diff --git a/handlers/main.yml b/handlers/main.yml
index 1a3235974946af84cdeba8b02e1edf325dd912d5..b6446b435ae503b09aff9a395dbbb13368135b5a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,7 +13,7 @@
       ansible.builtin.apt:
         name: [
           'iptables-persistent',
-          'netfilter-persistent',
+          'netfilter-persistent',    # required, iptables plugin for netfilter-persistent
         ]
         state: present
       listen: "save iptables rules"
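Review bot: The trailing comment added on the `'netfilter-persistent'` entry appears to describe the other package in the list. As far as I know, `iptables-persistent` is the iptables plugin and `netfilter-persistent` is the loader framework it plugs into. Either move the comment to the `'iptables-persistent'` line or reword it, for example `# required: rule loader that iptables-persistent plugs into`. The handler's task starts outside this hunk, so its name and any other arguments are not visible here.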
diff --git a/tasks/configure_iptables.yml b/tasks/configure_iptables.yml
index 00b634e368c70212f01b31a681716e049fb637e3..2ecc827db8f080c33604d911022ce75decdd5e0b 100644
--- a/tasks/configure_iptables.yml
+++ b/tasks/configure_iptables.yml
@@ -117,6 +117,39 @@
     - save iptables rules
 # http://shouldiblockicmp.com
 
+
+# OID: 1.3.6.1.4.1.25623.1.0.103190 MITIGATION:
+# - http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.103190
+# - https://access.redhat.com/solutions/6123331
+#   "Need to disable ICMP type 13 (timestamp requests) and 14 (timestamp
+#    replies) without using firewalld, iptables, or nftables. (...)
+#    At this time there is no method to disable ICMP timestamp requests and
+#    replies in RHEL without using a firewall solution."
+# - https://beyondsecurity.freshdesk.com/support/solutions/articles/44001709477--how-can-i-mitigate-icmp-timestamp-
+#   "Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to
+#    disable ICMP timestamp responses. Therefore, you should block ICMP on the
+#    affected host using iptables, and/or block it at the firewall."
+# - The risk is mainly mitigated by using the "DROP" Default Policy for the
+#   INPUT chain in iptables and only allowing specific ICMP packes. However,
+#   to mitigate against misconfigurations of the Default Policy, we now
+#   explicitely DROP these packages.
+# Kudos to @Steidl for building the initial version of this.
+- name: >
+    "mitigate OID: 1.3.6.1.4.1.25623.1.0.103190 'ICMP Timestamp Reply
+     Information Disclosure'"
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "{{ item.chain | default('INPUT') }}"
+    comment: "{{ item.comment | default(omit) }}"
+    icmp_type: "{{ item.icmp_type | default(omit) }}"
+    jump: "DROP"
+    protocol: "icmp"
+    state: "{{ item.state | default('present') }}"
+    table: "filter"
+  loop: "{{ vault_iptables_icmp | flatten(levels=1) }}"
+  notify:
+    - save iptables rules
+
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
 
 ## Configure specific rules - Chain OUTPUT
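Review bot: `icmp_type: "{{ item.icmp_type | default(omit) }}"` lets an entry of `vault_iptables_icmp` that has no `icmp_type` key insert a rule dropping every ICMP packet at the head of the chain. That is wider than the timestamp mitigation the comment block describes, and it would also discard the ICMP errors that path-MTU discovery depends on. Nothing in the task pins the rule to types 13 and 14; that rests entirely on the variable's contents, which are not visible in this hunk. Making the key mandatory, `icmp_type: "{{ item.icmp_type }}"`, would make a malformed entry fail the play instead of silently widening the rule. Separately, the folded `name: >` keeps the inner double quotes and the line break before the more-indented second line as part of the task name, so a single-line double-quoted name would read cleaner in play output.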