Linux Iptables allow or block ICMP ping request

June 28, 2005 · 24 comments · Last updated October 7, 2007


The Internet Control Message Protocol (ICMP) has many message types, each identified by the "type" field in the ICMP header. Ping uses only two of them, and those are the ICMP types the rules below match:

=> Zero (0) is echo-reply.

=> Eight (8) is echo-request.

To allow incoming ping requests from clients, add the following iptables rules to your firewall script.

My default firewall policy blocks everything, so only traffic that a rule explicitly accepts gets through.

Task: Enable or allow ICMP ping incoming client request

Rules to allow incoming ICMP ping requests from clients (assuming that the default iptables policy is to drop all INPUT and OUTPUT packets):

SERVER_IP="202.54.10.20"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping request

To allow outgoing ping requests, use the following iptables rules:

SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I disable outgoing ICMP echo requests?

Use either of the following rules (they are equivalent; one names the type, the other uses its number):

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

OR

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

Either rule drops outgoing ICMP echo-request packets (type 8), so the server itself can no longer ping other hosts. iptables uses the first matching rule, so place the DROP rule before any ACCEPT rule for the same traffic (for example with -I OUTPUT instead of -A OUTPUT); otherwise the earlier ACCEPT wins and the DROP never matches.

See ICMP TYPE NUMBERS (type fields) for the full list. You can also get the list of ICMP type names that iptables understands by typing the following command at the shell prompt:
# /sbin/iptables -p icmp -h
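As an added example (not part of the original post), here is a complete firewall script that combines the rules above into one ICMP policy for a host whose default policy is DROP. It assumes the server address 202.54.10.20 from the article, runs in dry-run mode by default so the generated commands can be inspected without root, and goes a little beyond the article: it rate-limits incoming echo requests, accepts the ICMP error types that path-MTU discovery relies on (only when conntrack relates them to existing traffic), and logs whatever other ICMP arrives before the default policy drops it. The function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 applies them (needs root).
DRY_RUN="${DRY_RUN:-1}"

# ipt: run iptables, or just print the command in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# apply_icmp_policy <server-ip>
# Default policy is DROP for INPUT and OUTPUT, as the article assumes, so only
# the ICMP types listed here ever pass; every other type (redirect,
# timestamp-request, ...) is discarded by the policy without a rule of its own.
apply_icmp_policy() {
    server_ip="$1"

    ipt -P INPUT DROP
    ipt -P OUTPUT DROP

    # Incoming ping: echo-request (8) in, echo-reply (0) out.
    # The limit match caps how many pings per second we answer, so a ping
    # flood cannot consume CPU and bandwidth; excess requests fall through
    # to the DROP policy.
    ipt -A INPUT -p icmp --icmp-type 8 -s 0/0 -d "$server_ip" \
        -m state --state NEW,ESTABLISHED,RELATED \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type 0 -s "$server_ip" -d 0/0 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outgoing ping: echo-request (8) out, echo-reply (0) back in.
    ipt -A OUTPUT -p icmp --icmp-type 8 -s "$server_ip" -d 0/0 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 0 -s 0/0 -d "$server_ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Path MTU discovery and traceroute answers arrive as destination-unreachable
    # (3) and time-exceeded (11) errors about our own traffic; conntrack marks
    # those RELATED, so unsolicited ones are still dropped.
    ipt -A INPUT -p icmp --icmp-type 3 -m state --state RELATED -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 11 -m state --state RELATED -j ACCEPT

    # Log any other ICMP before the DROP policy discards it, rate-limited so
    # the log cannot be flooded either.
    ipt -A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix "icmp-dropped: "
}

# count_accept_rules <server-ip> <icmp-type>: how many ACCEPT rules the
# policy generates for one ICMP type (handy for checking the dry-run output).
count_accept_rules() {
    apply_icmp_policy "$1" | grep -c -- "--icmp-type $2 .*-j ACCEPT"
}

# Stand-alone use: sh icmp-policy.sh 202.54.10.20
if [ -n "${1:-}" ]; then
    apply_icmp_policy "$1"
fi
```

Run it as `sh icmp-policy.sh 202.54.10.20` to print the rules, or as root with `DRY_RUN=0` to load them. In these rules `0/0` means any address; `-m state` loads the connection-tracking match, and `--state ESTABLISHED,RELATED` on the reply rules means a reply is accepted only for a request that conntrack has already seen, which is what stops the rule set from accepting arbitrary unsolicited echo replies. On current kernels `-m conntrack --ctstate` is the newer spelling of the same match.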


24 comments

1 Anonymous August 1, 2005 at 4:19 am

Thank you for the above post. I found what I was looking for after about 15 min of googling.
Thanks.

2 polarizers 2cent October 5, 2005 at 3:25 pm

This seems to be incomplete. An ICMP ping is an “icmp echo request” that is followed up by an “icmp echo reply”. So you need to specify the appropriate “--icmp-type” in your incoming and outgoing chains.

Possible values for --icmp-type are listed by “iptables -p icmp -h”. There are ICMP packets you don't want to receive or reply to.

polarizers 2cent
http://www.codixx.de/polarizer.html

3 LinuxTitli October 5, 2005 at 11:29 pm

>This seems to be incomplete
Nope, this is not incomplete.

>Possible values for --icmp-type are listed by “iptables -p icmp -h”. There are ICMP packets you don't want to receive or reply to.

Yup, but you don't have to use them. I just prefer to keep it simple, aka KISS. My default firewall policy is to block everything, so this works without problems.

4 fsckyou November 17, 2005 at 4:39 am

I beg to differ. It is incomplete. You block everything, then you open all ICMP traffic. How does this block other types of ICMP traffic?

5 Anonymous January 31, 2006 at 7:45 pm

I need to disable outgoing ICMP from my server with iptables; how do I do that?

6 LinuxTitli January 31, 2006 at 9:51 pm

I have updated the post as per your request; see above.

7 LinuxTitli January 31, 2006 at 9:52 pm

fsckyou, you are right; I have updated all the rules, thanks :D

8 OSCAR June 28, 2007 at 4:58 pm

Hi,
How do I block ping requests with the Endian firewall?
Best regards

9 China Landscape October 8, 2007 at 4:48 am

Hi,

Thanks for your tip, it works perfectly.
Just one question:
Are the options --state NEW,ESTABLISHED,RELATED mandatory?

China Landscape

10 nixCraft October 8, 2007 at 5:02 am

--state will improve security and it is one of the best features of iptables. I recommend keeping it.

11 Hide IP December 2, 2007 at 7:51 am

Thanks for info! We’ll use this info in our script firewall.

12 ak November 3, 2008 at 3:13 am

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Error: Bad argument `state'

13 Bill December 8, 2008 at 6:48 pm

AK, you have a typo. Should be “--state”

14 nixCraft December 8, 2008 at 8:20 pm

@ak,

You must replace $SERVER_IP with actual IP address or create a variable itself.

15 ashwani April 24, 2009 at 8:27 pm

Nice… how about I can ping anyone but no one can ping me? I made a little rule:

iptables -A OUTPUT -p icmp --icmp-type echo-reply -s 192.168.1.50 -d 192.168.1.0/24 -j REJECT

This is for a single subnet :-)

16 hamed August 7, 2009 at 4:51 am

Thank you a lot.

17 myHPLinuxdummyServersux October 20, 2009 at 9:08 pm

Hi, I'm from a networking background… couldn't play around that much at home because Cisco is too $$$$… I heard Linux can also work as a router with its iptables stuff. May I know:
1. SERVER_IP="202.54.10.20" is whose address? Me as the server, or the client's IP?
2. 0/0?
3. NEW,ESTABLISHED,RELATED (tried to understand this online; maybe y'all have a clearer explanation)
4. -m?

18 Jorge Filippo October 29, 2009 at 11:11 am

How can I accept ICMP with a specific packet size? I want to be able to ping my server from my Windows notebook, but with -l 666 (for example), for monitoring purposes. But iptables doesn't seem to have an option to accept or deny a specific ping size. Is that correct? Thanks in advance.

19 Bill May 21, 2010 at 3:46 pm

This may be a dumb question, but I can’t find the answer anywhere else. After I make a rule change, do I have to reload iptables or stop/start to activate the change?

20 nixCraft May 21, 2010 at 4:12 pm

Yes, you need to restart the firewall if you made changes to the config file.

Reload the script if you made changes to a shell script that loads all the other rules.

21 Michael August 7, 2010 at 5:38 pm

Thanks a lot it worked perfectly for me.

22 Sun October 6, 2010 at 4:43 pm

Actually it worked right away, didn't need to restart at all, thanks.

23 Snehal October 25, 2011 at 1:38 pm

Thanks very much, and I appreciate your knowledge sharing. This helped me to block ICMP traffic for my application testing.

24 help February 1, 2012 at 6:18 pm

Hi,
I want to do IP spoofing for my exercise but I can't!!!
The question is:
use iptables to modify your IP address to 10.2.3.4 when sending out ICMP requests.
