Denying Pings

oostevo · 08-10-2002, 04:05 PM

Hi there.
I just installed Linux on my laptop, and I am quite satisfied with how secure I managed to get it, except for one thing:
The laptop can still accept pings. I would really like to be able to keep someone from pinging the computer.
Does anyone have any idea how to do this?

Thanks in advance,
oostevo

unSpawn · 08-10-2002, 04:18 PM

I'm in recycle mode, so check our forum:
here,
here,
and here. If it's iptables you want check out the guruz site mentioned in one of the posts. Even if the syntax differs, the basics remain the same tho.

neo77777 · 08-10-2002, 04:21 PM

This command will block all echo-requests
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

ICMP Broadcasting protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Hope this helps

JamesF1 · 08-10-2002, 04:24 PM

Set up iptables (or whatever firewall) to deny icmp packets. from the outside.
eg. iptables -A INPUT -p icmp DROP .....(or reject)

Mind you pings aren't such a big deal most of the time unless you're going to receive a lot this type of traffic.

oostevo · 08-10-2002, 07:50 PM

Well, I realise that in most cases it is unnecessary to deny ICMP echos, but I am going to be wargaming with my friends using the laptop, and I don't want them to do something stupid like ping flood me.

Thanks for the information - it worked great(ly).

neo77777 · 08-10-2002, 08:28 PM

This will log ICMP flooding

$IPTABLES -A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "ICMP flood: "

loging SYN flooding

$IPTABLES -A INPUT -i $EXT_IF -p tcp --syn -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "SYN flood (Nmap SYN Scan?): "

where $LOGLEVEL=info
$IPTABLES=/sbin/iptables (in my case)
$EXT_IF=external_intrface (in my case ppp0)

For the above to work you need CONFIG_IP_NF_MATCH_LIMIT compiled as module in your kernel

tied2 · 08-13-2002, 09:50 PM

Make life easy, just use Firestarter and under advanced setup theres a option for icmp pings plus you can still ping out.

__________________________________
don't make me go back