Linux disable or drop / block ping packets altogether

Q. How do I disable or drop all ping packets altogether?

A. Generally you can use iptables to block or allow ping requests.

You can set a kernel variable to drop all ping packets. Type the following command at the shell prompt:
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This instructs the kernel to simply ignore all ping requests (ICMP type 0 messages). To enable ping requests again, type the command:
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

You can add the following line to the /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Append the following line:
net.ipv4.icmp_echo_ignore_all = 1

Save and close the file.
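
The write to /proc and the /etc/sysctl.conf entry are independent, so a host can have one without the other. The script below is an added example, not part of the original article, that reports which state a host is in; the function names are hypothetical, and it assumes only the single sysctl.conf file is inspected (not drop-in directories).

```shell
#!/bin/sh
# Added example: audit whether icmp_echo_ignore_all is active now and
# whether it will survive a reboot. Paths default to the files named in
# the article and can be overridden to audit copies.

# Runtime value as the kernel currently reports it.
runtime_value() {
    proc=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    if [ -r "$proc" ]; then tr -d '[:space:]' < "$proc"; fi
}

# Last value assigned in a sysctl.conf-style file. Lines starting with
# '#' or ';' are comments, a leading '-' on the key is allowed, '/' may
# replace '.' in the key, and the last assignment wins.
persistent_value() {
    conf=${1:-/etc/sysctl.conf}
    [ -r "$conf" ] || return 0
    awk -F= '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            sub(/^-/, "", key); gsub(/\//, ".", key)
            if (key == "net.ipv4.icmp_echo_ignore_all") last = val
        }
        END { if (last != "") print last }' "$conf"
}

# Prints one of:
#   enforced      ignored now and configured for the next boot
#   runtime-only  ignored now, but the setting is lost at reboot
#   pending       present in the file, not yet loaded into the kernel
#   off           echo requests are answered
ping_ignore_status() {
    run=$(runtime_value "$1")
    per=$(persistent_value "$2")
    case "${run:-0}:${per:-0}" in
        1:1) echo enforced ;;
        1:*) echo runtime-only ;;
        *:1) echo pending ;;
        *)   echo off ;;
    esac
}

echo "ping ignore status: $(ping_ignore_status)"
```

A `pending` result means the line is in the file but has not been loaded; `sysctl -p` loads it without a reboot.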

Sometimes ping requests can be handy for testing your own server. You can disable ICMP type 0 messages in the firewall so that local administrators can continue to use the ping command for their own server. The following command blocks all ICMP packets, including ping requests:
# iptables -A INPUT -p icmp -j DROP

14 comments
  • V.Balaviswanathan Jun 18, 2009 @ 8:26

    Thanks for this information. It's helpful for us. How to do the same for Debian-based machines?

  • Nwb Nov 11, 2009 @ 16:26

    It’s good, but when I do it global users can’t connect to FTP :S

  • sandy May 2, 2011 @ 7:22

    Hello Vivek sir,

    I want to restrict user sandy from pinging any system in my network by using the sudoers file.

    How can it be possible?

    • K.Santhosh May 4, 2011 @ 7:54

      Hi Sandy,

      As the ping command does not require sudo access, you can restrict ping with sudo.
      Ping is just a normal user command.

      • sandy May 4, 2011 @ 13:03

        Thanks for the reply.

        You mean we cannot restrict ping using the sudoers file?

        Waiting for a reply.

        • K.Santhosh May 4, 2011 @ 16:02

          You can try by adding the below line to /etc/sudoers file

          ALL = !/bin/ping

          Replace username field with the user whom you want to block access to ping.

          • K.Santhosh May 4, 2011 @ 16:04

            Sorry, in the previous reply I missed the username field; the correct syntax is

            sandy ALL = !/bin/ping

  • sandy May 5, 2011 @ 6:47

    Hello Santosh Sir,
    Thanks for reply.

    I followed the steps you gave but no luck. User sandy is still able to ping. I want to block user sandy from pinging any other machine in the network.

    I have pasted my /etc/sudoers file here; please check for any wrong entry.

    ## The COMMANDS section may have other options added to it.
    ## Allow root to run any commands anywhere
    root ALL=(ALL) ALL
    sandy ALL= !/bin/ping
    ## Allows members of the ‘sys’ group to run networking, software,
    ## service management apps and more.

    ## Allows people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL

    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    Sorry for my poor English.

    Please help me.

  • MoCua.Com Jul 18, 2011 @ 0:14

    very thanks

  • Manu Jul 27, 2011 @ 22:52

    Is there a way to block outgoing ping requests? I am trying to kill any ping request going out, like to one of the internal servers or whatnot. I am trying to add this last layer of security so that if someone obtains the wireless password they would have a hard time finding other servers outside of the wireless network.

    I am running a Linksys WRT54GL with Tomato on it. I already modified the /proc/sys/net/ipv4/icmp_echo_ignore_all file but I guess that will stop only incoming ping requests.
    Any ideas?

    Thanks in advance.


    • Steve Gamble Dec 20, 2011 @ 21:17

      Depending on the version and flavour of O/S you can play with the permissions of /bin/ping. If RHEL and the suid is set, change the permission to remove that bit and leave as 755. This will fail as ping uses an ICMP system call which is owned by root (that’s why the suid). If a different flavor of Linux, just change the permission to 700 and no outgoing pings.

      Good luck

  • brian Nov 14, 2015 @ 11:28

    now how to enable the ping again?

    • 如何让我遇见你 Nov 19, 2015 @ 9:03

      delete this rule

  • Petre Gheorghe Feb 18, 2016 @ 23:06

    Not working
