Disable Ping with IPTables, CSF and the Kernel

disable ping

Sometimes it is a good idea to disable ping, for whatever reason. Ping is 2 of 16 parts of the ICMP (Internet Control Message Protocol). Naturally you might think it a good idea to disable ICMP totally, but often times simply disabling ping requests and ping responses is enough. There are many ways to disable Ping – in this entry we will cover three different ways. With IPTables, CSF and with a Kernel parameter.

Disabling Ping with IPTables

Disabling ping with IPTables is probably the most popular option of the three. Not because it is the best or worst method, but because it is the most standard method.

To block incoming ping requests and responses run the following commands:

Incorrectly configuring iptables can cause your server to become inaccessible.

sudo iptables -I INPUT 1 -p ICMP --icmp-type 8 -j DROP

In the above code, the -I option means to [-I]nsert, into line 1 of the INPUT chain. The -p is to specify what -[p]rotocol, and –icmp-type specifies which ICMP portion to disable. ICMP type 8 is for echo request. Disabling echo request will prevent incoming ping requests.

Allowing an IP to ping

In some cases it might be required to block ICMP ping requests, but allow them from certain hosts. In order for this to work we must create an IP specific rule in such a way that it gets interpreted before the DROP of all ICMP requests. To do this we must issue the following commands in order:

sudo iptables -I INPUT 1 -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
sudo iptables -I INPUT 2 -p ICMP --icmp-type 8 -j DROP

Where x.x.x.x is the server IP address of the host you want to allow. The -s option is the [-s]ource address of the allowed server.

To revert your changes, simple issue an sudo iptables -D followed by the line number of the rule you wish to delete.

Remember, iptables works from top down. This means that any rule that is processed will start from the top, and sequentially move down the list. Once a rule is matched it stops and does not process rules any further.

Disabling Ping with CSF

Disabling ping with CSF is extremely easy to do. Simply edit the /etc/csf/csf/csf.conf file and change the following parameters accordingly:

# Allow incoming PING
ICMP_IN = "1"

When you are finished execute:

sudo csf -ra

This will restart the firewall rules and then restart the lfd daemon. Both CSF and LFD should be restarted after making any changes to the configuration file.


Allowing an IP to ping

To my knowledge, the only way to accomplish this with CSF alone, is to add the source IP address into the /etc/csf/csf.allow file.

IP addresses added to /etc/csf/csf.allow will be allowed through iptables – meaning it will bypass any other rules, not just ICMP requests.

You may still use the IPTables option above to allow the host, however, in order to use a custom IPTables rule with csf, we must make the file /etc/csf/csfpre.sh and put the following in it:

iptables -I INPUT 1 -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT

If we do not make a custom file that is loaded before the rest of the rules, then after a CSF restart – any custom rules will be erased. To counter this, custom rules must be placed in either /etc/csf/csfpre.sh or /etc/csf/csfpost.sh

I suggest you look through the whole CSF configuration file. There are tons of extremely helpful settings in there.

Disabling Ping with the Kernel

Sometimes you may want to disable ICMP altogether. In this case, the best way to accomplish this would be to do it at the kernel level. This assures you that ICMP will be disabled and no sort of application misconfiguration is going to make a difference.

In order to disable ICMP we need to issue the following command:

sudo echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

To re-enable, simply echo a “0” into the same file.

Another way to accomplish this is to edit /etc/sysctl.conf and append the following line:

net.ipv4.icmp_echo_ignore_all = 1

Troubleshooting

If you have applied the rule above, and ping requests are still coming through – check the output of:

sudo iptables -L

Make sure that there is no rule being interpreted first that allows ICMP requests.

About 

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *