Managing PING through iptables
Allow/deny ping on a Linux server. PING (Packet InterNet Groper) is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the total round-trip time for messages sent from the originating host to a destination computer and back.
Blocking PING on a server is sometimes helpful, for example when the server keeps facing a DDoS attack that abuses PING. Using iptables we can simply stop PING to and from the server. Before starting, you should have an idea of what iptables is in Linux.
We can call it the basics of the firewall in Linux. iptables is a rule-based firewall system, normally pre-installed on Linux systems, which controls the incoming and outgoing packets. By default iptables runs without any rules; we can create, add and edit rules in it. You will get more details from the link above. In this article I am going to explain how we can allow/block PING in and out of a server. This will be useful if you are a Linux server admin.
We can manage this with the help of ‘iptables‘. ‘ping‘ uses ICMP (Internet Control Message Protocol) to communicate, and ICMP can be managed from iptables.
Okay, let’s start with the allow/deny ping on Linux server rules.
Required iptables command switches
The following switches are required for creating a rule to manage ICMP.
-A : Append a rule to a chain
-D : Delete a rule from a chain
-p : Specify the protocol (here 'icmp')
--icmp-type : Specify the ICMP type
-j : Jump to target
The commonly used ICMP types and their numbers (see the ICMP types and codes reference):
echo-request : 8
echo-reply : 0
Here are some examples.
How to block PING to your server with an error message?
This partially blocks PING: the sender receives the error message ‘Destination Port Unreachable’. Add the following iptables rule to block PING with an error message (use REJECT as the jump target).
iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
Example:
[root@support ~]# ping 109.200.11.67
PING 109.200.11.67 (109.200.11.67) 56(84) bytes of data.
From 109.200.11.67 icmp_seq=1 Destination Port Unreachable
From 109.200.11.67 icmp_seq=2 Destination Port Unreachable
From 109.200.11.67 icmp_seq=3 Destination Port Unreachable
To block without any message, use DROP as the jump target.
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Allow Ping from Outside to Inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
How to block PING from your server?
This blocks PING from your server to the outside. Add these rules to your iptables to do so.
Block PING with the message ‘Operation not permitted’
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
Example:
root@test [~]# ping google.com
PING google.com (173.194.34.136) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
To block without any error messages
For this, DROP the echo-reply in the INPUT chain of your iptables.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
Allow Ping from Inside to Outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
You can use the numeric ICMP type (8 for echo-request, 0 for echo-reply) instead of the icmp-type name when adding a rule to iptables.
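The rule pairs above are easy to append twice by mistake, because -A appends even when an identical rule already exists, and the order of ACCEPT and DROP rules decides which one wins. The script below is an added example, not part of the original post (the file name icmp-policy.sh is hypothetical): it generates exactly the rules shown above for either direction, appends each rule only once by checking with iptables -C first, and removes them again with -D. It assumes the iptables command-line tool is installed and that apply/remove are run as root; show prints rules without touching the firewall.

```shell
#!/bin/sh
# icmp-policy.sh (hypothetical name, added example): generate, apply and remove the
# echo-request/echo-reply rule pairs from the post. Nothing touches the firewall
# unless the 'apply' or 'remove' subcommand is used; 'show' only prints rules.
set -eu

IPT="${IPT:-iptables}"   # IPT=ip6tables for IPv6 (ICMPv6 also needs -p icmpv6)

# icmp_type NAME [numeric]: print the type name, or its number when the second
# argument is "numeric" (echo-request = 8, echo-reply = 0, as listed in the post)
icmp_type() {
    if [ "${2:-}" = numeric ]; then
        case "$1" in
            echo-request) echo 8 ;;
            echo-reply)   echo 0 ;;
            *) echo "unknown ICMP type: $1" >&2; return 2 ;;
        esac
    else
        echo "$1"
    fi
}

# rule_pair DIRECTION ACTION [numeric]: print the rule specs (without -A/-C/-D)
#   in  -> echo-request on INPUT,  echo-reply on OUTPUT  (others pinging this host)
#   out -> echo-request on OUTPUT, echo-reply on INPUT   (this host pinging others)
# REJECT is only emitted for the request half, exactly as in the post.
rule_pair() {
    dir=$1; action=$2; fmt=${3:-name}
    case "$dir" in
        in)  req_chain=INPUT;  rep_chain=OUTPUT ;;
        out) req_chain=OUTPUT; rep_chain=INPUT ;;
        *)   echo "direction must be in or out, got: $dir" >&2; return 2 ;;
    esac
    case "$action" in
        ACCEPT|DROP|REJECT) ;;
        *) echo "action must be ACCEPT, DROP or REJECT, got: $action" >&2; return 2 ;;
    esac
    echo "$req_chain -p icmp --icmp-type $(icmp_type echo-request "$fmt") -j $action"
    if [ "$action" != REJECT ]; then
        echo "$rep_chain -p icmp --icmp-type $(icmp_type echo-reply "$fmt") -j $action"
    fi
}

# apply_rules DIRECTION ACTION: append each rule once. 'iptables -C' exits 0 when an
# identical rule already exists, so re-running the script does not duplicate rules.
apply_rules() {
    rule_pair "$1" "$2" | while read -r spec; do
        if $IPT -C $spec 2>/dev/null; then      # $spec is word-split on purpose
            echo "exists:  $IPT -A $spec"
        else
            $IPT -A $spec
            echo "added:   $IPT -A $spec"
        fi
    done
}

# remove_rules DIRECTION ACTION: delete every copy of the rule (the post's -D switch)
remove_rules() {
    rule_pair "$1" "$2" | while read -r spec; do
        while $IPT -C $spec 2>/dev/null; do
            $IPT -D $spec
            echo "removed: $IPT -D $spec"
        done
    done
}

main() {
    case "${1:-help}" in
        show)   rule_pair "${2:?direction}" "${3:?action}" "${4:-name}" | sed "s|^|$IPT -A |" ;;
        apply)  apply_rules "${2:?direction}" "${3:?action}" ;;
        remove) remove_rules "${2:?direction}" "${3:?action}" ;;
        *) echo "usage: $0 show|apply|remove in|out ACCEPT|DROP|REJECT [numeric]" ;;
    esac
}
main "$@"
```

`sh icmp-policy.sh show in REJECT` prints the single REJECT rule from the first section; `apply in DROP` appends the INPUT/OUTPUT pair and `show out DROP numeric` prints the outbound pair with 8 and 0 instead of the names. Because -A appends, an ACCEPT pair that is already in the chain still wins over a DROP pair added after it, so run `remove in ACCEPT` first (or insert with -I instead of -A). REJECT without --reject-with answers with icmp-port-unreachable, which is why the sample output above reads ‘Destination Port Unreachable’. For the outbound case it is the DROP of echo-request in OUTPUT that makes ping print ‘Operation not permitted’ (the kernel returns EPERM to sendmsg for a locally generated packet that OUTPUT drops); a DROP of echo-reply in INPUT on its own leaves ping waiting silently for replies.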
That’s it. Try this and let me know your feedback.
Thank you so very much for showing how to block pings using iptables. Would you be able to block pings using firewalld using the rich rules?
Regards,
Hi, I have an HP server with Centos. I used to login as root from outside. Yesterday, for testing purposes, I enabled Selinux enforcing and rebooted the server for relabeling. After that I am unable to ssh to the server. I cannot login locally as root even though root login is permitted in sshd_config. I have now disabled Selinux completely from sysconfig/selinux, rebooted the server and did the relabeling again using the fixfiles command also. Still, locally I cannot login as root, as it gives me the error “root logins are not allowed” (root login is permitted in sshdconf). I restarted the sshd service also, but it is still not possible to login locally as root. Remote login via ssh is also not possible. When I do ssh it gives me the output “connection timeout”, and when I do ping it gives me “no answer from server”. The ILO is working fine.
Very useful post!
You can also block ICMP IPv6 reply traffic using:
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
Thank you!
Great stuff from you, man. I’ve read your stuff, and you’re just too dangerous. I love what you’ve got here, love what you say, and how you say it. You make it entertaining and you still manage to keep it smart.
I’m happy to hear this!!
How can I implement following requirement?
Use iptables commands in the INPUT chain on Machine A to only accept a limited number of ICMP ping echo request packets from Machine B (assume its IP address is 172.168.10.2), so that when we issue the command “ping -c 60 ” on Machine B, only the following ping requests are successful:
icmp_seq = 1-7, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49, 53, 57
Meanwhile, Machine A can receive all kinds of packets from other machines without any limitation.
Hi crybit,
Can we use a tip application to monitor the iptables status?
If we have many servers running iptables, and someone stops or starts the iptables service, how do we know about the issue?
Thanks,
Ok, thank you
You’re welcome, Demmy!!
hello,
How do I save the iptables rules that we create, so that when I restart the server the rules are still there?
thank you,
Aditia,
Please execute the following command:
Thank you for help Arunlal Ashok.
Salam,
Thank you
You are most welcome!!
How can we write a rule to ping a destination using an alias of loopback (lo:0)? Please help.
Hello,
How do I block ALL possibilities of pinging? My iptables is set to
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard
Thank You!
What is the function of echo-reply and echo-request?
Those are ICMP message types to test the hosts availability. This is explained in the following links:
tcpipguide.com/free/t_ICMPv4EchoRequestandEchoReplyMessages.htm
erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html
So my visitors will be affected anyhow?
No!
Hey Arunlal…
How do you drop inbound ICMP from outside the local subnet?
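Two of the questions in the comments above, limiting how many echo requests a single host may send (Machine B at 172.168.10.2) and dropping echo requests from outside the local subnet, can both be handled with standard iptables matches. The script below is an added example, not the author's own rules, with a hypothetical file name. It prints rules built from the limit match (-m limit --limit/--limit-burst) and a negated source match (! -s CIDR), and contains a small token-bucket model of the limit match (credit starts at the burst size, refills at the configured rate and is capped at the burst; one echo request per second, which is ping's default interval) that predicts which icmp_seq values pass. With 15 per minute and a burst of 6 the model yields exactly the sequence 1-7, 9, 13, 17, ..., 57 asked for above; packet 9 and every fourth packet after it land right on a refill boundary, so on a real host the outcome there depends on timing and should be confirmed with a test ping before relying on it.

```shell
#!/bin/sh
# icmp-source-policy.sh (hypothetical name, added example): per-source ICMP echo
# policies built from iptables' limit match and a negated source match, plus a
# small model of the limit match's token bucket that predicts which pings pass.
# Only prints rules; review them and apply by hand.
set -eu

# limit_rules SRC RATE_PER_MINUTE BURST: accept echo-request from SRC only while
# the token bucket has credit, drop the rest from SRC, and leave every other
# source alone. Order matters with -A: the limited ACCEPT must precede the DROP,
# otherwise nothing from SRC ever reaches it.
limit_rules() {
    src=$1; rate=$2; burst=$3
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -s $src -m limit --limit ${rate}/minute --limit-burst $burst -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -s $src -j DROP"
}

# subnet_rules CIDR: drop echo-request from any address outside CIDR ('!' negates
# the -s match); hosts inside the subnet are still answered.
subnet_rules() {
    echo "iptables -A INPUT -p icmp --icmp-type echo-request ! -s $1 -j DROP"
}

# simulate_limit RATE_PER_MINUTE BURST COUNT: token-bucket model of the limit
# match. Credit starts full (BURST packets), refills at RATE per minute and is
# capped at BURST; a packet passes when a full packet's worth of credit is
# available. Assumes one echo-request per second (ping's default), so request N
# arrives at second N-1. Uses integer units of 1/60 packet to avoid fractions.
# Prints the icmp_seq values the model accepts, space separated.
simulate_limit() {
    rate=$1; burst=$2; count=$3
    cost=60                      # one packet = 60 units
    cap=$((burst * cost))        # bucket capacity
    credit=$cap                  # bucket starts full
    seq=1; out=""
    while [ "$seq" -le "$count" ]; do
        if [ "$seq" -gt 1 ]; then
            credit=$((credit + rate))          # one second of refill
            if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        fi
        if [ "$credit" -ge "$cost" ]; then
            credit=$((credit - cost))
            out="$out $seq"
        fi
        seq=$((seq + 1))
    done
    echo "${out# }"
}

main() {
    case "${1:-help}" in
        limit)    limit_rules "${2:?source}" "${3:?rate per minute}" "${4:?burst}" ;;
        subnet)   subnet_rules "${2:?cidr}" ;;
        simulate) simulate_limit "${2:?rate per minute}" "${3:?burst}" "${4:-60}" ;;
        *) echo "usage: $0 limit SRC RATE BURST | subnet CIDR | simulate RATE BURST [COUNT]" ;;
    esac
}
main "$@"
```

`sh icmp-source-policy.sh limit 172.168.10.2 15 6` prints the two rules for Machine A; since both carry -s, traffic from every other source falls through untouched, which covers the "without any limitation" requirement. `subnet 192.168.1.0/24` (a constructed example network, substitute your own) prints the single rule for the last question, and `simulate 15 6 60` runs the model so you can compare it with a real `ping -c 60` before and after applying the rules.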