Disable ICMPv6 Destination Unreachable replies

Shikhar Bhargava asked:

iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

The above command works for IPv4; what should be the command for IPv6 to drop the ICMPv6 destination-unreachable packets?
I have tried to use ip6tables with but could not get the correct option.

ip6tables -I OUTPUT -p icmpv6 <icmpv6 type> -j DROP

What should work for <icmpv6 type>?

My answer:


The iptables-extensions(8) man page gives the syntax:

   icmp6 (IPv6-specific)
       This extension can be used if  `--protocol  ipv6-icmp'  or  `--protocol
       icmpv6' is specified. It provides the following option:

       [!] --icmpv6-type type[/code]|typename
              This  allows  specification  of  the ICMPv6 type, which can be a
              numeric ICMPv6 type, type and code, or one of  the  ICMPv6  type
              names shown by the command
               ip6tables -p ipv6-icmp -h

You can list the ICMPv6 types with ip6tables -p ipv6-icmp -h, as documented in the man page.

Valid ICMPv6 Types:
destination-unreachable
   no-route
   communication-prohibited
   address-unreachable
   port-unreachable
packet-too-big
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   bad-header
   unknown-header-type
   unknown-option
echo-request (ping)
echo-reply (pong)
router-solicitation
router-advertisement
neighbour-solicitation (neighbor-solicitation)
neighbour-advertisement (neighbor-advertisement)
redirect

Of course, you should not be attempting to block these packets. It will cause applications to misbehave.


View the full question and answer on Server Fault.
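
The syntax from the man page excerpt, applied to the rule in the question, as an added example that is not part of the original answer. The helper names `icmp6_match` and `icmp6_rule` and the `DRY_RUN` switch are hypothetical; the numeric form uses ICMPv6 type 1, code 4 (port unreachable) from RFC 4443.

```sh
#!/bin/sh
# Added example (not from the original answer). Helper names are hypothetical.
# DRY_RUN=1 (default) only prints the ip6tables command; DRY_RUN=0 runs it as root.
DRY_RUN="${DRY_RUN:-1}"

# icmp6_match TYPE [CODE]: print the match arguments for one ICMPv6 type.
# TYPE is a name listed by `ip6tables -p ipv6-icmp -h` or a number; CODE is
# allowed only with a numeric TYPE and produces the type/code form.
icmp6_match() {
    itype="$1"; icode="${2:-}"
    case "$itype" in
        ''|*[!a-z0-9-]*) echo "invalid ICMPv6 type: $itype" >&2; return 1 ;;
    esac
    if [ -n "$icode" ]; then
        case "$itype$icode" in
            *[!0-9]*) echo "type/code form needs numeric values" >&2; return 1 ;;
        esac
        if [ "$itype" -gt 255 ] || [ "$icode" -gt 255 ]; then
            echo "type and code must be 0-255" >&2; return 1
        fi
        itype="$itype/$icode"
    fi
    printf '%s' "-p icmpv6 --icmpv6-type $itype"
}

# icmp6_rule insert|delete|check TYPE [CODE]: act on an OUTPUT DROP rule.
icmp6_rule() {
    case "$1" in
        insert) flag=-I ;;
        delete) flag=-D ;;
        check)  flag=-C ;;
        *) echo "usage: icmp6_rule insert|delete|check TYPE [CODE]" >&2; return 2 ;;
    esac
    shift
    match="$(icmp6_match "$@")" || return 1
    cmd="ip6tables $flag OUTPUT $match -j DROP"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        $cmd    # built only from validated tokens, so word splitting is safe
    fi
}

# IPv6 counterpart of the IPv4 rule in the question, by type name:
icmp6_rule insert destination-unreachable
# Narrower: type 1 (destination unreachable), code 4 (port unreachable, RFC 4443):
icmp6_rule insert 1 4
```

With `DRY_RUN=0`, `icmp6_rule check ...` returns non-zero when the rule is not present, and `icmp6_rule delete ...` removes it again.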

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.