PING – ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.
Blocking PING on the server is helpful sometimes, if the server continues to face any type of DDoS attack by using the PING feature. By using iptables we can simply stop the PING option to and from your server. Before starting this, you must have an idea about What is iptables in Linux?
We can call it the basics of a Firewall in Linux. Iptables is a rule-based firewall system and is usually pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By default the iptables is running without any rules, we can create, add and edit rules to it. In this article, I am going to explain how we can allow/block PING in and out to a server.
We can manage it with the help of iptables. The ping is using ICMP to communicate. We can simply manage the icmp : Internet Controlled Message Protocol from iptables.
Okay, let’s start to Allow/deny ping on Linux server rules.
Required iptables command switches
The below-pasted switches are required for creating a rule for managing ICMP.
-A : Add a rule -D : Delete rule from table -p : To specify protocol (here 'icmp') --icmp-type : For specifying type -J : Jump to target
Normally using ICMP types and their Codes. Click here for ICMP Types and Codes
echo-request : 8 echo-reply : 0
How to block PING to your server with an error message?
In this way, you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)
IPv4- iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT IPv6- ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j REJECT
Example:
[aloky@dhbu-pc0012 ~]$ ping 192.168.1.100 PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data. From 192.168.1.100 icmp_seq=1 Destination Port Unreachable From 192.168.1.100 icmp_seq=2 Destination Port Unreachable From 192.168.1.100 icmp_seq=3 Destination Port Unreachable
To block without any messages use DROP as Jump to target.
IPv4- iptables -A INPUT -p icmp --icmp-type echo-request -j DROP iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP IPv6- ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j DROP
Allow Ping from Outside to Inside
IPv4- iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT IPv6- ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
How to block PING from your server?
In this way, you can block the PING option from your server to outside. Add these rules to your iptables to do the same. Block PING operation with the message Operation not permitted
IPv4- iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP Ipv6- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j DROP
Example:
[root@alokyadav ~]$ ping google.com PING google.com (173.194.34.136) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted
To block without any error messages
For this, DROP the echo-reply to the INPUT chain of your iptables.
IPv4- iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP IPv6- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j DROP ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j DROP
Allow Ping from Inside to Outside
Ipv4- iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT IPv6- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
You can use the ICMP code instead of icmp-type name for adding rules to iptables.