Re: blocking icmp protocol



Quoting tamer amr <tamer_linux@xxxxxxxxx>:

hi

I can't disable ICMP with iptables.
I ran the following command:

iptables -A INPUT -p icmp -s 192.168.1.125 -j DROP

but this IP can still ping my host.

Well, you got many helpful answers already. However, most people speculated instead of asking you what your (other) firewall rules look like. And to really help you, we'd need to have at least a high-level overview of what your firewall rules look like.

BTW, blindly blocking ICMP completely is usually a bad idea, unless you want to block everything to/from a particular host (in which case you should block everything, not just ICMP). ICMP is used for way more important things than just pinging around...

If you don't want to block all traffic to/from that host, you should allow at least destination unreachable and time exceeded messages (types 3 and 11) to pass through as long as they can be related to an existing connection (you can use "-m state --state RELATED" in the rule to check if a packet is related to an existing connection). In particular, destination unreachable might give you performance improvements and ease the load a bit on your routers (the "fragmentation needed and don't fragment was set" message is a subtype of destination unreachable, and is needed for path MTU discovery to work properly).



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
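Added example, not part of either poster's message: a small POSIX shell script that installs the rule set the reply above recommends, that is, ACCEPT for RELATED destination-unreachable and time-exceeded messages placed before the DROP for the host from the original post, plus a helper that lists the INPUT chain with line numbers so the rest of the rules can be shown when asking for help. The `IPT` variable, the `BAD_HOST` variable and the function names are assumptions of this example; `IPT` defaults to `echo` so the script only prints what it would do unless you run it as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example (not the list poster's rules). Drops ICMP from one host while
# still admitting the ICMP error messages that belong to existing connections
# (destination-unreachable, type 3, and time-exceeded, type 11), as the reply
# on the list suggests. Assumed variables: IPT selects the command to run
# (default "echo" = dry run), BAD_HOST is the address to block.
IPT="${IPT:-echo}"
BAD_HOST="${BAD_HOST:-192.168.1.125}"   # address taken from the original post

# Emit the three rules in the order that matters: iptables stops at the first
# matching rule in a chain, so the ACCEPT rules for RELATED error messages
# must be appended before the DROP for the host, or they would never match.
icmp_rules() {
    host="$1"
    # type 3 (includes the "fragmentation needed" subtype used by path MTU discovery)
    "$IPT" -A INPUT -p icmp --icmp-type destination-unreachable \
        -m state --state RELATED -j ACCEPT
    # type 11, needed so traceroute and TTL-expiry errors still reach the host
    "$IPT" -A INPUT -p icmp --icmp-type time-exceeded \
        -m state --state RELATED -j ACCEPT
    # everything else ICMP from the offending host, including echo-request
    "$IPT" -A INPUT -p icmp -s "$host" -j DROP
}

# Show the INPUT chain with counters and line numbers; this is the overview
# the reply asks for when a DROP rule seems not to work (an earlier ACCEPT in
# the same chain, or packets arriving in a different chain, show up here).
show_input_chain() {
    "$IPT" -L INPUT -n -v --line-numbers
}

# Self-check on the generated rule list: the DROP must be the last rule and
# both RELATED accepts must precede it. Returns 0 when the order is right.
rules_in_order() {
    out=$(icmp_rules "$1")
    last=$(printf '%s\n' "$out" | tail -n 1)
    case "$last" in
        *"-s $1 -j DROP") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$out" | head -n 2 | grep -q -- '--state RELATED -j ACCEPT'
}

# Run directly: print (or, with IPT=iptables as root, install) the rules.
if [ "${1:-}" = "apply" ]; then
    icmp_rules "$BAD_HOST"
fi
```

Usage: `sh icmp-block.sh apply` prints the three rules; `IPT=iptables sh icmp-block.sh apply` as root installs them, and `IPT=iptables sh -c '. ./icmp-block.sh; show_input_chain'` lists the chain afterwards. Because the DROP is appended with `-A`, any ACCEPT that already sits earlier in INPUT (for example a blanket `-p icmp -j ACCEPT`) still wins, which is the kind of detail the reply wants to see before diagnosing why a ping gets through.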