Re: blocking icmp protocol



Quoting tamer amr <tamer_linux@xxxxxxxxx>:

hi

i can't disable the icmp with iptables
i made the following command

iptables -A INPUT -p icmp -s 192.168.1.125 -j DROP

but still this ip can ping my host

Well, you got many helpful answers already. However, most people speculated instead of asking you what your (other) firewall rules look like. And to really help you, we'd need to have at least a high-level overview of what your firewall rules look like.

BTW, blindly blocking ICMP completely is usually a bad idea. Unless you want to block everything to/from a particular host (in which case you should block everything, not just ICMP). ICMP is used for way more important things than just pinging around...

If you don't want to block all traffic to/from that host, you should allow at least destination unreachable and time exceeded messages (types 3 and 11) to pass through as long as they can be related to an existing connection (you can use "-m state --state RELATED" in the rule to check if a packet is related to an existing connection). In particular, destination unreachable might give you performance improvements and ease the load a bit on your routers (the "fragmentation needed and don't fragment was set" is a subtype of destination unreachable, and is needed for path MTU discovery to work properly).



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
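
A minimal Python model of iptables first-match evaluation, added here as an illustration and not part of the original thread. It shows why rule order decides whether an appended DROP ever fires, and the "types 3 and 11 when RELATED" exception from the reply. The `accept_icmp` rule is a hypothetical stand-in for an earlier rule, since the poster's actual ruleset is not shown; all class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str
    src: str
    icmp_type: Optional[int] = None
    state: str = "NEW"            # conntrack state: NEW, RELATED, INVALID, ...

@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None means "match any"
    src: Optional[str] = None
    icmp_types: Optional[frozenset] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.icmp_types is None or p.icmp_type in self.icmp_types)
                and (self.state is None or self.state == p.state))

def verdict(chain, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

HOST = "192.168.1.125"                     # address from the thread
drop_icmp = Rule("DROP", proto="icmp", src=HOST)
# Hypothetical pre-existing rule; the poster's real ruleset is not shown.
accept_icmp = Rule("ACCEPT", proto="icmp")

appended = [accept_icmp, drop_icmp]        # "iptables -A" puts the DROP last
inserted = [drop_icmp, accept_icmp]        # "iptables -I" puts the DROP first

# Drop ICMP from the host, except RELATED types 3 and 11 as the reply suggests.
selective = [
    Rule("ACCEPT", proto="icmp", src=HOST,
         icmp_types=frozenset({3, 11}), state="RELATED"),
    drop_icmp,
]

ping = Packet("icmp", HOST, icmp_type=8)                          # echo request
frag_needed = Packet("icmp", HOST, icmp_type=3, state="RELATED")  # PMTU signal
unsolicited = Packet("icmp", HOST, icmp_type=3, state="INVALID")  # no connection
```

Evaluating `verdict(appended, ping)` against `verdict(inserted, ping)` shows the ordering effect; on a real host, `iptables -L INPUT -n --line-numbers` lists the rules in the order they are evaluated.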


