Home / ubuntu / Questions / 17548
Accepted
david25
Asked: 2010-12-16 01:50:13 +0800 CST

How can I block ping requests with IPTables?

  • 772

and stealth specific ports?

10.10 security iptables firewall

4 Answers

  1. Best Answer

    To deny responses to ping requests..Add the following iptable rule

    iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT          
iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT     
iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT  
iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT       
iptables -A INPUT -p icmp -i eth0 -j DROP
    • 11

  2. I believe iptables -I INPUT -p icmp --icmp-type 8 -j DROP should do the trick.

    For IPv6 you would need something like ip6tables -I INPUT -p icmpv6 --icmp-type 8 -j DROP.

    • 8

  3. Simplest method of disabling ping response is to add an entry in /etc/sysctl.conf file. If the Iptables flushes or stop server will start responding to ping responses again. I suggest the following entry in your /etc/sysctl.conf file

    net.ipv4.icmp_echo_ignore_all = 1

    this will tell kernel to not respond any ping response, after this run sysctl -p on shell to implement the changes without reboot.

    For more info please refer: http://www.trickylinux.net/disable-ping-response-linux/

    • 3

  4. Drop ICMP echo requests ("Ping"):

    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

    What do you mean by stealth? You could just DROP all incoming packets. Google provided this:

    iptables -A INPUT -p tcp -m stealth -j REJECT

    But on (my) Ubuntu box, iptables does not know of a "stealth" match. As it seems, you can do lots of interesting stuff with xtables:

    aptitude show xtables-addons-common
    • 0