Linux Iptables allow or block ICMP ping request

So how do you allow or block ping in iptables on a Linux cloud or bare metal server? The Internet Control Message Protocol (ICMP) carries many kinds of messages, identified by a “type” field. For ping you need ICMP types 0 and 8:


  1. Zero (0) is for echo-reply (pong)
  2. Eight (8) is for echo-request (ping)

This page explains how to allow or block ICMP ping request using the iptables command.

Linux iptables rules ICMP ping request syntax

To allow incoming ICMP ping requests from clients, use the following iptables rules (add them to your firewall script). My default firewall policy is to block everything. The syntax is:

iptables -A {INPUT|OUTPUT} -p icmp -j {ACCEPT|REJECT|DROP}
iptables -A {INPUT|OUTPUT} -p icmp --icmp-type {0|8}  -j {ACCEPT|REJECT|DROP}
iptables -A {INPUT|OUTPUT} -p icmp --icmp-type {echo-reply|echo-request} -j {ACCEPT|REJECT|DROP}
iptables -A {INPUT|OUTPUT} -p icmp --icmp-type {echo-reply|echo-request} -m state --state NEW,ESTABLISHED,RELATED -j {ACCEPT|REJECT|DROP}

Where,

  • -A {INPUT|OUTPUT} : Append firewall rule to INPUT or OUTPUT chain.
  • -p icmp : Use the icmp protocol.
  • -p icmp --icmp-type {0|8} OR --icmp-type {echo-reply|echo-request} : ICMP match option, by number such as ‘0’ or by name such as ‘echo-reply’.
  • -j {ACCEPT|REJECT|DROP} : Tell Linux what to do if the packet matches. ACCEPT lets the packet through. DROP silently discards it; REJECT discards it and sends an error back to the sender. Use REJECT when you want the other end (client, host or bot) to learn that the port is unreachable, and DROP for hosts you do not want people/bots/clients to see.
  • -m state --state NEW,ESTABLISHED,RELATED : Extended ICMP packet matching using the connection-tracking state (the equivalent -m conntrack --ctstate option also works). The values are:
    • INVALID : The packet is associated with no known connection.
    • NEW : The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions.
    • ESTABLISHED : The packet is associated with a connection which has seen packets in both directions.
    • RELATED : The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

Let us see some examples.

NOTE: All commands must be typed as the root user. See how to log in as root user.

Allow ALL ICMP traffic to firewall

Iptables accept ICMP:

iptables -A INPUT -p icmp -j ACCEPT

Now users can ping your server or firewall using the ping command. For example:
$ ping -c 4 192.168.2.17
$ ping -c 4 www.cyberciti.biz

DROP ALL ICMP traffic to firewall

Iptables DROP or reject ICMP:

iptables -A INPUT -p icmp -j DROP

## OR let client politely know ping request ##
## was dropped and rejected  ##
iptables -A INPUT -p icmp -j REJECT

Listing all rules including icmp rules in iptables INPUT chain

Run the commands by passing the -L or --list option:
$ sudo iptables -t filter -L INPUT -v
$ sudo iptables --table filter --list INPUT --verbose

You can show or list all iptables rules with line numbers on Linux, run:
$ sudo iptables -t filter -L INPUT -v --line-numbers
$ sudo iptables --table filter --list INPUT --verbose --line-numbers

Deleting icmp rule

You can remove a matching rule from a chain using the following syntax (-D or --delete option):
$ sudo iptables -D {chain} {rule-specification}
# delete by line number #
$ sudo iptables -D {chain} {rule-number}
# Remove by matching rule #
$ sudo iptables -D INPUT -p icmp -j ACCEPT
$ sudo iptables -D INPUT -p icmp -j DROP -v
$ sudo iptables -D INPUT -p icmp -j REJECT -v

Linux Iptables allow or block ICMP ping request demo


Task: Enable or allow ICMP ping incoming client request

Rule to enable ICMP ping incoming client request ( assuming that default iptables policy is to drop all INPUT and OUTPUT packets):

## Set your server IP here ##
SERVER_IP="202.54.10.20"

## Now allow ping request ##
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d "$SERVER_IP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s "$SERVER_IP" -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping request

To enable ICMP ping outgoing request use following iptables rule:

SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s "$SERVER_IP" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d "$SERVER_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I disable outgoing ICMP request?

Use the following rules:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

## OR ##
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

The ICMP echo-request type will be blocked by above rule.
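The three tasks above (incoming ping, outgoing ping, blocking outgoing ping) put together as one script. This is an added example, not the article's own script: it keeps the echo-request/echo-reply pairs and state matches from the rules above, prints the rules by default (DRY_RUN=1) so they can be reviewed before touching the firewall, and uses iptables -C so that re-running the script never appends a duplicate rule. SERVER_IP defaults to the article's sample address and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): ping rule pairs for a firewall whose
# default INPUT and OUTPUT policy is DROP, as assumed in the tasks above.
set -eu

SERVER_IP="${SERVER_IP:-202.54.10.20}"   # the article's sample address; set your own
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules only; 0 = apply them as root

# add_rule CHAIN RULE... : append a rule unless an identical one already exists.
# "iptables -C" returns 0 when the rule is present, so the script is idempotent.
add_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -A $*"
    elif ! iptables -C "$@" 2>/dev/null; then
        iptables -A "$@"
    fi
}

# Incoming ping: accept echo-request addressed to us, let our echo-reply out.
allow_incoming_ping() {
    add_rule INPUT -p icmp --icmp-type echo-request -s 0/0 -d "$SERVER_IP" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    add_rule OUTPUT -p icmp --icmp-type echo-reply -s "$SERVER_IP" -d 0/0 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Outgoing ping: let our echo-request out, accept only the matching echo-reply back.
allow_outgoing_ping() {
    add_rule OUTPUT -p icmp --icmp-type echo-request -s "$SERVER_IP" -d 0/0 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    add_rule INPUT -p icmp --icmp-type echo-reply -s 0/0 -d "$SERVER_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Alternative to allow_outgoing_ping: refuse to send echo-requests at all.
block_outgoing_ping() {
    add_rule OUTPUT -p icmp --icmp-type echo-request -j DROP
}

# Usage: ./ping-rules.sh incoming|outgoing|both|block-outgoing
case "${1:-}" in
    incoming)       allow_incoming_ping ;;
    outgoing)       allow_outgoing_ping ;;
    both)           allow_incoming_ping; allow_outgoing_ping ;;
    block-outgoing) block_outgoing_ping ;;
esac
```

Review the printed rules first, then run with DRY_RUN=0 as root. Because the ESTABLISHED,RELATED state match on the reply direction only accepts replies that connection tracking has seen a request for, an unsolicited echo-reply from outside is still dropped by the default policy.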

See the ICMP type numbers (type fields) registry for all defined types. You can also get the list of ICMP types that iptables knows by typing the following command at the shell prompt:
$ iptables -p icmp -h
Values are:

Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

Summing up

Blocking ping/pong (ICMP requests) may offer minimal benefit with modern networks. By default, iptables should allow ping requests for troubleshooting purposes. I suggest you rate limit ICMP ping requests instead of blocking them completely. The syntax is:

# Syntax rate limit icmp ping #
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit {NUMBER}/sec --limit-burst {NUMBER} -j ACCEPT

# Examples rate limiting ICMP ping #
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 30/minute --limit-burst 120 -j ACCEPT

# Log ICMP flood (the LOG rule is itself rate limited so it cannot fill the logs)
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/minute --limit-burst 2 -j LOG --log-prefix " PING-PONG-FLOOD "

# DROP it
iptables -A INPUT -p icmp --icmp-type 8 -j DROP

# Verify after some time both LOG and DROP
iptables -L -n -v

Where

  • --limit rate[/second|/minute|/hour|/day] : Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.
  • --limit-burst number : Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
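To see what --limit and --limit-burst mean for an actual flood, here is a token-bucket simulation of the limit match. It is an added example and a model for reasoning about the rule, not the kernel's code: the bucket starts full with --limit-burst tokens, each matching packet spends one token, and elapsed time refills the bucket at the --limit rate, capped at the burst size. The function names and the millisecond timestamps are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): simulate "-m limit" decisions.
set -eu

# limit_sim RATE_PER_MINUTE BURST T1 T2 ... : T1..TN are packet arrival times in
# milliseconds, ascending. Prints how many packets the limit rule would match.
# Credit is tracked in milliseconds: one token = "interval" ms of credit.
limit_sim() {
    rate=$1; burst=$2; shift 2
    interval=$((60000 / rate))        # ms of credit per token
    capacity=$((burst * interval))    # a full bucket (--limit-burst)
    credit=$capacity                  # the bucket starts full
    last=0; matched=0
    for t in "$@"; do
        credit=$((credit + t - last)) # refill with elapsed time
        if [ "$credit" -gt "$capacity" ]; then credit=$capacity; fi
        last=$t
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval))   # spend a token: this packet matches
            matched=$((matched + 1))
        fi
        # otherwise the packet falls through to the next rule (LOG, then DROP)
    done
    echo "$matched"
}

# repeat N T : print N copies of timestamp T, i.e. a burst arriving at once.
repeat() {
    i=0
    while [ "$i" -lt "$1" ]; do printf '%s ' "$2"; i=$((i + 1)); done
}

# 200 echo-requests at once against "--limit 30/minute --limit-burst 120":
# the first 120 are accepted, the other 80 reach the LOG/DROP rules.
echo "200 at t=0:              $(limit_sim 30 120 $(repeat 200 0)) matched"
# After the burst is spent, one more packet is accepted every 2 s (60000/30 ms).
echo "200 at t=0, +1 at t=2s:  $(limit_sim 30 120 $(repeat 200 0) 2000) matched"
# Small bucket: 2 tokens, refilled one per 2 s, never more than 2.
echo "burst 2, 3 at t=0, 3 at t=100s: $(limit_sim 30 2 0 0 0 100000 100000 100000) matched"
```

The last line shows why the LOG rule in the article uses a small burst: a long quiet period refills the bucket only up to --limit-burst, so a renewed flood produces at most two log lines before the 1/minute rate takes over.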

When the limit is reached, you will get messages like the following in your logs. Use dmesg together with the grep command:
$ dmesg | grep PING-PONG-FLOOD
Sample log:

[41719.439607]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:f0:1f:af:1f:2c:60:08:00 SRC=192.168.2.17 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3761 PROTO=ICMP TYPE=8 CODE=0 ID=27413 SEQ=120 
[41719.450269]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:f0:1f:af:1f:2c:60:08:00 SRC=192.168.2.17 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3762 PROTO=ICMP TYPE=8 CODE=0 ID=27413 SEQ=121 
[41779.449955]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:f0:1f:af:1f:2c:60:08:00 SRC=192.168.2.17 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4494 PROTO=ICMP TYPE=8 CODE=0 ID=27413 SEQ=5793
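A small report over those log lines, grouped by source address, as an added example that is not part of the article. The first three sample lines are the article's own; the fourth is a constructed line for a second source so the grouping is visible. The function name is this example's own; it expects dmesg-style lines with the [seconds] timestamp in the first field.

```shell
#!/bin/sh
# Added example (not from the article): summarise PING-PONG-FLOOD log lines.
set -eu

# Sample input: lines 1-3 are the article's log, line 4 is constructed.
SAMPLE_LOG=$(cat <<'EOF'
[41719.439607]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:f0:1f:af:1f:2c:60:08:00 SRC=192.168.2.17 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3761 PROTO=ICMP TYPE=8 CODE=0 ID=27413 SEQ=120
[41719.450269]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:f0:1f:af:1f:2c:60:08:00 SRC=192.168.2.17 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3762 PROTO=ICMP TYPE=8 CODE=0 ID=27413 SEQ=121
[41779.449955]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:f0:1f:af:1f:2c:60:08:00 SRC=192.168.2.17 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4494 PROTO=ICMP TYPE=8 CODE=0 ID=27413 SEQ=5793
[41800.000000]  PING-PONG-FLOOD IN=enp0s31f6 OUT= MAC=48:2a:e3:5c:16:bc:aa:bb:cc:dd:ee:ff:08:00 SRC=10.0.0.9 DST=192.168.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5000 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
)

# flood_report: reads kernel log lines on stdin and prints one line per SRC:
# "SRC  count  seconds between first and last logged hit", sorted by address.
flood_report() {
    awk '
    /PING-PONG-FLOOD/ {
        ts = substr($1, 2, length($1) - 2) + 0      # "[41719.439607]" -> 41719.439607
        src = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src == "") next                         # malformed line: skip it
        n[src]++
        if (!(src in first)) first[src] = ts
        last[src] = ts
    }
    END {
        for (s in n) printf "%s %d %.3f\n", s, n[s], last[s] - first[s]
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | flood_report
```

Run it on the live log with dmesg | flood_report. Keep in mind that the LOG rule is limited to 1/minute with a burst of 2, so the log count is a floor on how many echo-requests were dropped; the packet counters from iptables -L INPUT -n -v give the real volume.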

Here is how counters look, run:
$ sudo iptables -L INPUT -n -v
Outputs:

Chain INPUT (policy ACCEPT 12973 packets, 1292K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  182 15288 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 30/min burst 120
    4   336 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/min burst 2 LOG flags 0 level 4 prefix " PING-PONG-FLOOD "
11834  994K DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Getting help

Read the iptables man page using the man command, or use the built-in help option:
$ man iptables
$ iptables --help
$ iptables --help | more



I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

25 comments
  • Sun Oct 6, 2010 @ 16:43

    Actually worked right away, didn't need to restart at all, thanks

  • Snehal Oct 25, 2011 @ 13:38

    Thanks very much and appreciate your knowledge sharing. This helped me to block ICMP traffic for my application testing.

  • help Feb 1, 2012 @ 18:18

    hi,
    i want to do ip spoofing for my exercise but i can’t !!!
    the question is :
    use iptables to modify your IP address to 10.2.3.4 when sending out icmp requests.

  • Cody Jul 26, 2014 @ 13:07

    Sigh. I _really_ wish administrators would STOP recommending (and actually following it) to block ICMP itself outright. Rate limit by all means, that’s good. Block fragmented packets (nowadays it is generally malicious). But blocking ICMP itself is a bad idea. And in IPv6 it is especially bad if you want a working connection, anyway (or I seem to remember.. it is vague at this time but there are certain differences for sure, in IPv6 that are absolutely necessary to be aware of if you don’t want to run into problems). What ICMP stands for gives the reason (or should): internet control message protocol. It is for error reporting. You should block certain ICMP types, sure, but ping is a bad example of what to block (unless we’re talking spoofed packets or to broadcast (which by the way, 255.255.255.255 – that is, someone sending to such – will not send to every IP that exists… as an aside) or … but that’s different). Not heeding this advice only leads to network troubleshooting issues. And I’ll point something else out: blocking ping does nothing for security. Nothing (again, rate limiting is fine). Not a damned thing. It is a false sense of security. There’s other ways to find out if your system is there and blocking ping is hardly going to stop a would-be attacker.
