• VMware

    Learn about VMware virtualization for its products like vsphere ESX and ESXi, vCenter Server, VMware View, VMware P2V and many more

  • Linux

    Step by step configuration tutorials for many of the Linux services like DNS, DHCP, FTP, Samba4 etc including many tips and tricks in Red Hat Linux.

  • Database

    Learn installation and configuration of databases like Oracle, My SQL, Postgresql, etc including many other related tutorials in Linux.

  • Life always offers you a second chance ... Its called tomorrow !!!

    Thursday, March 06, 2014

    Iptables rules to block/allow icmp ping request in Linux

    In this article I will show you different ways to block or allow incoming and outgoing icmp ping request in your Linux server.

    Block ICMP ping request from all the servers in my network 192.168.1.0/24 towards my localhost 192.168.1.6
    [root@test1 ~]# iptables -I INPUT -s 192.168.1.0/24 -p icmp -j DROP
    Try to ping from any other machine of same network
    [root@test ~]# ping 192.168.1.6
    PING 192.168.1.6 (192.168.1.6) 56(84) bytes of data.
    ^C
    --- 192.168.1.6 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2949ms

    In the above test 3 packets were transmitted but none of them were received. As you can see below 3 packets were blocked by the INPUT chain in our localhost
    [root@test1 ~]# iptables -L -v
    Chain INPUT (policy ACCEPT 28 packets, 2004 bytes)
     pkts bytes target     prot opt in     out     source               destination
        3   252 DROP       icmp --  any    any     192.168.1.0/24       anywhere

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 18 packets, 1688 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Block ALL the outgoing ping request

    [root@test1 ~]# iptables -I OUTPUT -d 192.168.1.0/24 -p icmp -j DROP
    [root@test1 ~]# ping 192.168.1.2
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted

    ^C
    --- 192.168.1.2 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2183ms

    As you see above 3 packets made an attempt to send an icmp request to 192.168.1.0/24 but as it says "operation not permitted"
    [root@test1 ~]# iptables -v -L
    Chain INPUT (policy ACCEPT 38 packets, 2548 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 25 packets, 2688 bytes)
     pkts bytes target     prot opt in     out     source               destination
        3   252 DROP       icmp --  any    any     anywhere             192.168.1.0/24

    You can also use extra arguments for icmp request types
    1. echo-request (ping)
    2. echo-reply (pong)

    When you are trying to ping a server, basically you are sending a echo-request to that server and that server once receives the request, it will reply with echo-reply.

    Block all outgoing echo-reply for echo-request coming from 192.168.1.0/24 using OUTPUT chain
    # iptables -I OUTPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP
    Now try to ping from any of the machine of same network
    [root@test ~]# ping 192.168.1.6
    PING 192.168.1.6 (192.168.1.6) 56(84) bytes of data.
    ^C
    --- 192.168.1.6 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2521ms

    As you can see 3 packets were blocked in the OUTPUT chain
    [root@test1 ~]# iptables -L -v
    Chain INPUT (policy ACCEPT 26 packets, 1952 bytes)
     pkts bytes target     prot opt in     out     source    destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source    destination

    Chain OUTPUT (policy ACCEPT 16 packets, 1504 bytes)
     pkts bytes target   prot opt in   out  source           destination
        3   252 DROP     icmp --  any  any  192.168.1.0/24   anywhere   icmp echo-reply


    Block all ICMP incoming traffic for ESTABLISHED connection only
    # iptables -I INPUT -s 192.168.1.0/24 -p icmp -m state --state ESTABLISHED -j DROP
    Try to ping from any other machine of same network
    [root@test ~]# ping 192.168.1.6
    PING 192.168.1.6 (192.168.1.6) 56(84) bytes of data.
    64 bytes from 192.168.1.6: icmp_seq=1 ttl=64 time=2.00 ms
    ^C
    --- 192.168.1.6 ping statistics ---
    4 packets transmitted, 1 received, 75% packet loss, time 3092ms


    Do you see something unusual above?
    The first packet was sent properly which means node 1 sent with SYN signal which was accepted by node 2 with SYN/ACK signal and sent ACK signal back to node 1 (TCP 3 way handshake). So once the connection was established no further icmp request was allowed as you see out of 4 packets 1 was transmitted successfully and 3 were dropped.

    [root@test1 ~]# iptables -L -v
    Chain
    INPUT (policy ACCEPT 28 packets, 2121 bytes)
     pkts bytes target     prot opt in     out     source               destination
       
    3   252 DROP       icmp --  any    any     192.168.1.0/24       anywhere            state ESTABLISHED

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 18 packets, 1620 bytes)
     pkts bytes target     prot opt in     out     source               destination

    You can do the same for other state condition as well
    # iptables -I INPUT -s 192.168.1.0/24 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j DROP

    State
    Description
    NEW
    meaning that the packet has started a new connection, or otherwise  associated with a connection which has not seen packets in both directions
    ESTABLISHED
    meaning that the packet is associated with a connection which has seen packets in both directions
    RELATED
    meaning that the packet is starting a new connection, but is  associated  with an existing connection, such as an FTP data transfer, or an ICMP error
    So I hope I made my self clear. Please let me know your success and failures


    Related Articles
    Iptables rules to allow/block ssh incoming/outgoing connection in Linux
    iptables rules for Samba 4 in Red Hat Linux
    Basic iptables tutorial in Linux I
    Basic iptables tutorial in Linux II
    Iptables for Samba server


    Follow the below links for more tutorials

    Step by Step Linux Boot Process Explained In Detail
    Configure Red Hat Cluster using VMware, Quorum Disk, GFS2, Openfiler
    Tutorial for Monitoring Tools SAR and KSAR with examples in Linux
    How to configure Samba 4 Secondary Domain Controller
    How to secure Apache web server in Linux using password (.htaccess)
    How to register Red Hat Linux with RHN (Red Hat Network )
    15 tips to enhance security of your Linux machine
    Why is Linux more secure than windows and any other OS
    What is the difference between "su" and "su -" in Linux?
    What is kernel-PAE in Linux?
    What is swappiness and how do we change its value?
    How to log iptables messages in different log file
    What are the s and k scripts in the etc rcx.d directories
    How to check all the currently running services in Linux
    How to auto start service after reboot in Linux
    What is virtual memory, paging and swap space?

    0 comments:

    Post a Comment