Linux Iptables allow or block ICMP ping request

The Internet Control Message Protocol (ICMP) has many messages, each identified by a “type” field. Ping uses two of them, ICMP types 0 and 8:

=> Zero (0) is for echo-reply

=> Eight (8) is for echo-request.

To allow incoming ICMP ping requests from clients, use the following iptables rules (add them to your firewall script).

My default firewall policy is blocking everything.

Task: Enable or allow incoming ICMP ping requests

Rules to allow incoming ICMP ping requests (assuming that the default iptables policy is to drop all INPUT and OUTPUT packets). Replace $SERVER_IP with your server's actual IP address, or set it as a shell variable first:

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping requests

To allow outgoing ICMP ping requests, use the following iptables rules:

iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I disable outgoing ICMP requests?

Use either of the following rules. They are equivalent, because echo-request is the name of ICMP type 8:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

or

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

Either rule blocks outgoing ICMP echo-request packets.

See ICMP TYPE NUMBERS (type fields). You can also list the ICMP types that iptables knows by typing the following command at a shell prompt:
# /sbin/iptables -p icmp -h
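
The two tasks above combined into one script, as an added example that is not part of the original article: it validates SERVER_IP, skips rules that are already loaded (iptables -C), and by default only prints the commands. The function names and the DRY_RUN and PING_MODE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# DRY_RUN=1 (the default here) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Append a rule to chain $1 unless an identical rule is already loaded
# (iptables -C checks for it), so re-running the script adds no duplicates.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -A $*"
    else
        iptables -C "$@" 2>/dev/null || iptables -A "$@"
    fi
}

# ping_rules SERVER_IP [in|out|both]: the article's rule pairs for one address.
ping_rules() {
    ip=$1 mode=${2:-both}
    valid_ipv4 "$ip" || { echo "invalid SERVER_IP: $ip" >&2; return 1; }
    case "$mode" in both|in|out) ;; *) echo "mode: in|out|both" >&2; return 1 ;; esac
    if [ "$mode" != out ]; then   # inbound ping: request (8) in, reply (0) out
        rule INPUT  -p icmp --icmp-type 8 -s 0/0 -d "$ip" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        rule OUTPUT -p icmp --icmp-type 0 -s "$ip" -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi
    if [ "$mode" != in ]; then    # outbound ping: request (8) out, reply (0) in
        rule OUTPUT -p icmp --icmp-type 8 -s "$ip" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        rule INPUT  -p icmp --icmp-type 0 -s 0/0 -d "$ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi
}

# Runs only when SERVER_IP is set in the environment.
if [ -n "${SERVER_IP:-}" ]; then
    ping_rules "$SERVER_IP" "${PING_MODE:-both}"
fi
```

Run it once with only SERVER_IP set to review the printed commands, then again as root with DRY_RUN=0 to load them.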

25 comments… add one
  • Anonymous Aug 1, 2005 @ 4:19

    Thank you for the above post. I found what I was looking for after about 15min googling.

  • polarizers 2cent Oct 5, 2005 @ 15:25

    This seems to be incomplete. An ICMP ping is an “icmp echo request” that is followed up by an “icmp echo reply”. So you need to specify the appropriate “--icmp-type” in your incoming and outgoing chains.

    Possible values for --icmp-type are listed by “iptables -p icmp -h”. There are ICMP packets you don’t want to receive or reply to.

    polarizers 2cent

  • LinuxTitli Oct 5, 2005 @ 23:29

    >This seems to be incomplete
    Nope, this is not incomplete.

    >Possible values for --icmp-type are listed by “iptables -p icmp -h”. There are ICMP packets you don’t want to receive or reply to.

    Yup, but you don’t have to use them. I just prefer to keep it simple aka KISS. My Default firewall policy is block everything, so this works w/o problem.

  • fsckyou Nov 17, 2005 @ 4:39

    I beg to differ. IT is incomplete. You block everything, then you open all ICMP traffic. How does this block other types of ICMP traffic?

  • Anonymous Jan 31, 2006 @ 19:45

    I need to disable outgoing ICMP from my server with iptables, how do I do that?

  • LinuxTitli Jan 31, 2006 @ 21:51

    I have updated post as per your request see above.

  • LinuxTitli Jan 31, 2006 @ 21:52

    fsckyou, you are right, I have updated the entire rules, thanks 😀

  • OSCAR Jun 28, 2007 @ 16:58

    How do I block ping requests with ENDIAN firewall?
    Best regards

  • China Landscape Oct 8, 2007 @ 4:48

    Thanks for your tip, it works perfectly.
    Just one question:
    Are the options --state NEW,ESTABLISHED,RELATED mandatory?

  • 🐧 nixCraft Oct 8, 2007 @ 5:02

    --state will improve security and it is one of the best features of Iptables. I recommend keeping it.

  • Hide IP Dec 2, 2007 @ 7:51

    Thanks for info! We’ll use this info in our script firewall.

  • ak Nov 3, 2008 @ 3:13

    iptables -A INPUT -p icmp –icmp-type 8 -s 0/0 -d $SERVER_IP -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

    Error: Bad argument `state’

  • Bill Dec 8, 2008 @ 18:48

    AK, you have a typo. Should be “--state”

  • 🐧 nixCraft Dec 8, 2008 @ 20:20

    You must replace $SERVER_IP with the actual IP address or create the variable yourself.

  • ashwani Apr 24, 2009 @ 20:27

    Nice… how about I can ping anyone but no one can ping me? … I made a lil rule

    iptables -A OUTPUT -p icmp --icmp-type echo-reply -s -d -j REJECT

    this for an single subnet 🙂

  • hamed Aug 7, 2009 @ 4:51

    Thank you a lot

  • myHPLinuxdummyServersux Oct 20, 2009 @ 21:08

    hi.. I’m from a networking background… couldn’t play around that much at home coz of ChISCO too $$$$… I heard Linux also can work as a router with their IPtables stuff… may I know:
    1. SERVER_IP=”″ is whose address? me as a server or the client’s IP?
    2. 0/0 ?
    3. NEW,ESTABLISHED,RELATED (try to understand this on9, maybe yall have a clearer explanation)
    4. -m?

  • Jorge Filippo Oct 29, 2009 @ 11:11

    How can I accept ICMP with a specific packet size? I want to be able to ping my server from my Windows notebook, but with -l 666 (for example), for monitoring purposes. But IPTABLES doesn’t seem to have an option to accept or deny a specific ping size. Is that correct? Thanks in advance.

  • Bill May 21, 2010 @ 15:46

    This may be a dumb question, but I can’t find the answer anywhere else. After I make a rule change, do I have to reload iptables or stop/start to activate the change?

    • 🐧 nixCraft May 21, 2010 @ 16:12

      Yes, you need to restart firewall if you made changes to config file.

      Reload script if you made changes to a shell script that loads all other rules.

  • Michael Aug 7, 2010 @ 17:38

    Thanks a lot it worked perfectly for me.

  • Sun Oct 6, 2010 @ 16:43

    Actually worked right away, didn’t need to restart at all, thanks

  • Snehal Oct 25, 2011 @ 13:38

    Thanks very much, I appreciate your knowledge sharing. This helped me to block ICMP traffic for my application testing.

  • help Feb 1, 2012 @ 18:18

    I want to do IP spoofing for my exercise but I can’t!!!
    the question is :
    use iptables to modify your IP address to when sending out icmp requests.

  • Cody Jul 26, 2014 @ 13:07

    Sigh. I _really_ wish administrators would STOP recommending (and actually following it) to block ICMP itself outright. Rate limit by all means, that’s good. Block fragmented packets (nowadays it is generally malicious). But blocking ICMP itself is a bad idea. And in IPv6 it is especially bad if you want a working connection, anyway (or I seem to remember.. it is vague at this time but there are certain differences for sure, in IPv6 that are absolutely necessary to be aware of if you don’t want to run into problems). What ICMP stands for gives the reason (or should): internet control message protocol. It is for error reporting. You should block certain ICMP types, sure, but ping is a bad example of what to block (unless we’re talking spoofed packets or to broadcast (which by the way, – that is, someone sending to such – will not send to every IP that exists… as an aside) or … but that’s different). Not heeding this advice only leads to network troubleshooting issues. And I’ll point something else out: blocking ping does nothing for security. Nothing (again, rate limiting is fine). Not a damned thing. It is a false sense of security. There’s other ways to find out if your system is there and blocking ping is hardly going to stop a would be attacker.
