Sometimes it is a good idea to disable ping, for whatever reason. Ping uses 2 of the 16 message types of ICMP (Internet Control Message Protocol). You might naturally think it a good idea to disable ICMP entirely, but often simply dropping ping requests and ping responses is enough. There are many ways to disable ping; this entry covers three of them: with IPTables, with CSF and with a kernel parameter.
Disabling Ping with IPTables
Disabling ping with IPTables is probably the most popular option of the three, not because it is the best or worst method, but because it is the most standard one.
To block incoming ping requests and responses run the following commands:
sudo iptables -I INPUT 1 -p ICMP --icmp-type 8 -j DROP
In the above command, -I means [-I]nsert the rule at line 1 of the INPUT chain, -p specifies the [-p]rotocol, and --icmp-type specifies which ICMP message type to match. ICMP type 8 is echo request, so dropping it prevents incoming ping requests from reaching the host.
Allowing an IP to ping
In some cases you may need to block ICMP ping requests but still allow them from certain hosts. For this to work we must create an IP-specific rule that is interpreted before the rule that drops all ping requests. To do this, issue the following commands in order:
sudo iptables -I INPUT 1 -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
sudo iptables -I INPUT 2 -p ICMP --icmp-type 8 -j DROP
Where x.x.x.x is the IP address of the host you want to allow. The -s option is the [-s]ource address of the allowed host.
To revert your changes, simply issue sudo iptables -D INPUT followed by the number of the rule you wish to delete (sudo iptables -L INPUT --line-numbers shows the rule numbers).
Disabling Ping with CSF
Disabling ping with CSF is extremely easy. Simply edit the /etc/csf/csf.conf file and change the following parameter so that incoming ping is no longer allowed ("1" allows it, "0" blocks it):
# Allow incoming PING
ICMP_IN = "0"
When you are finished execute:
sudo csf -ra
This restarts the firewall rules and then the lfd daemon. Both csf and lfd should be restarted after any change to the configuration file.
Allowing an IP to ping
To my knowledge, the only way to accomplish this with CSF alone is to add the source IP address to the /etc/csf/csf.allow file.
You may still use the IPTables rule above to allow the host; however, for a custom IPTables rule to be kept by CSF, we must create the file /etc/csf/csfpre.sh and put the following in it:
iptables -I INPUT 1 -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
If the rule is not placed in a custom file that CSF loads along with its own rules, any custom rules will be erased after a CSF restart. To counter this, custom rules must be placed in either /etc/csf/csfpre.sh (loaded before the CSF rules) or /etc/csf/csfpost.sh (loaded after them).
I suggest you look through the whole CSF configuration file. There are tons of extremely helpful settings in there.
Disabling Ping with the Kernel
Sometimes you may want to disable ICMP altogether. In this case the best way to accomplish this is at the kernel level, which assures you that ICMP will be disabled and that no application misconfiguration can make a difference.
In order to disable ICMP we need to write a "1" to the kernel parameter. Note that sudo must apply to the write itself: with sudo echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all the redirection is performed by your unprivileged shell and fails with "Permission denied", so use tee instead:
echo "1" | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
To re-enable, simply write a "0" into the same file the same way.
Another way to accomplish this, which also survives a reboot, is to edit /etc/sysctl.conf and append the following line (then run sudo sysctl -p to load it without rebooting):
net.ipv4.icmp_echo_ignore_all = 1
If you have applied the rule above and ping requests are still coming through, check the output of:
sudo iptables -L
Make sure that no earlier rule in the chain accepts ICMP echo requests; iptables acts on the first matching rule, so an ACCEPT above your DROP makes the DROP ineffective.
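The check above, scripted: an added example that is not part of the original post. It audits an INPUT chain listing in the format printed by iptables -S INPUT, reports whether an echo-request DROP exists, and whether a blanket ACCEPT for echo requests precedes it. The function name audit_icmp_rules and the sample listings are my own, constructed for the example.

```shell
# Audit an INPUT chain listing (as printed by `iptables -S INPUT`) for the
# ping-blocking setup described above.  Return codes:
#   0  an echo-request DROP exists and only host-specific (-s) ACCEPTs precede it
#   1  no echo-request DROP rule is present in INPUT
#   2  a blanket echo-request ACCEPT (no -s) precedes the DROP, so the DROP never fires
audit_icmp_rules() {
    printf '%s\n' "$1" | awk '
        BEGIN { drop_line = 0; scoped_accept = 0; blanket_accept = 0 }
        # Consider only appended INPUT rules matching ICMP echo request (type 8).
        /^-A INPUT / && /-p icmp/ && /--icmp-type (8|echo-request)/ {
            if ($0 ~ /-j DROP/ && drop_line == 0) { drop_line = NR }
            if ($0 ~ /-j ACCEPT/ && drop_line == 0) {
                if ($0 ~ / -s /) { scoped_accept++ } else { blanket_accept++ }
            }
        }
        END {
            if (drop_line == 0) { print "no echo-request DROP rule in INPUT"; exit 1 }
            if (blanket_accept > 0) { print "blanket echo-request ACCEPT precedes the DROP"; exit 2 }
            print "echo-request DROP present; " scoped_accept " host-specific ACCEPT(s) before it"
            exit 0
        }'
}

# Constructed sample listings (not captured from a real host); 203.0.113.0/24 is documentation space.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'

SHADOWED_RULES='-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'

MISSING_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# On a live host: audit_icmp_rules "$(sudo iptables -S INPUT)"
```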