Feb 21, 2008

ICMP redirects are used to inform hosts of a better alternate route to a destination. A router normally sends them when it becomes aware of a better route to the destination than the one currently in use. This method is not very efficient and can cause security concerns.

However, this can be fixed either at run time (dynamically), without having to reboot the PC or server running SUSE Linux or openSUSE, or at boot time (system startup).

Disable ICMP Redirects Accept & Send at run time

Using the sysctl utility

OpenSuse:/etc/sysconfig/network # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects = 0

OpenSuse:/etc/sysconfig/network # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects = 0

This disables ICMP Redirect accept & Send on all the interfaces completely. However, this can be done at the interface level as well. Simply replace “all” in the above command with the interface name (for example “eth0”).

So it works like this:

OpenSuse:/etc/sysconfig/network # sysctl -w net.ipv4.conf.eth0.accept_redirects=0

net.ipv4.conf.eth0.accept_redirects = 0

OpenSuse:/etc/sysconfig/network # sysctl -w net.ipv4.conf.eth0.send_redirects=0

net.ipv4.conf.eth0.send_redirects = 0

For IPv6, again simply replace “ipv4” with “ipv6” in the accept_redirects command. The kernel's IPv6 tree has no send_redirects key, so only accept_redirects applies. It should look like this:

OpenSuse:/etc/sysconfig/network # sysctl -w net.ipv6.conf.eth0.accept_redirects=0

net.ipv6.conf.eth0.accept_redirects = 0

An even simpler procedure is to write the value “0” directly to the above kernel variables as follows:

OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

Again, for IPv6 replace “ipv4” with “ipv6” in the accept_redirects commands above (there is no IPv6 send_redirects file), and at the interface level replace “all” with the interface name (e.g. “eth0”).

None of the above requires a system reboot, and the changes take effect instantly. However, the changes are lost the next time the system is restarted.

Permanent Setting at Boot time

In order to have these settings at the boot time, you need to add the equivalent entries for the above commands in the /etc/sysctl.conf configuration file. Simply edit the /etc/sysctl.conf file and add the following entries:

For IPv4

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

IPv4 at interface level

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.eth0.send_redirects = 0

For IPv6

net.ipv6.conf.all.accept_redirects = 0

IPv6 at interface level

net.ipv6.conf.eth0.accept_redirects = 0

That's it. The next time you reboot the PC, the settings are still there!
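To confirm that the settings actually took effect, at run time or after a reboot, the following added example (not part of the original post) scans every interface directory and reports any redirect setting that is not 0. It checks each interface rather than only “all” because the kernel treats send_redirects as enabled on an interface if either the “all” value or the interface's own value is 1. The function name audit_redirects and its optional ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit ICMP redirect settings under a /proc/sys-style tree.
# audit_redirects [ROOT]
#   ROOT defaults to /proc/sys; passing another directory (an assumption made
#   so the check can run on a constructed tree) audits that tree instead.
# Prints one "key = value" line per redirect setting that is not 0.
# Returns 1 if any such setting was found, 0 if all are disabled.
audit_redirects() {
    root=${1:-/proc/sys}
    bad=0
    # IPv4 has accept_redirects and send_redirects; the IPv6 tree only has
    # accept_redirects, so there is no IPv6 send_redirects pattern here.
    for pattern in \
        'net/ipv4/conf/*/accept_redirects' \
        'net/ipv4/conf/*/send_redirects' \
        'net/ipv6/conf/*/accept_redirects'
    do
        # $pattern is left unquoted on purpose so the shell expands the glob.
        for file in "$root"/$pattern; do
            [ -r "$file" ] || continue   # glob matched nothing, or unreadable
            value=$(cat "$file")
            if [ "$value" != "0" ]; then
                # Report in slash form, which sysctl also accepts and which
                # stays unambiguous for names with dots (e.g. eth0.100).
                rel=${file#"$root"/}
                echo "$rel = $value"
                bad=1
            fi
        done
    done
    return "$bad"
}
```

On a live system, call audit_redirects with no argument; no output and an exit status of 0 mean every listed key reads 0.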