2.15. Preventing pings
Problem
You don’t want remote sites to receive responses if they ping you.
Solution
For iptables:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
For ipchains:
# ipchains -A input -p icmp --icmp-type echo-request -j DENY
Discussion
In this case, we use DROP and DENY instead of REJECT. If you’re trying to hide from pings, then replying with a rejection kind of defeats the purpose, eh?
Don’t make the mistake of dropping all ICMP messages, e.g.:
WRONG!! DON'T DO THIS!
# iptables -A INPUT -p icmp -j DROP
because pings are only one type of ICMP message, and you might not want to block all types. That being said, you might want to block some others, like redirects and source quench. List the available ICMP messages with:
$ iptables -p icmp -h
$ ipchains -h icmp
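To check an existing ruleset for the blanket-drop mistake described above, here is an added example (not from the book) that classifies the ICMP DROP rules in the INPUT chain. It assumes rules in the format printed by `iptables -S`; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book). Reads rules in `iptables -S` format on
# stdin and classifies every INPUT rule that drops ICMP traffic:
#   PING      drops only echo-request (type 8), as in the recipe
#   BLANKET   drops every ICMP type, the mistake the Discussion warns about
#   INVERTED  "! --icmp-type X": drops every type except X, nearly as broad
#   OTHER     drops some other single ICMP type
audit_icmp_rules() {
    while IFS= read -r rule; do
        r=" $rule "                      # pad so every token is space-delimited
        case "$r" in
            " -A INPUT "*) ;;            # only rules appended to INPUT
            *) continue ;;
        esac
        case "$r" in
            *" ! -p icmp "*) continue ;; # inverted protocol match: not ICMP
            *" -p icmp "*"-j DROP "*) ;; # ICMP rule whose target is DROP
            *) continue ;;
        esac
        case "$r" in
            *" ! --icmp-type "*)
                echo "INVERTED: $rule" ;;
            *" --icmp-type echo-request "*|*" --icmp-type 8 "*|*" --icmp-type 8/0 "*)
                echo "PING: $rule" ;;
            *" --icmp-type "*)
                echo "OTHER: $rule" ;;
            *)
                echo "BLANKET: $rule" ;;
        esac
    done
}

# Constructed sample ruleset, written the way `iptables -S INPUT` prints rules
# (ICMP types appear as numbers there: 8 = echo-request, 5 = redirect).
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

sample_rules | audit_icmp_rules
```

On a live host, run `iptables -S INPUT | audit_icmp_rules` as root; any BLANKET or INVERTED line marks a rule that drops far more than pings.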
See Also
iptables(8), ipchains(8). The history of ping, by its author, is at http://ftp.arl.mil/~mike/ping.html.