ICMP redirects are used to inform hosts of a better alternate route to a destination. They are normally sent by routing devices when the router becomes aware of a better route to a destination than the one currently in use. This method is not very efficient and can cause security concerns, since a host that accepts redirects lets another device on the network alter its routing.
However, this can be fixed at run time (dynamically), without having to reboot the PC or server running SUSE Linux or openSUSE, or at boot time (system startup).
Disable ICMP Redirects Accept & Send at run time
Using sysctl utility
OpenSuse:/etc/sysconfig/network # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects = 0
OpenSuse:/etc/sysconfig/network # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.send_redirects = 0
This disables ICMP redirect accept and send on all the interfaces completely. The same can be done at the interface level as well: simply replace “all” in the above commands with the interface name (for example “eth0”).
It works like this:
OpenSuse:/etc/sysconfig/network # sysctl -w net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects = 0
OpenSuse:/etc/sysconfig/network # sysctl -w net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.send_redirects = 0
For IPv6, again simply replace “ipv4” with “ipv6” in the accept_redirects command. The Linux kernel has no send_redirects key under net.ipv6, so only accept_redirects applies. It should look like this:
OpenSuse:/etc/sysconfig/network # sysctl -w net.ipv6.conf.eth0.accept_redirects=0
net.ipv6.conf.eth0.accept_redirects = 0
An even simpler procedure is to write the value “0” directly to the above kernel variables, as follows:
OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
OpenSuse:/etc/sysconfig/network # echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
Again, for IPv6 replace “ipv4” with “ipv6” in the accept_redirects commands, and at the interface level replace “all” with the interface name (e.g. “eth0”).
None of the above requires a system reboot, and the changes take effect instantly. However, the changes are lost the next time the system is restarted.
Permanent Setting at Boot time
To have these settings applied at boot time, add the equivalent entries for the above commands to the /etc/sysctl.conf configuration file. Simply edit the /etc/sysctl.conf file and add the following entries:
For IPv4
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
IPv4 at interface level
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
For IPv6
# accept_redirects only: the kernel has no send_redirects key under net.ipv6
net.ipv6.conf.all.accept_redirects = 0
IPv6 at interface level
net.ipv6.conf.eth0.accept_redirects = 0
That's it. The next time you reboot the PC, the settings are still there!!!
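To confirm the result, the following shell functions (an added example, not part of the original article) report every redirect key that is still non-zero, walking each interface directory under /proc/sys rather than only “all”, and then checking the entries in /etc/sysctl.conf. The function names and the optional path arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit ICMP redirect settings (function names are hypothetical).

# Report runtime redirect keys that are not 0.
# $1 = sysctl root directory (default /proc/sys).
audit_runtime() {
    root="${1:-/proc/sys}"
    rc=0
    for f in "$root"/net/ipv4/conf/*/accept_redirects \
             "$root"/net/ipv4/conf/*/send_redirects \
             "$root"/net/ipv6/conf/*/accept_redirects; do
        [ -r "$f" ] || continue        # glob matched nothing (e.g. IPv6 disabled)
        val=$(cat "$f")
        if [ "$val" != 0 ]; then
            key=${f#"$root"/}
            echo "RUNTIME $key = $val"
            rc=1
        fi
    done
    return "$rc"
}

# Report redirect entries in a sysctl config file whose value is not 0.
# $1 = config file (default /etc/sysctl.conf).
audit_conf() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || return 0
    # Drop comments and whitespace, keep redirect keys, discard those set to 0.
    hits=$(sed -e 's/[#;].*//' -e 's/[[:space:]]//g' "$conf" |
           grep -E '^net\.ipv[46]\.conf\..+\.(accept|send)_redirects=' |
           grep -v '=0$' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/CONFIG /'
        return 1
    fi
    return 0
}

# On a live host: audit_runtime; audit_conf
```

Both functions print nothing and return 0 when every redirect key is disabled, so they can be used as a check in a provisioning or compliance script.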