2.15. Preventing pings

Problem

You don’t want remote sites to receive responses if they ping you.

Solution

For iptables :

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

For ipchains:

# ipchains -A input -p icmp --icmp-type echo-request -j DENY

Discussion

In this case, we use DROP and DENY instead of REJECT. If you’re trying to hide from pings, then replying with a rejection kind of defeats the purpose, eh?

Don’t make the mistake of dropping all ICMP messages, e.g.:

               WRONG!! DON'T DO THIS!
# iptables -A INPUT -p icmp -j DROP

because pings are only one type of ICMP message, and you might not want to block all types. That being said, you might want to block some others, like redirects and source quench. List the available ICMP messages with:

$ iptables -p icmp -h
$ ipchains -h icmp

See Also

iptables(8), ipchains(8). The history of ping, by its author, is at http://ftp.arl.mil/~mike/ping.html.

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial