ICMP Redirect Linux Kernel Settings

How to display and modify the ICMP Redirect kernel settings on Linux

ICMP Redirects

You can check the current settings like so:

$ sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 1

$ sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 1

$ sysctl net.ipv4.conf.default.shared_media
net.ipv4.conf.default.shared_media = 1

$ sysctl net.ipv6.conf.default.accept_redirects
net.ipv6.conf.default.accept_redirects = 1

The accept_redirects setting enables acceptance of ICMP redirects.

The secure_redirects setting, if enabled, ensures only redirects from a default gateway are accepted (if accept_redirects is itself enabled).

The shared_media setting informs the kernel whether the physical network connected to a network interface is a shared medium or not.

Note: The default keyword changes the interface default setting for any interface that does not have a custom setting specified (even if it matches the default setting). You can replace it with either a specific interface name (so the setting applies only to that interface) or the keyword all to configure all interfaces at once (ignoring interface-specific custom settings).

Dynamic Configuration

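To change the running configuration, use these commands (root privileges are required). The 0|1 is a placeholder, not something to type literally: replace it with your desired value, either 0 (disabled) or 1 (enabled):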

$ sysctl -w net.ipv4.conf.default.accept_redirects=0|1
$ sysctl -w net.ipv4.conf.default.secure_redirects=0|1
$ sysctl -w net.ipv4.conf.default.shared_media=0|1
$ sysctl -w net.ipv6.conf.default.accept_redirects=0|1

You can confirm like so:

$ sysctl net.ipv4.conf.default.accept_redirects
$ sysctl net.ipv4.conf.default.secure_redirects
$ sysctl net.ipv4.conf.default.shared_media
$ sysctl net.ipv6.conf.default.accept_redirects

Permanent Configuration

To make these settings persistent across reboots, edit the /etc/sysctl.conf file like so (again replacing 0|1 with either 0 or 1), then save and quit:

$ vi /etc/sysctl.conf

net.ipv4.conf.default.accept_redirects = 0|1
net.ipv4.conf.default.secure_redirects = 0|1
net.ipv4.conf.default.shared_media = 0|1
net.ipv6.conf.default.accept_redirects = 0|1

:wq

You can then reboot to check the setting persists, or alternatively, run this command to load them:

$ sysctl -p /etc/sysctl.conf

Confirm with this:

$ sysctl net.ipv4.conf.default.accept_redirects
$ sysctl net.ipv4.conf.default.secure_redirects
$ sysctl net.ipv4.conf.default.shared_media
$ sysctl net.ipv6.conf.default.accept_redirects
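
The confirm commands above read only the default scope, while the note earlier explains that all and individual interfaces carry their own values. The following added example (not part of the original page) walks every scope and lists those that still accept redirects; the function name audit_redirects, its ROOT argument and the wanted value of 0 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_redirects ROOT WANT
#   ROOT: sysctl tree to read (assumption: /proc/sys on a live host)
#   WANT: value every scope should hold (assumption: 0, redirects refused)
# Prints "key = value" for each scope (all, default, every interface) whose
# value differs from WANT. Returns 1 if anything was printed, else 0.
# shared_media is not checked because the page gives it no preferred value.
audit_redirects() {
    root=${1:-/proc/sys}
    want=${2:-0}
    found=0
    for f in "$root"/net/ipv4/conf/*/accept_redirects \
             "$root"/net/ipv4/conf/*/secure_redirects \
             "$root"/net/ipv6/conf/*/accept_redirects; do
        [ -r "$f" ] || continue    # unmatched glob, e.g. IPv6 disabled
        val=$(cat "$f")
        if [ "$val" != "$want" ]; then
            # Path -> sysctl key. Dots and slashes are swapped so that a
            # VLAN interface such as eth0.100 becomes eth0/100, the form
            # sysctl expects inside a dot-separated key.
            key=$(printf '%s\n' "${f#"$root"/}" | tr './' '/.')
            printf '%s = %s\n' "$key" "$val"
            found=1
        fi
    done
    return "$found"
}

# Live check; the message is printed only when some scope accepts redirects.
audit_redirects /proc/sys 0 || echo "scopes listed above still accept redirects"
```

Each printed key can be passed straight to sysctl -w or copied into /etc/sysctl.conf.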