Allow/deny PING on Linux server – iptables rules for icmp

Managing PING through iptables

PING – Packet InterNet Gopher, is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the total round-trip time for messages sent from the originating host to a destination computer and back.

Blocking PING on server is helpful sometimes, if the server is continue to face any type of DDoS attack by using the PING feature. By using iptables we can simply stop the PING option to and from your server. Before starting this, you must have an idea about What is iptables in Linux? We can call it is the basics of Firewall in Linux. Iptables is a rule based firewall system and is normally pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By-default the iptables is running without any rules, we can create, add, edit rules to it. You will get more details from the abouve link. In this article I am going to explain how we can alow/block PING in and out to a server. This would be more useful as you are Linux server admin.

We can manage it by the help of ‘iptables’. The ‘ping’ is using ICMP to communicate. We can simply manage the ‘icmp : Internet Controlled Message Protocol’ from iptables.


Required iptables command switches

The below pasted switches are required for creating a rule for managing icmp.

-A : Add a rule
-D : Delete rule from table
-p : To specify protocol (here 'icmp')
--icmp-type : For specifying type
-J : Jump to target

Normally using icmp types and its Codes Click here for ICMP Types and Codes

echo-request   :  8
echo-reply     :  0

Here I am explaining some examples.

How to block PING to your server with an error message?

In this way you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT


[[email protected] ~]# ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Port Unreachable
From icmp_seq=2 Destination Port Unreachable
From icmp_seq=3 Destination Port Unreachable

To block without any messages use DROP as Jump to target.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Outside to Inside

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

How to block PING from your server?

In this way you can block PING option from your server to outside. Add these rules to your iptables to do the same.
Block PING operation with message ‘Operation not permitted’

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP


[email protected] [~]# ping
PING ( 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

To block with out any error messages

For this, DROP the echo-reply to the INPUT chain of your iptables.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Inside to Outside

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

You can use the icmp code instead of icmp-type name for adding rule to iptables.
That’s it. Try this and let me know your feedback.

Related Posts

1. What is iptables in Linux ?
2. How to save/backup existing iptables rules to a file

Arunlal Ashok

Linux Server Administrator. I'm dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check My Profile!! in uPwork (oDesk) and let me know if you need any assistance. Thanks!!

You may also like...

12 Responses

  1. noor sari says:

    Thank you so very much for showing how to block pings using iptables. Would you be able to block pings using firewalld using the rich rules?


  2. Muhammad abubakr quddusi says:

    Hi, I have an HP server with Centos. I used to login as root from outside. Yesterday for testing purposes I enabled the Selinux enforcing and reboot the server for relabeling. After that I am unable to ssh to the server. Cannot login locally as root even though Root login is permitted in sshd_config. I have disabled the Selinux now completely from sysconfig/selinux and rebooted the server and did the relabeling again using fixfiles command also. still, locally i cannot login from root as it gives me error “root logins are not allowed”(root login is permitted in sshdconf). I restarted the sshd service also but still it is not possible to login locally from root. remote login from ssh is also not possible. When I do ssh it gives me output of “connection timeout” and when i do ping it gives me “no answer from server”. The ILO is working fine.

  3. tamamesgarcia says:

    ¡Very useful post!

    You can also block ICMP IPv6 reply traffic using:

    iptables -A INPUT -p icmpv6 –icmp-type echo-request -j DROP

  4. Managed Services Dallas says:

    Great stuff from you, man. I’ve read your stuff, and you’re just too dangerous. I love what youve got here, love what you say, and you say it. You make it entertaining and you still manage to keep it smart.

  5. shuaiXue says:

    How can I implement following requirement?
    Use iptables commands in the INPUT chain in Machine A to only accept a limited number of ICMP ping echo request packets from Machine B(assume IP address is, so that when we issue the command “ping -c 60 ” in Machine B, only the following ping requests are successful:
    icmp_seq = 1-7, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49, 53, 57
    Meanwhile, Machine A can receive all kinds of packets from other machine without any limitation.

  6. Phirom Samat says:

    Hi crybit,
    We can use tip application for monitor status iptables ?
    if we have many server iptables running, and have someone stop or start service iptables. How to know issue?

  7. aditia says:


    how to save ip table that we create. so, when i restart the server ip table still there.

    thank you,

Leave a Reply

Your email address will not be published. Required fields are marked *