
I am setting up a firewall with iptables on my host. I want to disable ICMP timestamp requests, but it's weird: I only allow type 8 (echo-request) into the host, but even so, I can still get a timestamp from my host:

64 bytes from xxxxxxxxx: icmp_seq=2 ttl=61 time=2.56 ms
TS:     36654775 absolute
        -6423
        3
        1
        -4
        0
        4
        0
        -2
Unrecorded hops: 1

I tried to allow type 8 only, but it doesn't work; it appears that all I can do is either let all ICMP requests pass or deny all of them. The following is the configuration script I'm using.

iptables -F            # flush all rules in the filter table
iptables -X            # delete user-defined chains
iptables -Z            # zero the packet/byte counters
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT

# allow the icmp (-I puts this rule at the top of INPUT; it matches on the ICMP type only)
iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT

# services
iptables -A INPUT -p TCP --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p UDP --sport 53 -j ACCEPT # DNS replies (any UDP with source port 53)
iptables -A INPUT -p TCP --sport 53 -j ACCEPT # DNS replies over TCP
iptables -A INPUT -p TCP --dport 80 -j ACCEPT # HTTP
iptables -A INPUT -p TCP --dport 443  -j ACCEPT   # HTTPS

# allow the replies to outgoing established connections
iptables -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

The version of the Linux kernel is 2.6.18, and the version of iptables is v1.3.5. What's wrong with that? How do I block timestamp requests?

Fang-Pen Lin
    What you are doing (blocking ICMP TS) is a rare practice. You might elaborate more on what you are doing, and why. This could be interesting. – JeffG Mar 05 '11 at 14:52
  • For security reasons: the report from a security scan shows that the timestamp might be a weakness. – Fang-Pen Lin Mar 07 '11 at 05:04

1 Answer


I tried the timestamp option of ping, and it looks like the ICMP type remains 8 and that the timestamp request is part of the IP options. This is probably why you are not filtering the requests, since they look just like regular echo requests to iptables.

There is a match extension called ipv4options you might want to explore for blocking the timestamps.

Cakemox
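The distinction the answer draws, as an added example that is not part of the original question or answer: `ping -T` puts a Timestamp option (option type 68) into the IP header while the ICMP type stays 8, whereas an ICMP timestamp request is a separate message, ICMP type 13. The script below builds a plain echo request, an echo request carrying the IP Timestamp option, and an ICMP timestamp request, then runs each through two filter models: one that only checks the ICMP type (the question's `--icmp-type 8` rule) and one that also drops option 68 and type 13 (what an ipv4options match plus a `--icmp-type timestamp-request` DROP would do). The packet builders, the TEST-NET-1 addresses and the two filter functions are mine, written for this page; the iptables lines quoted in the comments are the rules the models stand in for. The exact ipv4options flag depends on the build (the patch-o-matic version took `--ts`, later xtables-addons versions take `--flags ts`), so check `iptables -m ipv4options --help` on the host before relying on it.

```python
"""Why `--icmp-type 8` does not stop `ping -T`: build the three packets involved
and run them through a naive and a hardened filter model (added example)."""
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8          # what `--icmp-type 8` / echo-request matches
ICMP_TIMESTAMP_REQUEST = 13    # the real ICMP timestamp message (type 13)
IPOPT_TIMESTAMP = 68           # IP header option type 0x44, what `ping -T` uses


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) plus payload, checksum filled in."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    return struct.pack("!BBHHH", icmp_type, 0, checksum(hdr), 0x1234, 1) + payload


def ip_timestamp_option(slots: int = 9) -> bytes:
    """IP Timestamp option as `ping -T tsonly` sends it: type 68, length, pointer to the
    first free slot (5), overflow/flag byte 0 (timestamps only), then empty 4-byte slots
    that each hop and the target fill in. 9 slots = 40 bytes, the maximum option size."""
    return struct.pack("!BBBB", IPOPT_TIMESTAMP, 4 + 4 * slots, 5, 0) + b"\x00" * (4 * slots)


def build_ip(payload: bytes, options: bytes = b"") -> bytes:
    """IPv4 header, with any options padded to a 32-bit boundary, in front of payload."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # TEST-NET-1, constructed

    def hdr(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                           0, 0, 64, IPPROTO_ICMP, csum, src, dst) + options

    return hdr(checksum(hdr(0))) + payload


def parse(packet: bytes):
    """Return (protocol, ICMP type or None, [IP option types present])."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    opts, area, i = [], packet[20:ihl], 0
    while i < len(area):
        kind = area[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2:
            break                      # truncated or malformed option: stop parsing
        opts.append(kind)
        i += area[i + 1]
    icmp_type = packet[ihl] if proto == IPPROTO_ICMP and len(packet) > ihl else None
    return proto, icmp_type, opts


def naive_filter(packet: bytes) -> bool:
    """Model of the question's rule set: policy DROP plus
    `iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT`.
    It looks at the ICMP type only, never at the IP options."""
    proto, icmp_type, _ = parse(packet)
    return proto == IPPROTO_ICMP and icmp_type == ICMP_ECHO_REQUEST


def hardened_filter(packet: bytes) -> bool:
    """Model of a rule set that drops both timestamp mechanisms before accepting echo:
      iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
      iptables -A INPUT -m ipv4options --ts -j DROP   (flag spelling depends on the build)
      iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    """
    proto, icmp_type, opts = parse(packet)
    if IPOPT_TIMESTAMP in opts:
        return False
    if proto == IPPROTO_ICMP and icmp_type == ICMP_TIMESTAMP_REQUEST:
        return False
    return proto == IPPROTO_ICMP and icmp_type == ICMP_ECHO_REQUEST


# Constructed sample packets (not captured traffic):
PLAIN_ECHO = build_ip(build_icmp(ICMP_ECHO_REQUEST, b"ping"))                 # plain `ping`
ECHO_WITH_IP_TS = build_ip(build_icmp(ICMP_ECHO_REQUEST, b"ping"),
                           ip_timestamp_option())                             # `ping -T tsonly`
ICMP_TS_REQUEST = build_ip(build_icmp(ICMP_TIMESTAMP_REQUEST, b"\x00" * 12))  # ICMP type 13

if __name__ == "__main__":
    for name, pkt in [("plain echo", PLAIN_ECHO),
                      ("echo + IP timestamp option", ECHO_WITH_IP_TS),
                      ("ICMP timestamp request", ICMP_TS_REQUEST)]:
        print(f"{name:28s} parse={parse(pkt)!s:16s} "
              f"naive={naive_filter(pkt)!s:5s} hardened={hardened_filter(pkt)}")
```

Running it shows the two failure modes side by side: the question's `--icmp-type 8` rule accepts the `ping -T` packet because it genuinely is an echo request, while the ICMP type 13 message that a scanner reports as "ICMP timestamp" is a different packet that the same rule already drops. The two should therefore be tested separately: `ping -T tsonly host` exercises the IP option, and an ICMP timestamp probe such as `nmap -PP host` exercises type 13.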