Testing Connectivity with fping and send mail if any hosts are unreachable

Posted on in Categories CentOS, Debian Linux, Gentoo Linux, Hardware, Howto, Linux, Networking, Shell scripting, Sys admin, Tips, Ubuntu Linux, UNIX last updated November 21, 2007

fping is one my favorite network profiling / scripting tool. It uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding or not.

Unlike ping , fping is meant to be used in scripts, so its output is designed to be easy to parse.

You can easily write perl / shell script to check a list of hosts and send mail if any are unreachable.

fping command example

Just type the following command to see if we can reach to router:
$ fping router
Output:

router is alive

You can read list of targets (hosts / servers) from a file. The -f option can only be used by the root user. Regular users should pipe in the file via
I/O redirectors (stdin). For example read all host names from ~/.ping.conf file
$ fping < ~/.ping.conf

You can also netmask to ping the entire network i.e generate a target list from a supplied IP netmask. For example, ping the class C 192.168.1.x:
$ fping -g 192.168.1.0/24
or
$ fping -g 192.168.1.0 192.168.1.255

Sample shell script to send email if host is down

#!/bin/bash
HOSTS="router sun printer laptop sony-laptop xbox backup-server"
DLIST=""
for h in $HOSTS
do
  fping -u $h >& /dev/null
  if [ $? -ne 0 ]; then
          echo ${h} host is down send email
          # mail -s "Host ${h} down" [email protected] </dev/null
  fi
done

Another good example is when you want to perform an action only on hosts that are currently reachable.

#!/usr/bin/perl
$myHosts = ‘cat /etc/hosts.backup | fping -a‘;
foreach $host (split(/\n/,$myHosts)) {
        # take action or call other function
}

Linux Iptables allow or block ICMP ping request

Posted on in Categories Debian Linux, Gentoo Linux, Iptables, RedHat/Fedora Linux, Security, Suse Linux, Ubuntu Linux last updated June 28, 2005

The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field. You need to use 0 and 8 ICMP code types.

=> Zero (0) is for echo-reply

=> Eight (8) is for echo-request.

To enable ICMP ping incoming client request use following iptables rule (you need to add following rules to script).

My default firewall policy is blocking everything.

Task: Enable or allow ICMP ping incoming client request

Rule to enable ICMP ping incoming client request ( assuming that default iptables policy is to drop all INPUT and OUTPUT packets)

SERVER_IP="202.54.10.20"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping request

To enable ICMP ping outgoing request use following iptables rule:

SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I disable outgoing ICMP request?

Use the following rules:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

OR

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

ICMP echo-request type will be block by above rule.

See ICMP TYPE NUMBERS (type fields). You can also get list of ICMP types, just type following command at shell prompt:
# /sbin/iptables -p icmp -h