BY?ADMIN?-?APRIL, 9TH 2014

The ‘PING’, it’s a command-line tool to check a host is reachable or not. We can manage it by the help of ‘iptables’. The ‘ping’ is using ICMP to communicate. We can simply manage the ‘icmp : Internet Controlled Message Protocol’ from iptables.

Required iptables switches
The below pasted switches are required for creating a rule for managing icmp.

-A : Add a rule -D : Delete rule from table -p : To specify protocol (here 'icmp') --icmp-type : For specifying type -J : Jump to target

Normally using icmp types and its Codes Click here for ICMP Types and Codes

echo-request : 8 echo-reply : 0

Here I am explaining some examples.

How to block PING to your server with an error message ?
In this way you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Example:

[root@support ~]# ping 109.200.11.67 PING 109.200.11.67 (109.200.11.67) 56(84) bytes of data. From 109.200.11.67 icmp_seq=1 Destination Port Unreachable From 109.200.11.67 icmp_seq=2 Destination Port Unreachable From 109.200.11.67 icmp_seq=3 Destination Port Unreachable

To block without any messages use DROP as Jump to target.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Outside to Inside

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

How to block PING from your server to world ?
In this way you can block PING option from your server to outside. Add these rules to your iptables to do the same.
Block PING operation with message ‘Operation not permitted’

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Example:

root@test [~]# ping google.com PING google.com (173.194.34.136) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted

To block with out any error messages.
For this, DROP the echo-reply to the INPUT chain of you iptables.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Inside to Outside

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

You can use the icmp code instead of icmp-type name for adding rule to iptables.
That’s it. Try this and let me know your feedback.

reference:http://crybit.com/iptables-rules-for-icmp/

轉載于:https://www.cnblogs.com/davidwang456/p/3657898.html

總結

以上是生活随笔為你收集整理的How to allow/block PING on Linux server – IPTables rules for icmp---reference的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。