June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
2.15. Preventing pings
Problem
You don’t want remote sites to receive responses if they ping you.
Solution
For
iptables
:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
For ipchains:
# ipchains -A input -p icmp --icmp-type echo-request -j DENY
Discussion
In this case, we use DROP and DENY instead of REJECT. If you’re trying to hide from pings, then replying with a rejection kind of defeats the purpose, eh?
Don’t make the mistake of dropping all ICMP messages, e.g.:
WRONG!! DON'T DO THIS!
# iptables -A INPUT -p icmp -j DROPbecause pings are only one type of ICMP message, and you might not want to block all types. That being said, you might want to block some others, like redirects and source quench. List the available ICMP messages with:
$ iptables -p icmp -h $ ipchains -h icmp
See Also
iptables(8), ipchains(8). The history of ping, by its author, is at http://ftp.arl.mil/~mike/ping.html.