BY ADMIN - APRIL, 9TH 2014

The ‘PING’, it’s a command-line tool to check a host is reachable or not. We can manage it by the help of ‘iptables’. The ‘ping’ is using ICMP to communicate. We can simply manage the ‘icmp : Internet Controlled Message Protocol’ from iptables.

Required iptables switches
The below pasted switches are required for creating a rule for managing icmp.

-A : Add a rule

-D : Delete rule from table

-p : To specify protocol (here 'icmp')

--icmp-type : For specifying type

-J : Jump to target

Normally using icmp types and its Codes Click here for ICMP Types and Codes

echo-request   :  8

echo-reply     :  0

Here I am explaining some examples.

How to block PING to your server with an error message ?
In this way you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Example:

[root@support ~]# ping 109.200.11.67

PING 109.200.11.67 (109.200.11.67) 56(84) bytes of data.

From 109.200.11.67 icmp_seq=1 Destination Port Unreachable

From 109.200.11.67 icmp_seq=2 Destination Port Unreachable

From 109.200.11.67 icmp_seq=3 Destination Port Unreachable

To block without any messages use DROP as Jump to target.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Outside to Inside

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

How to block PING from your server to world ?
In this way you can block PING option from your server to outside. Add these rules to your iptables to do the same.
Block PING operation with message ‘Operation not permitted’

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Example:

root@test [~]# ping google.com

PING google.com (173.194.34.136) 56(84) bytes of data.

ping: sendmsg: Operation not permitted

ping: sendmsg: Operation not permitted

ping: sendmsg: Operation not permitted

ping: sendmsg: Operation not permitted

To block with out any error messages.
For this, DROP the echo-reply to the INPUT chain of you iptables.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Inside to Outside

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

You can use the icmp code instead of icmp-type name for adding rule to iptables.
That’s it. Try this and let me know your feedback.

reference:http://crybit.com/iptables-rules-for-icmp/

How to allow/block PING on Linux server – IPTables rules for icmp---reference的更多相关文章

  1. 在Oracle Linux Server release 6.4下配置ocfs2文件系统

    ① 安装ocfs-tools-1.8 如果是使用RedHat Enterprise Linux 6.4,也可以安装ocfs-tools-1.8的,只是要插入Oracle Linux Server re ...

  2. Linux Server

    Linux Server CentOS 6.3下配置iSCSI网络存储 摘要: 一.简介iSCSI(internet SCSI)技术由IBM公司研究开发,是一个供硬件设备使用的.可以在IP协议的上层运 ...

  3. 在Azure上实现Linux Server故障转移

    要充分利用公有云的弹性扩展和高可用, 首先要在应用系统层面支持横向扩展(scale out),这个说起来很容易,或者说对新开发的应用系统而言已经成为标配.但是对已有的.老旧的应用系统来说,这就比较困难 ...

  4. HowTo: Linux Server Change OR Setup The Timezone

    Method 1 #tzselect # select timezone e.g. Asia/Shanghai#echo 'Asia/Shanghai' > /etc/timezone # se ...

  5. Zyxel Switch-How to block a fake DHCP server without enabling DHCP snooping?

    How to block a fake DHCP server without enabling DHCP snooping? Scenario How to block a fake DHCP se ...

  6. 分析windows宿主机Ping不通linux虚拟机的其中一种情况

    ping不通的情况是由于设置网络选项的时候,可以看到界面名称的选择如下(当前选择的是无线网卡驱动):

  7. ORACLE Install (10g r2) FOR Red Hat Enterprise Linux Server release 5.5 (64 bit) (转)

    OS Info----------# cat /etc/redhat-releaseRed Hat Enterprise Linux Server release 5.5 (Tikanga)# cat ...

  8. Red Hat Enterprise Linux Server(RHEL) yum安装软件时This system is not registered with RHN. RHN support will be disabled. 的解决方法(转)

    新安装了redhat6.5.安装后,登录系统,使用yum update 更新系统.提示: This system is not registered to Red Hat Subscription M ...

  9. Linux server关闭自己主动

    公司linux server发生错误.mysql server没有理由关闭,我找不到理由.Version: '5.6.13-enterprise-commercial-advanced' socket ...

随机推荐

  1. 【转】第一个Linux内核驱动程序

    原文网址:http://blog.csdn.net/nexttake/article/details/8181008 刚看 O’REILLY 写的<LINUX 设备驱动程序>时.作者一再强 ...

  2. JSON--List集合转换成JSON对象

    转自:http://www.cnblogs.com/xmaomao/p/3184542.html 1. 简单的手动放置 键值对 到JSONObject,然后在put到JSONArray对象里 List ...

  3. alibaba笔试3

    16.C 17.这道的取值范围应该是1到1023.这样就选择A 18.B 圆桌问题1个人拿出来当key 19.D 类似于https://apollozhao.wordpress.com/categor ...

  4. svn版本控制-windows篇

    一.准备工作 1.获取 Subversion 服务器程序(服务端) 到官方网站(http://subversion.tigris.org/)下载最新的服务器安装程序.目前最新的是1.5版本,具体下载地 ...

  5. MSP430F149流水灯闪烁以及数码管的显示

    今天下午写了一个流水灯闪烁的实验,总的来说,不难,因为这块板子集合的电路图没有上一块那么复杂,所以总的来说,还是比较顺手,开始的时候,出现流水灯没有流转的现象,原来是没有加入延时函数,后来经过调整,结 ...

  6. Java HashMap存储问题

    public static boolean isIsomorphic(String s, String t) { Map map1 = new HashMap<>(); Map map2 ...

  7. USB HID报告及报告描述符简介

    在USB中,USB HOST是通过各种描述符来识别设备的,有设备描述符,配置描述符,接口描述符,端点描述符,字符串描述符,报告描述符等等.USB报告描述符(Report Descriptor)是HID ...

  8. 关于java对象的思考

    不可变对象和类 由不可变类创建的对象就是不可变对象,要使一个类成为不可变的,它必须满足下面的需求: 所有数据域都是私有的 没有修改器方法 没有一个访问器的方法,它会返回一个指向可变数据域的引用 看下面 ...

  9. java中String类小结

    构建一个字符串 1.用字符串直接量: String message = new String("Welcome to java"); 2.用字符串直接量: String messa ...

  10. HDU-4647 Another Graph Game 贪心,博弈

    题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=4647 注意这题两人的决策是想要使得自己的分数与对方的差值最大.. 注意到数据范围,显然是贪心之类的,如 ...