Linux Iptables allow or block ICMP ping request

The Internet Control Message Protocol (ICMP) has many message types, identified by the "type" field of the ICMP header. For ping you only need two of them, types 0 and 8:

=> Zero (0) is for echo-reply

=> Eight (8) is for echo-request.

To allow incoming ping requests from clients, add the following iptables rules to your firewall script. All the rules on this page assume that the default firewall policy blocks everything, i.e. the INPUT and OUTPUT chains have a policy of DROP, so anything not explicitly accepted is discarded.

Task: Enable or allow ICMP ping incoming client request

Rules to allow incoming ICMP ping requests (assuming the default iptables policy is to drop all INPUT and OUTPUT packets):

SERVER_IP="202.54.10.20"
# echo-request (type 8) coming in: NEW for the first probe, ESTABLISHED for later probes that reuse the same ICMP id
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# echo-reply (type 0) going out: only as the answer to a request conntrack has already seen
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping request

To allow this server to send ping requests (and receive the replies), use the following iptables rules, which mirror the incoming case:

SERVER_IP="202.54.10.20"
# echo-request (type 8) going out from this server
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# echo-reply (type 0) coming back: only as the answer to a request we sent
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
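Both tasks above as one script, added here as an example that is not part of the original post. It prints the rules by default and applies them only when APPLY=1 is set (as root), so you can review the exact commands before touching a live firewall. It uses -m conntrack --ctstate, the current spelling of -m state --state, and omits the redundant -s 0/0. SERVER_IP, the APPLY switch and the 5/s rate limit are assumptions; the rate limit goes slightly beyond the post by capping how many echo requests per second the host answers, so a ping flood costs it no more than that, the excess falling through to the DROP policy.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally
# apply, the stateful ICMP echo rules for a host whose INPUT and OUTPUT
# policies are DROP. SERVER_IP, APPLY and the rate value are assumptions.

SERVER_IP="${SERVER_IP:-202.54.10.20}"

# Print an iptables command, or execute it when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Let other hosts ping this server.
# The echo-request is NEW when conntrack first sees it and ESTABLISHED for
# later probes that reuse the same ICMP id, so the INPUT rule needs both.
# The echo-reply is only accepted as the second half of a tracked request
# (ESTABLISHED); a stray reply with no matching request hits the DROP policy.
# An optional rate (e.g. 5/s) limits how many requests per second get a
# reply; requests above the limit fall through to the DROP policy.
allow_incoming_ping() {
    rate="${1:-}"
    if [ -n "$rate" ]; then
        run iptables -A INPUT -p icmp --icmp-type echo-request -d "$SERVER_IP" \
            -m conntrack --ctstate NEW,ESTABLISHED \
            -m limit --limit "$rate" --limit-burst 10 -j ACCEPT
    else
        run iptables -A INPUT -p icmp --icmp-type echo-request -d "$SERVER_IP" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    fi
    run iptables -A OUTPUT -p icmp --icmp-type echo-reply -s "$SERVER_IP" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Let this server ping other hosts: the mirror image of the rules above.
allow_outgoing_ping() {
    run iptables -A OUTPUT -p icmp --icmp-type echo-request -s "$SERVER_IP" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-reply -d "$SERVER_IP" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Review first (prints four rules); then run again with APPLY=1 as root.
allow_incoming_ping 5/s
allow_outgoing_ping
```

Without the rate argument, allow_incoming_ping emits exactly the two rules from the post in conntrack form; with it, the INPUT rule additionally carries the limit match.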

How do I disable outgoing ICMP requests?

Use either of the following rules; they are equivalent, since echo-request is the symbolic name for type 8:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

OR

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

Outgoing ICMP echo-request packets are blocked by the rule above. Note that -A appends the rule to the end of the OUTPUT chain and iptables stops at the first matching rule, so if an earlier rule already accepts outgoing echo-request (for example the one from the previous task), that ACCEPT matches first and the DROP never fires. Either delete the ACCEPT rule or insert the DROP ahead of it with -I OUTPUT 1 instead of -A.
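An added example, not part of the original post, for the rule-order problem just described: a small POSIX shell script that reads the output of iptables -S OUTPUT and reports which target the first matching rule gives outgoing echo-request, so you can confirm the DROP actually takes effect before trusting it. The two rule listings are constructed samples (the post's SERVER_IP is reused); the live helper at the end, which checks the real chain and inserts the DROP at position 1 only when it is not already effective, is an assumption about how you would wire this into a firewall script.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an outgoing
# echo-request DROP is actually reachable in the OUTPUT chain, since
# iptables uses the first matching rule and -A appends after any ACCEPT.

# Constructed sample of `iptables -S OUTPUT` on a host that already allows
# outgoing ping and then appended the DROP from the post with -A.
# (iptables -S prints the symbolic name echo-request as --icmp-type 8.)
SAMPLE_APPENDED='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 202.54.10.20/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP'

# The same host after inserting the DROP at position 1 with -I OUTPUT 1.
SAMPLE_INSERTED='-P OUTPUT DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 202.54.10.20/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT'

# Read an OUTPUT chain listing on stdin and print the target (-j value) of
# the first rule that would match an outgoing echo-request: a rule with
# -p icmp and either no --icmp-type at all (all ICMP) or type 8/echo-request.
# Prints "none" when no rule matches, meaning only the chain policy applies.
first_echo_request_target() {
    awk '
        /^-A OUTPUT / && /-p icmp( |$)/ &&
        (!/--icmp-type/ || /--icmp-type (8|echo-request)( |$)/) {
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") { print $(i + 1); found = 1; exit }
            }
        }
        END { if (!found) print "none" }
    '
}

# Return 0 when the listing given as $1 blocks outgoing echo-request, 1 otherwise.
outgoing_ping_blocked() {
    case "$(printf '%s\n' "$1" | first_echo_request_target)" in
        DROP|REJECT) return 0 ;;
        *) return 1 ;;
    esac
}

# On a live host (needs root): only insert the DROP when it is not already
# the effective rule, so re-running the script does not pile up duplicates.
block_outgoing_ping_live() {
    if outgoing_ping_blocked "$(iptables -S OUTPUT)"; then
        echo "outgoing echo-request is already blocked"
    else
        iptables -I OUTPUT 1 -p icmp --icmp-type echo-request -j DROP
    fi
}

# Demonstration on the constructed samples.
printf 'after -A:       first match gives %s (block is ineffective)\n' \
    "$(printf '%s\n' "$SAMPLE_APPENDED" | first_echo_request_target)"
printf 'after -I ... 1: first match gives %s (block works)\n' \
    "$(printf '%s\n' "$SAMPLE_INSERTED" | first_echo_request_target)"
```

On the appended sample the first match is the ACCEPT from the allow-outgoing-ping rules, so pings still leave the host; on the inserted sample the DROP is hit first. The same check also catches a blanket "-p icmp -j ACCEPT" rule, which matches every ICMP type and would silently override the block.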

See the ICMP type numbers (type field values). You can also list the ICMP type names that iptables understands by typing the following command at a shell prompt:
# /sbin/iptables -p icmp -h


15 comments

1 Anonymous 08.01.05 at 4:19 am

Thank you for the above post. I found what I was looking for after about 15 min of googling.
Thanks.

2 polarizers 2cent 10.05.05 at 3:25 pm

This seems to be incomplete. An ICMP ping is an "icmp echo request" that is followed up by an "icmp echo reply". So you need to specify the appropriate "--icmp-type" in your incoming and outgoing chains.

Possible values for --icmp-type are listed by "iptables -p icmp -h". There are ICMP packets you don't want to receive or reply to.

polarizers 2cent
http://www.codixx.de/polarizer.html

3 LinuxTitli 10.05.05 at 11:29 pm

>This seems to be incomplete
Nope, this is not incomplete.

>Possible values for --icmp-type are listed by "iptables -p icmp -h". There are ICMP packets you don't want to receive or reply to.

Yup, but you don't have to use them. I just prefer to keep it simple, aka KISS. My default firewall policy is to block everything, so this works without problems.

4 fsckyou 11.17.05 at 4:39 am

I beg to differ. It is incomplete. You block everything, then you open all ICMP traffic. How does this block other types of ICMP traffic?

5 Anonymous 01.31.06 at 7:45 pm

I need to disable outgoing ICMP from my server with iptables; how do I do that?

6 LinuxTitli 01.31.06 at 9:51 pm

I have updated the post as per your request, see above.

7 LinuxTitli 01.31.06 at 9:52 pm

fsckyou, you are right. I have updated the entire set of rules, thanks :D

8 OSCAR 06.28.07 at 4:58 pm

Hi,
How do I block ping requests with ENDIAN firewall?
Best regards

9 China Landscape 10.08.07 at 4:48 am

Hi,

Thanks for your tip, it works perfectly.
Just one question:
Are the options --state NEW,ESTABLISHED,RELATED mandatory?

China Landscape

10 vivek 10.08.07 at 5:02 am

--state will improve security and it is one of the best features of iptables. I recommend keeping it.

11 Hide IP 12.02.07 at 7:51 am

Thanks for info! We’ll use this info in our script firewall.

12 ak 11.03.08 at 3:13 am

iptables -A INPUT -p icmp –icmp-type 8 -s 0/0 -d $SERVER_IP -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

Error: Bad argument `state’

13 Bill 12.08.08 at 6:48 pm

AK, you have a typo. Should be "--state".

14 Vivek Gite 12.08.08 at 8:20 pm

@ak,

You must replace $SERVER_IP with the actual IP address or create the variable itself.

15 ashwani 04.24.09 at 8:27 pm

Nice... how about I can ping anyone but no one can ping me? I made a little rule:

iptables -A OUTPUT -p icmp --icmp-type echo-reply -s 192.168.1.50 -d 192.168.1.0/24 -j REJECT

This is for a single subnet :-)
