Allow/deny ping on Linux server – iptables rules for icmp

Managing PING through iptables

Allow/deny ping on Linux server. PING – Packet InterNet Gopher, is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the total round-trip time for messages sent from the originating host to a destination computer and back.

Blocking PING on server is helpful sometimes, if the server is continue to face any type of DDoS attack by using the PING feature. By using iptables we can simply stop the PING option to and from your server. Before starting this, you must have an idea about What is iptables in Linux?

We can call it is the basics of Firewall in Linux. Iptables is a rule based firewall system and is normally pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By-default the iptables is running without any rules, we can create, add, edit rules to it. You will get more details from the abouve link. In this article I am going to explain how we can alow/block PING in and out to a server. This would be more useful as you are Linux server admin.

We can manage it by the help of ‘iptables‘. The ‘ping‘ is using ICMP to communicate. We can simply manage the ‘icmp : Internet Controlled Message Protocol’ from iptables.

Okay let’s start, Allow/deny ping on Linux server rules.

Allow/deny ping on Linux server
Allow/deny ping on Linux server

Required iptables command switches

The below pasted switches are required for creating a rule for managing icmp.

-A : Add a rule
-D : Delete rule from table
-p : To specify protocol (here 'icmp')
--icmp-type : For specifying type
-J : Jump to target

Normally using icmp types and its Codes Click here for ICMP Types and Codes

echo-request   :  8
echo-reply     :  0

Here I am explaining some examples.

What is iptables in Linux?

What is iptables in Linux? We can call, it’s the basics of Firewall for Linux. Iptables is a rule based firewall system and it is normally pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By-default the iptables is running without any rules, we can create, add, edit rules into it.

In this article I am trying to explain the basics of iptables with some common practices.

How to block PING to your server with an error message?

In this way you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Example:

[root@support ~]# ping 109.200.11.67
PING 109.200.11.67 (109.200.11.67) 56(84) bytes of data.
From 109.200.11.67 icmp_seq=1 Destination Port Unreachable
From 109.200.11.67 icmp_seq=2 Destination Port Unreachable
From 109.200.11.67 icmp_seq=3 Destination Port Unreachable

To block without any messages use DROP as Jump to target.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Outside to Inside

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

How to block PING from your server?

In this way you can block PING option from your server to outside. Add these rules to your iptables to do the same.
Block PING operation with message ‘Operation not permitted’

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Example:

root@test [~]# ping google.com
PING google.com (173.194.34.136) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

To block with out any error messages

For this, DROP the echo-reply to the INPUT chain of your iptables.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Inside to Outside

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

You can use the icmp code instead of icmp-type name for adding rule to iptables.
That’s it. Try this and let me know your feedback.

Hooooray…. It’s time to relax!! Just watch A Breakfast Ride To Chota Ladakh

Related Posts

1. What is iptables in Linux ?
2. How to save/backup existing iptables rules to a file

Post navigation

Arunlal A

Senior System Developer at Zeta. Linux lover. Traveller. Let's connect! Whether you're a seasoned DevOps pro or just starting your journey, I'm always eager to engage with like-minded individuals. Follow my blog for regular updates, connect on social media, and let's embark on this DevOps adventure together! Happy coding and deploying!

23 thoughts on “Allow/deny ping on Linux server – iptables rules for icmp

  1. Thank you so very much for showing how to block pings using iptables. Would you be able to block pings using firewalld using the rich rules?

    Regards,

  2. Hi, I have an HP server with Centos. I used to login as root from outside. Yesterday for testing purposes I enabled the Selinux enforcing and reboot the server for relabeling. After that I am unable to ssh to the server. Cannot login locally as root even though Root login is permitted in sshd_config. I have disabled the Selinux now completely from sysconfig/selinux and rebooted the server and did the relabeling again using fixfiles command also. still, locally i cannot login from root as it gives me error “root logins are not allowed”(root login is permitted in sshdconf). I restarted the sshd service also but still it is not possible to login locally from root. remote login from ssh is also not possible. When I do ssh it gives me output of “connection timeout” and when i do ping it gives me “no answer from server”. The ILO is working fine.

  3. ¡Very useful post!

    You can also block ICMP IPv6 reply traffic using:

    iptables -A INPUT -p icmpv6 –icmp-type echo-request -j DROP

  4. Great stuff from you, man. I’ve read your stuff, and you’re just too dangerous. I love what youve got here, love what you say, and you say it. You make it entertaining and you still manage to keep it smart.

  5. How can I implement following requirement?
    Use iptables commands in the INPUT chain in Machine A to only accept a limited number of ICMP ping echo request packets from Machine B(assume IP address is 172.168.10.2), so that when we issue the command “ping -c 60 ” in Machine B, only the following ping requests are successful:
    icmp_seq = 1-7, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49, 53, 57
    Meanwhile, Machine A can receive all kinds of packets from other machine without any limitation.

  6. Hi crybit,
    We can use tip application for monitor status iptables ?
    if we have many server iptables running, and have someone stop or start service iptables. How to know issue?
    Thanks,

  7. Hello,
    how block ALL possibilities of pinging? My iptables is set to
    iptables -A INPUT -j sshguard
    ip6tables -A INPUT -j sshguard
    Thank You!

    1. Those are ICMP message types to test the hosts availability. This is explained in the following links:

      tcpipguide.com/free/t_ICMPv4EchoRequestandEchoReplyMessages.htm
      erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html

Leave a Reply

Your email address will not be published. Required fields are marked *