Managing PING through iptables

Allow/deny ping on Linux server. PING – Packet InterNet Gopher, is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the total round-trip time for messages sent from the originating host to a destination computer and back.

Blocking PING on server is helpful sometimes, if the server is continue to face any type of DDoS attack by using the PING feature. By using iptables we can simply stop the PING option to and from your server. Before starting this, you must have an idea about What is iptables in Linux?

We can call it is the basics of Firewall in Linux. Iptables is a rule based firewall system and is normally pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By-default the iptables is running without any rules, we can create, add, edit rules to it. You will get more details from the abouve link. In this article I am going to explain how we can alow/block PING in and out to a server. This would be more useful as you are Linux server admin.

We can manage it by the help of ‘iptables‘. The ‘ping‘ is using ICMP to communicate. We can simply manage the ‘icmp : Internet Controlled Message Protocol’ from iptables.

Okay let’s start, Allow/deny ping on Linux server rules.

Required iptables command switches

The below pasted switches are required for creating a rule for managing icmp.

-A : Add a rule -D : Delete rule from table -p : To specify protocol (here 'icmp') --icmp-type : For specifying type -J : Jump to target

Normally using icmp types and its Codes Click here for ICMP Types and Codes

echo-request : 8 echo-reply : 0

Here I am explaining some examples.

What is iptables in Linux? What is iptables in Linux? We can call, it’s the basics of Firewall for Linux. Iptables is a rule based firewall system and it is normally pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By-default the iptables is running without any rules, we can create, add, edit rules into it. In this article I am trying to explain the basics of iptables with some common practices.

How to block PING to your server with an error message?

In this way you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Example:

[email protected] ~]# ping 109.200.11.67 PING 109.200.11.67 (109.200.11.67) 56(84) bytes of data. From 109.200.11.67 icmp_seq=1 Destination Port Unreachable From 109.200.11.67 icmp_seq=2 Destination Port Unreachable From 109.200.11.67 icmp_seq=3 Destination Port Unreachable

To block without any messages use DROP as Jump to target.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Outside to Inside

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

How to block PING from your server?

In this way you can block PING option from your server to outside. Add these rules to your iptables to do the same.

Block PING operation with message ‘Operation not permitted’

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Example:

[email protected] [~]# ping google.com PING google.com (173.194.34.136) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted

To block with out any error messages

For this, DROP the echo-reply to the INPUT chain of your iptables.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Inside to Outside

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

You can use the icmp code instead of icmp-type name for adding rule to iptables.

That’s it. Try this and let me know your feedback.

Hooooray…. It’s time to relax!! Just watch A Breakfast Ride To Chota Ladakh

Related Posts

1. What is iptables in Linux ?

2. How to save/backup existing iptables rules to a file