IPTABLES question - how do you reject icmp?
I would like to add to my iptables rules to reject any incoming ping requests.
What do I add to my rules to incorporate that? |
Considering a "ping" is an echo request ICMP message, it would go like:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 -j REJECT |
hi,
Although you can reject ping, it's better to just DROP it, since rejecting ping will make your system busy. OTOH, deactivating ICMP on the system can make it difficult for us to diagnose network connectivity.
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
HTH. |
Quote:
tylerm@gentoo_sulaco ~ $ cat /etc/iptables.bak
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
COMMIT
# Completed on Tue May 10 08:06:58 2005 |
hi,
From which machine did you ping? From your script you allow all from localhost; that could be the problem. Just an addition on creating rules: it's better to include the interface a rule should apply to, i.e. assuming your pc01 has only one NIC, eth0, and you don't want your friend's pc02 to ping you:
iptables -I INPUT -i eth0 -s <pc02> -p icmp --icmp-type 8 -j DROP.
HTH. |
Quote:
I pinged from my Mac OS X box that is on the same network. I'm really hoping to discourage pinging from that network on out... The node also has wireless access that friends sometimes attach to. So the Mac is 192.168.0.100 and the Linux box in question is .103, so I'm guessing you would be suggesting:
iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP
That is not working either, though... Also, is there supposed to be a . at the end of:
iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP.
??? |
Oh, you are using the iptables-save format so you don't need the "iptables" command.
Replace the line
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
with
-A INPUT -p icmp --icmp-type 8 -j DROP
I am guessing that iptables-restore threw an error and did not update the ruleset (the error message it gives is fairly ... quiet). |
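An added example, not code from the thread or from any of its posters: a small linter for files in iptables-save format that catches the mistakes visible in the quoted /etc/iptables.bak. Besides the stray "iptables" word and the trailing period, note that in that file the ping DROP is appended after the unconditional "-A INPUT -j REJECT" rule; iptables walks a chain in order and REJECT ends traversal, so even with the syntax fixed that DROP rule would never match and the ping would be answered with port-unreachable. The function names (lint_iptables_save, broken_ruleset, fixed_ruleset) are made up for this example, the sample rulesets are embedded inline, and it needs only a POSIX sh and awk, not iptables or root.

```shell
#!/bin/sh
# Added example: lint an iptables-save file for three defects.
#   1. a rule line that starts with the word "iptables" (the file format
#      takes bare "-A CHAIN ..." lines, as iptables-save itself writes them)
#   2. a trailing "." on a rule line (not part of the syntax)
#   3. a rule appended after an unconditional REJECT/DROP/ACCEPT in the same
#      chain, which can never be reached
# Function names below are hypothetical; only POSIX sh and awk are required.

# lint_iptables_save: reads an iptables-save file on stdin, prints one
# finding per line, returns 1 if anything was found and 0 otherwise.
lint_iptables_save() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg; found = 1 }

    # Comments, table headers (*filter), chain policies (:INPUT ...),
    # COMMIT and blank lines are not rules.
    /^[#*:]/ || /^COMMIT/ || /^[ \t]*$/ { next }

    {
        line = $0
        # Defect 1: iptables-restore expects the bare "-A CHAIN ..." form.
        if ($1 == "iptables") {
            report("starts with \"iptables\"; iptables-restore expects a bare \"" $2 " ...\" line")
            sub(/^iptables[ \t]+/, "", line)
        }
        # Defect 2: a sentence-ending "." makes iptables-restore reject the file.
        if (line ~ /\.$/) {
            report("trailing \".\" makes iptables-restore reject the file")
            sub(/\.$/, "", line)
        }
        split(line, f)
        if (f[1] != "-A") next      # -I inserts at the head, so it stays reachable
        chain = f[2]
        # Defect 3: first match wins and REJECT/DROP/ACCEPT end traversal, so
        # anything appended after an unconditional one is dead.
        if (chain in terminal)
            report("unreachable: chain " chain " already has an unconditional " terminal[chain] " at line " tline[chain])
        # "-A CHAIN -j TARGET ..." with no match option before -j is unconditional.
        if (f[3] == "-j" && (f[4] == "DROP" || f[4] == "REJECT" || f[4] == "ACCEPT")) {
            terminal[chain] = f[4]
            tline[chain] = NR
        }
    }
    END { if (found) exit 1; exit 0 }
    '
}

# Constructed input: the ruleset quoted in the thread, verbatim.
broken_ruleset() {
    cat <<'EOF'
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
COMMIT
# Completed on Tue May 10 08:06:58 2005
EOF
}

# The same policy, corrected: bare -A lines, no trailing ".", the ping DROP
# placed before the catch-all REJECT, and the loopback rule keyed on the
# interface (-i lo) instead of a source address that can be spoofed.
fixed_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Demonstration: the quoted file yields three findings, the fixed one none.
broken_ruleset | lint_iptables_save || echo "broken ruleset: will not load or has dead rules"
fixed_ruleset | lint_iptables_save && echo "fixed ruleset: clean"
```

Run the fixed ruleset through "iptables-restore --test" on the target host before loading it; the linter only catches the file-format and ordering mistakes above, not typos in match options.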
Quote:
BTW, what distro? If you can't DROP it, then there must be a wrong interface or something wrong with the iptables module: let's do an ifconfig -a and change it accordingly. Or perhaps you created an iptables script that did not get executed when booting. HTH. |
Quote:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 -j DROP
|
I found out what is wrong... turns out kernel 2.6.22 has some extra configurations needed for iptables to work correctly... I did not have them set. I'm going to rebuild the kernel and see if that helps.
|
OK... everything is now working with xtables support built in to the kernel. thanks for the help!
|
Needed help urgently
hi,
I am trying to develop a content filter. For sniffing the packets I'm using the libipq library. Here, while blocking file types (suppose an image file), I'm using "NF_DROP"... which is causing a problem, since once the packet is dropped, its status stays in the dropped state only... so I thought of rejecting packets instead of dropping them. But I couldn't understand how to reject the packets. Please help me. Thanks in advance. |
Posting a new question at the end of someone else's thread won't get you much help at all. Try posting a new thread, and be sure to use a more descriptive title than "Needed help urgently." That's frowned upon here.
|