echo request

Generally, I prefer to use the nmap command for ICMP network scanning to probe all my network devices. By finding unprotected devices you can improve network security and troubleshoot network problems. Recently, I discovered a cool utility called sing. It lets you send fully customized ICMP packets from the command line and perform ICMP network scanning. Now you must be wondering, why perform ICMP network scanning? You can troubleshoot many network-related problems without leaving your desk. For example:

  1. Use the record route IP option to see the route taken to vpn.nixcraft.in
  2. Find out the operating system of a remote server / network device
  3. Diagnose data-dependent problems in a network
  4. Test firewall security against invalid and garbage ICMP packets
  5. Find out which ICMP message types generate responses from target routers / firewalls / IDS and other hosts
  6. Try to spoof a router address and see how the overall network reacts, and many other things

This tool is not for new UNIX / Linux users. It requires some understanding of Internet host communication layers, ICMP router discovery messages, etc.

The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field. For ping you need ICMP types 0 and 8.

=> Zero (0) is for echo-reply

=> Eight (8) is for echo-request.

To allow incoming ICMP ping requests from clients, use the following iptables rules (you need to add them to your firewall script).

My default firewall policy is blocking everything.

Task: Enable or allow ICMP ping incoming client request

Rules to allow incoming ICMP ping requests from clients (assuming that the default iptables policy is to drop all INPUT and OUTPUT packets):

SERVER_IP="202.54.10.20"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping request

To allow outgoing ICMP ping requests, use the following iptables rules:

SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I disable outgoing ICMP requests?

Use the following rules:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

OR

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

The rule above blocks the ICMP echo-request type.

See ICMP TYPE NUMBERS (type fields). You can also get a list of ICMP types by typing the following command at a shell prompt:
# /sbin/iptables -p icmp -h
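
iptables walks a chain top to bottom and stops at the first matching ACCEPT or DROP, so a DROP added with -A after an ACCEPT for the same ICMP type never fires. The script below is an added example, not from the original page: it reads `iptables -S` style text and reports the verdict a chain gives one ICMP type. The `icmp_verdict` function and the sample ruleset are constructed for illustration, and address and state matches are ignored.

```sh
#!/bin/sh
# Added example (not from the original page). Reads `iptables -S` style text
# on stdin and prints the verdict for one ICMP type in one chain.
# Simplification: only chain, -p, --icmp-type and -j are examined; address
# and state matches are ignored.
icmp_verdict() {  # usage: icmp_verdict CHAIN TYPE < rules
    awk -v chain="$1" -v type="$2" '
        $1 == "-P" && $2 == chain { policy = $3 }
        $1 == "-A" && $2 == chain && verdict == "" {
            proto = ""; t = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--icmp-type") t = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (t == "echo-request") t = 8
            if (t == "echo-reply") t = 0
            # No -p matches any protocol; no --icmp-type matches any type.
            if ((proto == "" || proto == "icmp") && (t == "" || t == type) &&
                target ~ /^(ACCEPT|DROP|REJECT)$/)
                verdict = target   # first matching rule wins
        }
        END { print (verdict != "" ? verdict : policy) }
    '
}

# Constructed sample: the four ACCEPT rules from the page, then the DROP
# rule appended with -A, listed per chain in the order they were added.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -d 202.54.10.20/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 202.54.10.20/32 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 202.54.10.20/32 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 202.54.10.20/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
EOF
}

for probe in "INPUT 8" "OUTPUT 0" "OUTPUT 8" "INPUT 13"; do
    set -- $probe
    echo "$1 type $2: $(sample_rules | icmp_verdict "$1" "$2")"
done
```

On a live host, feed it the real ruleset with `iptables -S | icmp_verdict OUTPUT 8`. If the DROP is meant to win, insert it with `-I` or remove the earlier ACCEPT rule first.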