LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   IPTABLES question - how do you reject icmp? (https://www.linuxquestions.org/questions/linux-networking-3/iptables-question-how-do-you-reject-icmp-596207/)

Thaidog 10-31-2007 10:59 PM

IPTABLES question - how do you reject icmp?
 
I would like to add to my iptables rules to reject any incoming ping requests.

What do I add to my rules to incorporate that?

win32sux 11-01-2007 01:04 AM

Considering a "ping" is an echo request ICMP message, it would go like:
Code:

iptables -I INPUT -p ICMP --icmp-type 8 -j REJECT

rossonieri#1 11-01-2007 01:24 AM

hi,

Although you can reject ping, it's better to just DROP them, since rejecting ping will make your system busy. OTOH, deactivating ICMP in the system can make it difficult for us to diagnose network connectivity.

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

HTH.

Thaidog 11-01-2007 01:45 AM

Quote:

Originally Posted by rossonieri#1 (Post 2944125)
hi,

Although you can reject ping, it's better to just DROP them, since rejecting ping will make your system busy. OTOH, deactivating ICMP in the system can make it difficult for us to diagnose network connectivity.

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

HTH.

Well I added and saved the rule but I'm still pingable for some reason. Tell me if anything looks wrong here:

tylerm@gentoo_sulaco ~ $ cat /etc/iptables.bak
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

COMMIT
# Completed on Tue May 10 08:06:58 2005

rossonieri#1 11-01-2007 02:02 AM

hi,

From which machine did you ping?
From your script you allow all from localhost - that could be the problem.

Just as an addition when creating a rule: it's better to include which interface a rule should apply to.

i.e. assuming your pc01 has only 1 NIC, eth0, and you don't want your friend's pc02 to ping you:

iptables -I INPUT -i eth0 -s <pc02> -p icmp --icmp-type 8 -j DROP.

HTH.

Thaidog 11-01-2007 02:41 AM

Quote:

Originally Posted by rossonieri#1 (Post 2944150)
hi,

From which machine did you ping?
From your script you allow all from localhost - that could be the problem.

Just as an addition when creating a rule: it's better to include which interface a rule should apply to.

i.e. assuming your pc01 has only 1 NIC, eth0, and you don't want your friend's pc02 to ping you:

iptables -I INPUT -i eth0 -s <pc02> -p icmp --icmp-type 8 -j DROP.

HTH.


I pinged from my Mac OS X box that is on the same network. I'm really hoping to discourage pinging from that network on out... The node has wireless access also that sometimes friends attach to.

So the Mac is 192.168.0.100, the Linux in question is .103 so I'm guessing you would be suggesting:


iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP

That is not working either though... also, is there supposed to be a . at the end of:

iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP.

???

miedward 11-01-2007 06:49 AM

Oh, you are using the iptables-save format so you don't need the "iptables" command.

Replace the line

iptables -A INPUT -p icmp --icmp-type 8 -j DROP.

With

-A INPUT -p icmp --icmp-type 8 -j DROP

I am guessing that iptables-restore threw an error and did not update the ruleset (the error message it gives is fairly ... quiet).

rossonieri#1 11-01-2007 10:47 AM

Quote:

That is not working either though... also, is there supposed to be a . at the end of:

iptables -I INPUT -i eth0 -s 192.168.0.100 -p icmp --icmp-type 8 -j DROP.
No, there is no need to put the ".", my mistake there - sorry.

BTW - what distro?
If you can't DROP it, then there must be a wrong interface or something wrong with the iptables module:
let's do an ifconfig -a and change it accordingly.

Or perhaps you created an iptables script that did not get executed when booting.

HTH.

win32sux 11-01-2007 11:35 AM

Quote:

# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
As has been said, if this is an iptables configuration file which you are dealing with, you don't need to specify the iptables command, nor use a period at the end. That said, the ping wouldn't even reach your "drop ping requests" rule here because it would get sent to REJECT by the rule above it. Are you sure the pings are still working? The client doing the pinging should actually be getting "Destination Port Unreachable" messages with this config. In any case, executing this command ON THE COMMAND LINE will send to DROP any echo requests:
Code:

iptables -I INPUT -p ICMP --icmp-type 8 -j DROP
Forget about the interface for now, there's no need to specify it unless you have some interface(s) which you actually do want to allow pinging on. Remember to do this on the command line (and not in your config) so that you can see the effects right away.

Quote:

Well I added and saved the rule but
Saving won't activate your config. To activate a config you need to use iptables-restore, not iptables-save. But you should IMHO refrain from using either of those until you've got everything set up on the command line.
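Both points in the reply above, that the catch-all REJECT sitting above the DROP means an echo request never reaches the DROP, and that a saved file is only applied by iptables-restore, which stops on a line it cannot parse, can be checked offline. What follows is an added example written for this page, not code from the thread or from the iptables project: a small Python first-match simulator for an INPUT chain written in iptables-save syntax. It models only the options used in the posted file (-s, -p, -m state --state, --dport, --icmp-type; -i and --reject-with are accepted and ignored), the rulesets are constructed copies of the posted one, and the conntrack state of each simulated packet is supplied by hand rather than tracked.

```python
"""First-match simulation of an iptables filter/INPUT chain (added example,
not from the thread).  Shows why iptables-restore refuses the posted file and
why a DROP appended below a catch-all REJECT never sees a ping."""
import shlex
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed copies of the thread's ruleset.  BAD_LINE is the line as
# posted: a shell command name plus a trailing period inside a save file.
HEADER = ("*filter\n:INPUT ACCEPT [5:952]\n:FORWARD ACCEPT [0:0]\n"
          ":OUTPUT ACCEPT [1192099:595387635]\n")
COMMON = [
    "-A INPUT -s 127.0.0.1 -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
]
REJECT_ALL = "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
DROP_PING = "-A INPUT -p icmp --icmp-type 8 -j DROP"
BAD_LINE = "iptables -A INPUT -p icmp --icmp-type 8 -j DROP."

def save_file(*rules: str) -> str:
    return HEADER + "\n".join(rules) + "\nCOMMIT\n"

POSTED_RULESET = save_file(*COMMON, REJECT_ALL, BAD_LINE)     # as posted
APPENDED_RULESET = save_file(*COMMON, REJECT_ALL, DROP_PING)  # syntax fixed, same order
FIXED_RULESET = save_file(*COMMON, DROP_PING, REJECT_ALL)     # DROP above the catch-all

ICMP_TYPES = {"echo-request": 8, "echo-reply": 0}

@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    src: Optional[IPv4Network] = None
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    states: set = field(default_factory=set)

@dataclass
class Packet:
    src: str
    proto: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    state: str = "NEW"  # conntrack state as '-m state' would see it (supplied by hand)

def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ... -j TARGET' line; unknown options are errors."""
    toks = shlex.split(line)
    rule = Rule(chain="", target="")
    for i in range(0, len(toks), 2):
        opt = toks[i]
        if i + 1 >= len(toks):
            raise ValueError(f"option {opt!r} needs a value: {line!r}")
        val = toks[i + 1]
        if opt == "-A":
            rule.chain = val
        elif opt == "-j":
            rule.target = val
        elif opt == "-s":
            rule.src = ip_network(val)
        elif opt == "-p":
            rule.proto = val.lower()
        elif opt == "--state":
            rule.states = set(val.split(","))
        elif opt == "--dport":
            rule.dport = int(val)
        elif opt == "--icmp-type":
            rule.icmp_type = int(val) if val.isdigit() else ICMP_TYPES[val]
        elif opt in ("-m", "-i", "--reject-with"):
            pass  # match module name, input interface, reject type: not modelled
        else:
            raise ValueError(f"unknown option {opt!r}: {line!r}")
    if not rule.chain or not rule.target:
        raise ValueError(f"rule needs -A and -j: {line!r}")
    return rule

def parse_ruleset(text: str):
    """Return (policies, rules).  Any line that is not iptables-save syntax
    raises ValueError, mirroring iptables-restore aborting before COMMIT."""
    policies, rules = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
        else:
            raise ValueError(f"line {n}: not iptables-save syntax: {line!r}")
    return policies, rules

def restore_would_load(text: str) -> bool:
    try:
        parse_ruleset(text)
        return True
    except ValueError:
        return False

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ip_address(pkt.src) in rule.src)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.states or pkt.state in rule.states))

def verdict(text: str, pkt: Packet, chain: str = "INPUT") -> str:
    """Target of the first matching rule in the chain, else the chain policy."""
    policies, rules = parse_ruleset(text)
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return policies.get(chain, "ACCEPT")

def ping_from(src: str) -> Packet:
    return Packet(src=src, proto="icmp", icmp_type=8)  # ICMP echo request

if __name__ == "__main__":
    print("posted file loads :", restore_would_load(POSTED_RULESET))              # False
    print("ping, DROP appended:", verdict(APPENDED_RULESET, ping_from("192.168.0.100")))  # REJECT
    print("ping, DROP inserted:", verdict(FIXED_RULESET, ping_from("192.168.0.100")))     # DROP
```

Run as a script it prints the three verdicts. On a real box the equivalent check is `iptables -L INPUT -n -v --line-numbers` while pinging from the other host: the per-rule packet counter that increments is the rule the echo request actually hit, which makes ordering mistakes obvious. Newer iptables-restore also has `--test`, which parses the file without committing it and so catches a malformed line before it silently leaves the old ruleset in place.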

Thaidog 11-01-2007 05:50 PM

I found out what is wrong... turns out kernel 2.6.22 has some extra configurations needed for iptables to work correctly... I did not have them set. I'm going to rebuild the kernel and see if that helps.

Thaidog 11-01-2007 08:57 PM

OK... everything is now working with xtables support built in to the kernel. thanks for the help!

bharat.bvrit 12-06-2007 02:30 AM

Needed help urgently
 
hi,
I am trying to develop a content filter. For sniffing the packets I'm using the libipq library. Here, while blocking file types (suppose an image file), I'm using "NF_DROP"... which is causing a problem since once the packet is dropped, the status is in the dropped state only..... so I thought of rejecting packets instead of dropping. But I couldn't understand how to reject the packets. Please help me.

Thanks in advance............

Madone_SL_5.5 12-06-2007 11:16 AM

Posting a new question at the end of someone else's thread won't get you much help at all. Try posting a new thread, and be sure to use a more descriptive title than "Needed help urgently." That's frowned upon here.

