IPTABLES question - how do you reject icmp?
 

I would like to add to my iptables rules to reject any incoming ping requests.

What do I add to my rules to incorporate that?

Considering a "ping" is an echo request ICMP message, it would go like:

hi,

although you can reject ping - but its better to just DROP them - since rejecting ping will make your system busy. OTH - deactivating icmp in the system can make us difficult to diagnose network connectivity.

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

HTH.

Well I added and saved the rule but I'm still pingable for some reason. Tell me if anything looks wrong here:

tylerm@gentoo_sulaco ~ $ cat /etc/iptables.bak
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

COMMIT
# Completed on Tue May 10 08:06:58 2005

hi,

from which machine did you ping?
from your script you allow all from localhost - that could be the problem.

just for addition in creating rule : better to include which interface a rule should apply.

i.e assuming you pc01 with only 1 nic eth0 - dont want your friend pc02 ping you :

iptables -I INPUT -i eth0 -s <pc02> -p icmp --icmp-type 8 -j DROP.

HTH.

I pinged from my Mac OS X box that is on the same network. I'm really hoping to discourage pinging from that network on out... The node has wireless access also that sometimes friends attach to.

So the Mac is 192.168.0.100, the Linux in question is .103 so I'm guessing you would be suggesting:


iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP

That is not working either though... also, is there supposed to be a . at the end of:

iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP.

???

Oh, you are using the iptables-save format so you don't need the "iptables" command.

Replace the line

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

With

-A INPUT -p icmp --icmp-type 8 -j DROP

I am guessing that iptables-restore threw an error and did not update the ruleset (the error message it gives is fairly ... quiet).

no there is no need to put the ".", my mistake there - sorry.

BTW - what distro?
if you cant DROP it, then there must be wrong interface or something wrong with the iptables module :
lets do an ifconfig -a and change it accordingly.

or perhaps you create an iptables script that did not get executed when booting.

HTH.

As has been said, if this is an iptables configuration file which you are dealing with, you don't need to specify the iptables command, nor use a period at the end. That said, the ping wouldn't even reach your "drop ping requests" rule here because it would get sent to REJECT by the rule above it. Are you sure the pings are still working? The client doing the pinging should actually be getting "Destination Port Unreachable" messages with this config. In any case, executing this command ON THE COMMAND LINE will send to DROP any echo requests:Forget about the interface for now, there's no need to specify it unless you have some interface(s) which you actually do want to allow pinging on. Remember to do this on the command line (and not in your config) so that you can see the effects right away.

Saving won't activate your config. To activate a config you need to use iptables-restore, not iptables-save. But you should IMHO refrain from using either of those until you've got everything set up on the command line.

I found out what is wrong... turns out kernel 2.6.22 has some extra configurations needed for iptables to work correctly... I did not have them set. I'm going to rebuild the kernel and see if that helps.

OK... everything is now working with xtables support built in to the kernel. thanks for the help!

Needed help urgently
 

hi,
I am trying to develop a content filter.For sniffing the packets i'm using the libipq library.Here while blocking filetypes(suppose image file) i'm using "NF_DROP"...which is causing a problem since once the packet is dropped,the status is in dropped state only.....so i thought of rejecting packets instead of dropping.But i couldn't understand how to reject the packets.Please help me.

Thanx in advance............

Posting a new question at the end of someone else's thread won't get you much help at all. Try posting a new thread, and be sure to use a more descriptive title than "Needed help urgently." That's frowned upon here.