LinuxQuestions.org


qwertyjjj 08-07-2009 03:38 PM

ping returns weird ip
 
When I ping my server I get response timed out even though my proxy seems to be working.
When I ping it with a port number, e.g. ping xxx.xxx.xxx.xxx:8080, it returns this: reply from 67.215.65.132, which is not my IP.
Any ideas?

unSpawn 08-07-2009 04:16 PM

Ping does not honour port numbers the way you think it should. Besides in some situations ICMP might be shielded so if you want to hit something with a destination port over TCP try hping, tcptraceroute, lft, that kind of tools. 67.215.65.132 resolves to "hit-nxdomain.opendns.com" and is the OpenDNS way to tell you that it can't resolve the IP address you try to hit. If you find this way of breaking the DNS protocol is unacceptable then I would agree. It's one of the reasons I don't use or promote OpenDNS.

qwertyjjj 08-07-2009 04:17 PM

Quote:

Originally Posted by unSpawn (Post 3635154)
Ping does not honour port numbers the way you think it should. Besides in some situations ICMP might be shielded so if you want to hit something with a destination port over TCP try hping, tcptraceroute, lft, that kind of tools. 67.215.65.132 resolves to "hit-nxdomain.opendns.com" and is the OpenDNS way to tell you that it can't resolve the IP address you try to hit. If you find this way of breaking the DNS protocol is unacceptable then I would agree. It's one of the reasons I don't use or promote OpenDNS.

Ok.
Now...should my ICMP port be open?

unSpawn 08-08-2009 06:07 AM

[routable IP addresses]
If the machine you want to ping uses an IP address from one of the bogon ranges then traffic to and from that IP address is meant to be for local purposes [skip discussing NAT]. IANA designated LAN ranges (see http://www.cymru.com/Documents/bogon-bn-nonagg.txt) for that. IP addresses in those ranges are called "unroutable" because no routing-capable source on the Internet will or can route traffic for those [skip discussing DNS 127.0.0.0/8 hostname entries].

[resolving unroutables]
If you want to ping a machine by name the OS needs to resolve that hostname to an IP address. If the application has no built-in resolver then it will query configured DNS servers according to "hosts" configuration in /etc/nsswitch.conf. Usually this means trying DNS first, then fall back to the local "database" (/etc/hosts). Because "unroutables" can't be resolved externally you require either your local DNS (Pdns, dnsmasq) or /etc/hosts to serve up the name-to-IP mapping or use the IP address instead of the hostname.

[ping vs tcptraceroute]
In the days when 200 ton dinosaurs admins roamed the Earth, a few cavemen from the DARPA tribe devised a way of connecting tin cans with string and talk to each other. Where tin cans are miles apart this led to using the IP suite of protocols. ICMP is part of the IP family and used for error correction. Ping uses the ICMP protocol to see if a tin can can be talked to (notice the "ping"-like sound a tin can makes when you tap it with a metal object). Ping sends one or more ICMP packets of Type 8 (echo request) to the host and listens for the response [skip discussing firewalking]. If the response is ICMP packets of Type 0 (echo response) then that marks the host as reachable. Unfortunately ping was abused by some (notice the "smurf"-like sound a tin can makes once when you hit it hard with a mallet) and was treated as the black sheep of the family ever since the Dark Ages. In the Age of Enlightenment the hippies Mel and Steve from the "Gibson Research Corporation" band advocated muffling your tin can with gobs of virtual PUR. Like all dealers they obviously used too much of their own product but ever since the leet technique was to be known as "stealth". Religious followers of this "stealth" claim it can cure all sorts of ailment and hope it one day will bring World Peace. (As with all misguided souls these zealots forget that ICMP was supposed to be let through and therefore suffer from missing out on the benefits of the error correction the rest of the 'net enjoys.)

Because ping (and traceroute) only tell you if a machine is reachable and nothing else, Cyberdyne Systems will invent Some Other Spaced Out Tools like tcptraceroute, LFT, Pakketto Keiretsu around 2018 AD local that can help them decide if a port is reachable over TCP (why? Just because they can). Because most people don't really hate Hollywood (or the endless stream of failing remakes and lame sequels it stands for) these tools were imported in this parallel universe by Neo a few years ago (all hail Neo) so unless you're more into downing particularly bad batches of pills you too are expected to use tcptraceroute instead of ping.

chandramani_yadav 08-09-2009 04:55 AM

I believe that it is a simple case of MAC address conflict. There is a server which has the same MAC address as your ping server. Check your network configuration and logs.

qwertyjjj 08-09-2009 05:27 AM

Is there any danger in leaving an ICMP port open or can it not be hacked through?

unSpawn 08-09-2009 09:19 AM

Quote:

Originally Posted by qwertyjjj (Post 3636485)
Is there any danger in leaving an icmp port open

Depending on your situation and network use some can be left open and others shouldn't be. A start could be to block ICMP fragments, allow (and rate-limit) Type 8 Code 0 (Ping), Type 0 Code 0 (Pong), Type 3 Code 4 (Path MTU), Type 11 Code 0 (traceroute) and log (analysis) and block all other ICMP Types (common ones roughly are below 40).

qwertyjjj 08-09-2009 10:03 AM

Quote:

Originally Posted by unSpawn (Post 3636627)
Depending on your situation and network use some can be left open and others shouldn't be. A start could be to block ICMP fragments, allow (and rate-limit) Type 8 Code 0 (Ping), Type 0 Code 0 (Pong), Type 3 Code 4 (Path MTU), Type 11 Code 0 (traceroute) and log (analysis) and block all other ICMP Types (common ones roughly are below 40).

Do I just add a type to this?
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

is it:
-A INPUT --type 8 -p icmp --icmp-type echo-request -j ACCEPT

unSpawn 08-11-2009 07:51 AM

'/sbin/iptables -p icmp --help' reads: "ICMP v1.3.5 options: --icmp-type [!] typename match icmp type (or numeric type or type/code)", so it'll either be "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT" or "-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT". Don't forget to precede it with a line excluding your management IP (range) from filtering, rate-limit what you allow and deny, add a "-A INPUT -p icmp --fragment -j DROP" and if you did not explicitly deny other types then end with a "-A INPUT -p icmp --icmp-type any -j REJECT". While using "-j REJECT" will signal remote hosts that filtering is used it beats having to deal with seemingly unrelated problems arising from just blackholing responses.
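The rule order described in the post above, written out as an added example (not part of the original thread or any poster's own configuration). It prints rule-file lines in the same "-A INPUT ..." form used in the thread; the management range 192.0.2.0/24, the rate and burst values and the log prefix are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: emit an ICMP rule set in the order the thread describes.
# usage: emit_icmp_rules MGMT_CIDR [RATE] [BURST]
emit_icmp_rules() {
    mgmt=$1
    rate=${2:-5/second}     # assumed default rate for allowed types
    burst=${3:-10}          # assumed default burst
    # Accept only digits, dots and a slash so nothing else can be
    # smuggled into the generated rule text.
    case $mgmt in
        ''|*[!0-9./]*) echo "bad management range: $mgmt" >&2; return 1 ;;
    esac
    case $burst in
        ''|*[!0-9]*) echo "bad burst: $burst" >&2; return 1 ;;
    esac

    # 1. Management range is excluded from ICMP filtering.
    printf '%s\n' "-A INPUT -p icmp -s $mgmt -j ACCEPT"
    # 2. Drop ICMP fragments (matches second and later fragments).
    printf '%s\n' "-A INPUT -p icmp --fragment -j DROP"
    # 3. Allow, rate-limited: echo request (8/0), echo reply (0/0),
    #    fragmentation needed / Path MTU (3/4), TTL exceeded (11/0).
    for t in 8/0 0/0 3/4 11/0; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $t -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    done
    # 4. Log what is left (also rate-limited so the log cannot be flooded),
    #    then reject it. Packets over the limits in step 3 end up here too.
    printf '%s\n' "-A INPUT -p icmp -m limit --limit 6/minute -j LOG --log-prefix \"ICMP-DENY: \""
    printf '%s\n' "-A INPUT -p icmp --icmp-type any -j REJECT"
}

# Placeholder management range from the documentation block 192.0.2.0/24.
emit_icmp_rules 192.0.2.0/24
```

Review the printed lines before merging them into the filter table section of your rules file, above any broader INPUT rules that would match ICMP first.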


All times are GMT -5.