Old 10-31-2007, 10:59 PM   #1
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 616

Rep: Reputation: 32
Question IPTABLES question - how do you reject icmp?


I would like to add to my iptables rules to reject any incoming ping requests.

What do I add to my rules to incorporate that?
 
Old 11-01-2007, 01:04 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Considering a "ping" is an echo request ICMP message, it would go like:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 -j REJECT
 
Old 11-01-2007, 01:24 AM   #3
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi,

although you can reject ping - but it's better to just DROP them - since rejecting ping will make your system busy. OTH - deactivating icmp in the system can make it difficult for us to diagnose network connectivity.

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

HTH.

Last edited by rossonieri#1; 11-01-2007 at 01:26 AM.
 
Old 11-01-2007, 01:45 AM   #4
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 616

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by rossonieri#1
hi,

although you can reject ping - but it's better to just DROP them - since rejecting ping will make your system busy. OTH - deactivating icmp in the system can make it difficult for us to diagnose network connectivity.

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

HTH.
Well I added and saved the rule but I'm still pingable for some reason. Tell me if anything looks wrong here:

tylerm@gentoo_sulaco ~ $ cat /etc/iptables.bak
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

COMMIT
# Completed on Tue May 10 08:06:58 2005
 
Old 11-01-2007, 02:02 AM   #5
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi,

from which machine did you ping?
from your script you allow all from localhost - that could be the problem.

just as an addition when creating a rule: it is better to include which interface a rule should apply to.

i.e. assuming you have pc01 with only 1 NIC (eth0) and don't want your friend's pc02 to ping you:

iptables -I INPUT -i eth0 -s <pc02> -p icmp --icmp-type 8 -j DROP.

HTH.
 
Old 11-01-2007, 02:41 AM   #6
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 616

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by rossonieri#1
hi,

from which machine did you ping?
from your script you allow all from localhost - that could be the problem.

just as an addition when creating a rule: it is better to include which interface a rule should apply to.

i.e. assuming you have pc01 with only 1 NIC (eth0) and don't want your friend's pc02 to ping you:

iptables -I INPUT -i eth0 -s <pc02> -p icmp --icmp-type 8 -j DROP.

HTH.

I pinged from my Mac OS X box that is on the same network. I'm really hoping to discourage pinging from that network on out... The node has wireless access also that sometimes friends attach to.

So the Mac is 192.168.0.100, the Linux in question is .103 so I'm guessing you would be suggesting:


iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP

That is not working either though... also, is there supposed to be a . at the end of:

iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP.

???

Last edited by Thaidog; 11-01-2007 at 02:48 AM.
 
Old 11-01-2007, 06:49 AM   #7
miedward
Member
 
Registered: Feb 2007
Distribution: RHEL 4, SOLARIS 10
Posts: 91

Rep: Reputation: 15
Oh, you are using the iptables-save format so you don't need the "iptables" command.

Replace the line

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

With

-A INPUT -p icmp --icmp-type 8 -j DROP

I am guessing that iptables-restore threw an error and did not update the ruleset (the error message it gives is fairly ... quiet).
 
Old 11-01-2007, 10:47 AM   #8
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Quote:
That is not working either though... also, is there supposed to be a . at the end of:

iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP.
no there is no need to put the ".", my mistake there - sorry.

BTW - what distro?
if you can't DROP it, then there must be a wrong interface or something wrong with the iptables module:
let's do an ifconfig -a and change it accordingly.

or perhaps you create an iptables script that did not get executed when booting.

HTH.
 
Old 11-01-2007, 11:35 AM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
As has been said, if this is an iptables configuration file which you are dealing with, you don't need to specify the iptables command, nor use a period at the end. That said, the ping wouldn't even reach your "drop ping requests" rule here because it would get sent to REJECT by the rule above it. Are you sure the pings are still working? The client doing the pinging should actually be getting "Destination Port Unreachable" messages with this config. In any case, executing this command ON THE COMMAND LINE will send to DROP any echo requests:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 -j DROP
Forget about the interface for now, there's no need to specify it unless you have some interface(s) which you actually do want to allow pinging on. Remember to do this on the command line (and not in your config) so that you can see the effects right away.

Quote:
Well I added and saved the rule but
Saving won't activate your config. To activate a config you need to use iptables-restore, not iptables-save. But you should IMHO refrain from using either of those until you've got everything set up on the command line.
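An added example, not from the thread, of the first-match point win32sux makes: a toy Python evaluator run over a constructed copy of Thaidog's INPUT rules, assuming a packet is just a dict of the fields those rules test and that "-I" with no index inserts at the top of the chain. It also flags the two things iptables-restore would reject in that file (the leading "iptables" word and the trailing period miedward pointed out).

```python
import shlex

# Constructed copy of the thread's INPUT rules, including the broken last line.
THREAD_RULES = """
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
"""

# Rule options modelled by this toy (the ones the thread uses); "-m state",
# "-m tcp" and "--reject-with" carry no match state here and are skipped.
OPTS = {"-s": ("src", str), "-p": ("proto", str.lower),
        "--icmp-type": ("icmp_type", int), "--dport": ("dport", int),
        "--state": ("state", lambda v: set(v.split(","))), "-j": ("target", str)}

def lint(text):
    """Lines iptables-restore would choke on: a leading 'iptables' word or a
    trailing period, the two mistakes pointed out in the thread."""
    return [l for l in text.strip().splitlines()
            if l.startswith("iptables ") or l.rstrip().endswith(".")]

def parse(text):
    """Build the INPUT chain: -A appends, -I (no index) inserts at the top."""
    chain = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks[:2] not in (["-A", "INPUT"], ["-I", "INPUT"]):
            continue  # e.g. the broken "iptables ..." line; see lint()
        rule = {}
        for flag, val in zip(toks, toks[1:]):  # each token with its successor
            if flag in OPTS:
                key, conv = OPTS[flag]
                rule[key] = conv(val)
        chain.insert(0, rule) if toks[0] == "-I" else chain.append(rule)
    return chain

def matches(rule, pkt):
    """Every option present in the rule must match the packet."""
    return all(pkt.get("state") in v if k == "state" else pkt.get(k) == v
               for k, v in rule.items() if k != "target")

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    return next((r["target"] for r in chain if matches(r, pkt)), policy)

# Constructed echo request from the Mac in the thread, and the corrected rule.
PING = {"src": "192.168.0.100", "proto": "icmp", "icmp_type": 8, "state": "NEW"}
DROP_PING = "-A INPUT -p icmp --icmp-type 8 -j DROP"
```

Appending DROP_PING after the REJECT rule still yields REJECT for PING; only the "-I" form (inserted ahead of REJECT) yields DROP.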
 
Old 11-01-2007, 05:50 PM   #10
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 616

Original Poster
Rep: Reputation: 32
I found out what is wrong... turns out kernel 2.6.22 has some extra configurations needed for iptables to work correctly... I did not have them set. I'm going to rebuild the kernel and see if that helps.
 
Old 11-01-2007, 08:57 PM   #11
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 616

Original Poster
Rep: Reputation: 32
OK... everything is now working with xtables support built into the kernel. thanks for the help!
 
Old 12-06-2007, 02:30 AM   #12
bharat.bvrit
LQ Newbie
 
Registered: Dec 2007
Posts: 4

Rep: Reputation: 0
Needed help urgently

hi,
I am trying to develop a content filter. For sniffing the packets I'm using the libipq library. Here, while blocking file types (suppose an image file), I'm using "NF_DROP"... which is causing a problem since once the packet is dropped, the status is in the dropped state only... so I thought of rejecting packets instead of dropping. But I couldn't understand how to reject the packets. Please help me.

Thanks in advance...
 
Old 12-06-2007, 11:16 AM   #13
Madone_SL_5.5
Member
 
Registered: Oct 2006
Location: Ogden, Utah
Distribution: Fedora 10
Posts: 66

Rep: Reputation: 15
Posting a new question at the end of someone else's thread won't get you much help at all. Try posting a new thread, and be sure to use a more descriptive title than "Needed help urgently." That's frowned upon here.
 