Block Ping (ICMP) Responses in Linux System

 

 

Blocking ping responses from the system can prevent a system from hackers to ICMP flood DOS attacks. So it can be a best practice for system security but most of the online monitoring systems use ping requests for the monitoring system.

Disable Ping using iptables

You can simply block ICMP responses directly from the firewall (iptables) in any Linux systems.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

The most simple method to block ping command on Linux systems is by adding an iptables rule, as shown in the below example. Iptables is a part of Linux kernel netfilter and, usually, is installed by default in most Linux environments.

# iptables -A INPUT --proto icmp -j DROP
# iptables -L -n -v  [List Iptables Rules]

 

How to block PING to your server with an error message?

In this way you can partially block the PING with an error message ‘Destination Port Unreachable’. Add the following iptables rules to block the PING with an error message. (Use REJECT as Jump to target)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Example:

[root@support ~]# ping 109.200.11.67
PING 109.200.11.67 (109.200.11.67) 56(84) bytes of data.
From 109.200.11.67 icmp_seq=1 Destination Port Unreachable
From 109.200.11.67 icmp_seq=2 Destination Port Unreachable
From 109.200.11.67 icmp_seq=3 Destination Port Unreachable

To block without any messages use DROP as Jump to target.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Outside to Inside

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

How to block PING from your server?

In this way you can block PING option from your server to outside. Add these rules to your iptables to do the same.
Block PING operation with message ‘Operation not permitted’

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Example:

root@test [~]# ping google.com
PING google.com (173.194.34.136) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

To block with out any error messages

For this, DROP the echo-reply to the INPUT chain of your iptables.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Allow Ping from Inside to Outside

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

You can use the icmp code instead of icmp-type name for adding rule to iptables.
That’s it. Try this and let me know your feedback.

 

 

In Red Hat Enterprise Linux distribution that use Firewalld interface to manage iptables rules, add the below rule to drop ping messages.

# firewall-cmd --zone=public --remove-icmp-block={echo-request,echo-reply,timestamp-reply,timestamp-request} --permanent	
# firewall-cmd --reload

In order to test if the firewall rules had been successfully applied in all the cases discussed above, try to ping your Linux machine IP address from a remote system. In case ICMP messages are blocked to your Linux box, you should get a “Request timed out” or “Destination Host unreachable” messages on the remote machine.

 

Block Ping with Kernel Parameter

We can also block ping responses from the system by directly updating kernel parameters. In this, we can block ping responses temporarily or permanently as below.

Block Ping Temporarily

You can block temporarily block ping responses temporarily using following command

echo "1" >  /proc/sys/net/ipv4/icmp_echo_ignore_all

Block Ping Permanently

In place of blocking ping temporarily, You can block it permanently by adding the following parameter in /etc/sysctl.conf configuration file.

net.ipv4.icmp_echo_ignore_all = 1

Now execute the following command to apply settings immediately without rebooting the system.

sysctl -p