Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Although you can reject ping, it's better to just DROP them, since rejecting ping will make your system busy. OTOH, deactivating ICMP in the system can make it difficult for us to diagnose network connectivity.
Code:
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
HTH.
Last edited by rossonieri#1; 11-01-2007 at 01:26 AM.
Well I added and saved the rule but I'm still pingable for some reason. Tell me if anything looks wrong here:
tylerm@gentoo_sulaco ~ $ cat /etc/iptables.bak
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
I pinged from my Mac OS X box that is on the same network. I'm really hoping to discourage pinging from that network on out... The node has wireless access also that sometimes friends attach to.
So the Mac is 192.168.0.100, the Linux in question is .103 so I'm guessing you would be suggesting:
No, there is no need to put the ".", my mistake there, sorry.
BTW, what distro?
If you can't DROP it, then there must be a wrong interface or something wrong with the iptables module:
let's do an ifconfig -a and change it accordingly.
Or perhaps you created an iptables script that did not get executed when booting.
Quote:
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# drop ping requests
iptables -A INPUT -p icmp --icmp-type 8 -j DROP.
As has been said, if this is an iptables configuration file which you are dealing with, you don't need to specify the iptables command, nor use a period at the end. That said, the ping wouldn't even reach your "drop ping requests" rule here because it would get sent to REJECT by the rule above it. Are you sure the pings are still working? The client doing the pinging should actually be getting "Destination Port Unreachable" messages with this config. In any case, executing this command ON THE COMMAND LINE will send to DROP any echo requests:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 -j DROP
Forget about the interface for now, there's no need to specify it unless you have some interface(s) which you actually do want to allow pinging on. Remember to do this on the command line (and not in your config) so that you can see the effects right away.
Quote:
Well I added and saved the rule but
Saving won't activate your config. To activate a config you need to use iptables-restore, not iptables-save. But you should IMHO refrain from using either of those until you've got everything set up on the command line.
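The ordering point made above can be checked without touching a live firewall. The following is an added example, not code from this thread: a small first-match simulator for the INPUT chain that parses the subset of iptables-save syntax used in the posted config (the invalid "iptables ... DROP." line is left out, since iptables-restore would reject it) and shows that an echo request hits the catch-all REJECT before the DROP rule, while inserting the DROP rule with -I puts it first. The packet dicts are constructed sample input.

```python
"""First-match simulator for the iptables INPUT chain discussed in the thread."""

# Constructed sample: the poster's chain in iptables-save format, top to bottom.
ORIGINAL_RULES = """
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp --icmp-type 8 -j DROP
""".strip().splitlines()

def parse_rule(line):
    """Parse the matchers used in the thread; -I means insert at the top of the chain."""
    toks = line.split()
    rule = {"insert": toks[0] == "-I", "target": None, "proto": None,
            "src": None, "dport": None, "icmp_type": None, "states": None}
    two_arg = {"-s": "src", "-p": "proto", "--dport": "dport",
               "--icmp-type": "icmp_type", "--state": "states", "-j": "target"}
    i = 0
    while i < len(toks):
        key = two_arg.get(toks[i])
        if key == "proto":
            rule[key] = toks[i + 1].lower()        # "ICMP" and "icmp" are equivalent
        elif key in ("dport", "icmp_type"):
            rule[key] = int(toks[i + 1])
        elif key == "states":
            rule[key] = set(toks[i + 1].split(","))
        elif key:
            rule[key] = toks[i + 1]
        i += 2 if key else 1                       # -m state, -m tcp, --reject-with: skip
    return rule

def matches(rule, pkt):
    """True if every matcher present on the rule agrees with the packet."""
    return all(rule[k] is None or rule[k] == pkt.get(k)
               for k in ("src", "proto", "dport", "icmp_type")) and \
           (rule["states"] is None or pkt["state"] in rule["states"])

def build_chain(lines):
    chain = []
    for line in lines:
        rule = parse_rule(line)
        if rule["insert"]:
            chain.insert(0, rule)                  # -I INPUT with no position means rule 1
        else:
            chain.append(rule)
    return chain

def verdict(chain, pkt, policy="ACCEPT"):
    """Netfilter semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed sample: a fresh echo request from the Mac on the same LAN.
PING = {"proto": "icmp", "src": "192.168.0.100", "icmp_type": 8, "state": "NEW"}
```

With ORIGINAL_RULES the ping verdict is REJECT (the client sees port unreachable), and appending the command line from the reply, "-I INPUT -p ICMP --icmp-type 8 -j DROP", changes it to DROP.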
I found out what is wrong... turns out kernel 2.6.22 has some extra configurations needed for iptables to work correctly... I did not have them set. I'm going to rebuild the kernel and see if that helps.
Hi,
I am trying to develop a content filter. For sniffing the packets I'm using the libipq library. Here, while blocking file types (suppose image files) I'm using "NF_DROP", which is causing a problem since once the packet is dropped, the status stays in the dropped state only. So I thought of rejecting packets instead of dropping. But I couldn't understand how to reject the packets. Please help me.
Posting a new question at the end of someone else's thread won't get you much help at all. Try posting a new thread, and be sure to use a more descriptive title than "Needed help urgently." That's frowned upon here.