Blocking ICMP Echo Requests (Pings) to your Linux Firewall with iptables

karma

It is generally considered poor form, and a violation of some arcane RFC, for a host to ignore ICMP echo requests (the common "ping"), and turning them off does not afford you any additional "security" per se. That said, there are a number of very good reasons you might want to ignore pings in the wild. Because accurately port scanning a host takes time, bulk scanning operations generally ping a host first to decide whether it is worth the time and resources needed to scan the address. If your host is configured to drop pings, you instantly take yourself off the radar of such robots, sparing your resources for, say, combating directed attacks rather than the automated attacks that follow such scans.

If you're dealing with a single host it isn't necessary to specify the IP or interface, but on a firewall you probably want to be able to ping its internal interface from the internal network. We're going to assume that eth0 is the external interface:

# iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP

To match on a source IP or subnet instead, use the -s flag in place of -i. The --icmp-type 8 flag restricts the rule to ICMP echo requests; we want to leave type 0 (echo reply) alone so that the firewall, and the hosts behind it, can still ping hosts beyond the router/firewall and receive the responses.

You may have existing rules that accept pings; you must delete these. For example:

# iptables-save | grep icmp
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP

You can see our rule at the bottom. The third rule from the top conflicts with it: iptables evaluates rules in order, so the earlier ACCEPT for type 8 matches first and our DROP is never reached. Let's remove it:

# iptables -D INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

As you can see, it's as simple as switching the append (-A) flag to delete (-D), and now our rule works. To automate this, add these lines to your firewall startup script or your "local" init script where available.

To save these rules on Gentoo, make sure the iptables init script is in the default runlevel and run:

# /etc/init.d/iptables save

provided there is no conflicting firewall script that adds an ACCEPT rule for ICMP echo requests. Otherwise you may wish to use /etc/conf.d/local.start.

ClearOS users should add something like this to /etc/rc.d/rc.firewall.local:

/sbin/iptables -D INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
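The startup-script approach above breaks if more than one ACCEPT rule for echo requests exists, or if the script is run twice and stacks duplicate DROP rules. As an added example (not from the post), here is a POSIX shell script that finds every conflicting ACCEPT in saved rules and emits the matching -D commands before the DROP, and applies them to the live firewall idempotently using iptables -C (rule check). It assumes eth0 is the external interface; the iptables-save output is a constructed sample mirroring the listing above.

```shell
#!/bin/sh
# Added example: plan and apply "drop inbound pings on the external interface"
# without shadowing or duplicate rules. Assumed external interface: eth0.

EXT_IF="${EXT_IF:-eth0}"

# Constructed sample of `iptables-save` output (not from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT'

# Print an `iptables -D` command for every INPUT rule that ACCEPTs echo
# requests (type 8 / echo-request) on the external interface. Any such rule
# placed before a later DROP would match first and let the ping through.
conflicting_accepts() {
    printf '%s\n' "$1" |
        grep -E "^-A INPUT .*-i $EXT_IF .*--icmp-type (8|echo-request) .*-j ACCEPT$" |
        sed 's/^-A /iptables -D /'
}

# Full plan: deletions of conflicting ACCEPTs first, then the DROP.
plan() {
    conflicting_accepts "$1"
    printf 'iptables -A INPUT -i %s -p icmp -m icmp --icmp-type 8 -j DROP\n' "$EXT_IF"
}

# Apply against the running firewall. `iptables -C` exits 0 only if the rule
# already exists, so repeated runs neither stack DROPs nor fail on a missing
# ACCEPT. Requires root; only invoked with --apply.
apply_live() {
    while iptables -C INPUT -i "$EXT_IF" -p icmp -m icmp --icmp-type 8 -j ACCEPT 2>/dev/null; do
        iptables -D INPUT -i "$EXT_IF" -p icmp -m icmp --icmp-type 8 -j ACCEPT
    done
    iptables -C INPUT -i "$EXT_IF" -p icmp -m icmp --icmp-type 8 -j DROP 2>/dev/null ||
        iptables -A INPUT -i "$EXT_IF" -p icmp -m icmp --icmp-type 8 -j DROP
}

# Dry run against the sample; pass --apply to change the live ruleset
# (feed real rules with: plan "$(iptables-save)").
plan "$SAMPLE_RULES"
if [ "${1:-}" = "--apply" ]; then
    apply_live
fi
```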
