Disable ICMP redirects on Linux
Overview
ICMP redirects are messages sent by routers to inform hosts of a better route to a destination. While useful in some network configurations, they can pose security risks as malicious actors could potentially use them to redirect traffic through compromised systems.
For VPN endpoints and security-sensitive systems, it is often recommended to disable ICMP redirects.
Note
This guide shows how to disable ICMP redirects on Linux using sysctl.
Consult your operating system documentation for more information.
Apply configuration
Disable sending ICMP redirects
To prevent the system from sending ICMP redirect messages (all covers the interfaces that exist now, default seeds interfaces created later):
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
sudo sysctl -w net.ipv4.conf.default.send_redirects=0
Verify the configuration
To verify the current settings, read them back with sysctl (the same key names, without -w) and confirm that the relevant settings are 0.
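The following is an added example, not part of the original guide: a small POSIX shell audit that reads every entry under /proc/sys/net/ipv4/conf/ rather than only all and default. The per-interface entries matter because the kernel treats sending as enabled on an interface when either the all value or that interface's own value is 1 (and, with forwarding off, the same rule applies to accepting), and an interface that already existed when default was changed keeps the value it was created with. The conf_root parameter is an assumption made so the function can also be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Audit ICMP redirect sysctls across every scope under a conf tree.
# Constructed example; the root defaults to the live kernel tree but can
# be pointed at a fake directory (assumed parameter) for offline testing.
# Usage: audit_redirects [conf_root]
# Returns 0 when every send_redirects/accept_redirects entry is 0,
# 1 otherwise, printing each offending key in sysctl notation.

audit_redirects() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    # One subdirectory per scope: all, default, lo, eth0, ...
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        scope=$(basename "$dir")
        for key in send_redirects accept_redirects; do
            file="$dir$key"
            [ -r "$file" ] || continue
            val=$(cat "$file")
            if [ "$val" != "0" ]; then
                echo "net.ipv4.conf.$scope.$key=$val (expected 0)"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Run against the tree given on the command line, if any; reading the
# live tree needs no privileges.
if [ -n "${1:-}" ]; then
    audit_redirects "$1"
fi
```

Run it with no argument on the host after applying the settings; a silent run with exit status 0 means every scope, including each existing interface, reads 0.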
Make configuration persistent
The configuration must be made persistent to avoid needing to manually re-apply it following a system reboot.
Once the configuration has been applied and tested, make it permanent by adding
the following entries to /etc/sysctl.conf or by creating a new file in
/etc/sysctl.d/ (for example, /etc/sysctl.d/99-disable-icmp-redirects.conf).
The accept_redirects entries additionally stop the host from acting on
redirects it receives, which is the exposure described in the overview:
# Disable ICMP redirects
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
To apply the configuration from the file without rebooting, load that file with sysctl -p; or reload all sysctl settings with sysctl --system.
See man sysctl.conf and man sysctl for more information.
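An added example (not from the original guide) that renders the drop-in above and previews what loading it would change, by comparing each key=value line in the file with the live value under /proc/sys/net/ipv4/conf/. The conf root and the output path are assumed parameters so the functions can be exercised offline; writing under /etc/sysctl.d/ and running sysctl -p or sysctl --system still need root, so those invocations are shown as comments rather than executed.

```shell
#!/bin/sh
# Constructed example: generate the sysctl.d drop-in and show which keys
# the running kernel would change when it is loaded.

# Emit the drop-in contents to stdout (same entries as the guide).
render_dropin() {
    echo "# Disable ICMP redirects"
    for scope in all default; do
        for key in send_redirects accept_redirects; do
            echo "net.ipv4.conf.$scope.$key=0"
        done
    done
}

# Compare each key=value line in a sysctl file with the live value under
# conf_root (assumed parameter, defaults to the kernel tree). Prints one
# line per key that differs; returns 0 when nothing needs changing,
# 1 otherwise. Comments and blank lines are skipped; lines are expected
# in the key=value form used above, without spaces around '='.
plan_dropin() {
    file="$1"
    root="${2:-/proc/sys/net/ipv4/conf}"
    changes=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        want=${line#*=}
        # net.ipv4.conf.<scope>.<name> -> <root>/<scope>/<name>
        rest=${key#net.ipv4.conf.}
        scope=${rest%%.*}
        name=${rest#*.}
        path="$root/$scope/$name"
        have=$(cat "$path" 2>/dev/null || echo "?")
        if [ "$have" != "$want" ]; then
            echo "$key: $have -> $want"
            changes=1
        fi
    done < "$file"
    return "$changes"
}

# Typical use on a host (needs root to write under /etc and to apply):
#   render_dropin | sudo tee /etc/sysctl.d/99-disable-icmp-redirects.conf
#   plan_dropin /etc/sysctl.d/99-disable-icmp-redirects.conf   # preview
#   sudo sysctl -p /etc/sysctl.d/99-disable-icmp-redirects.conf
#   (or: sudo sysctl --system, then run plan_dropin again; it should be silent)
```

Running plan_dropin after sysctl -p should print nothing and exit 0; any remaining line means the file and the running kernel disagree, typically because the key name is misspelled or the file was not the one loaded.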
Security considerations
Disabling ICMP redirects is particularly important for:
- VPN endpoints and gateways
- Systems with multiple network interfaces
- Security-sensitive hosts
- Systems in untrusted networks
Warning
In rare cases, disabling ICMP redirects may affect routing in complex network topologies where dynamic route updates are expected.
Test the configuration in your specific environment before deploying widely.