.local script file and you'll not have to type it again the next time you reboot your system.

Version 6.2 only

Edit the /etc/sysctl.conf file and add the following line:

              # Disable ICMP Redirect Acceptance
              net.ipv4.conf.all.accept_redirects = 0
              
You must restart your network for the change to take effect. The command to restart manually the network is the following:

              [root@deep] /# /etc/rc.d/init.d/network restart
              Setting network parameters	[  OK  ]
              Bringing up interface lo		[  OK  ]
              Bringing up interface eth0	[  OK  ]
              Bringing up interface eth1	[  OK  ]
              
Take Note that the above command for Red Hat Linux 6.1 or 6.2 will disable Redirect Acceptance Packets on all your interfaces lo, ethN, pppN etc.