Welcome to the JaguarPC Community
This is a discussion on How can I block every PING / ICMP traffic? in the VPS & Dedicated forum

  1. #1
    XoK (Join Date: Feb 2007; Posts: 121)

    How can I block every PING / ICMP traffic?

    Hello,

    I have a dedicated server with CentOS.

    1 - I want to block every PING / ICMP, how can I do it?

    2 - If possible, I want also not to send the instruction to kill the connection (SYN SENT, I guess it is called that), if anyone uses a port scanner the threads stays connected a lot of time to make a connection timeout, because it is waiting for the response and it is never sent.


    Regards,

  2. #2
    Rob (Join Date: Nov 2005; Location: It varies; Posts: 425)
    After doing a small amount of searching on Google, blocking ping / ICMP requests can be done by issuing the following commands to iptables:

    iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

    or by doing

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    Rob



  3. #3
    XoK (Join Date: Feb 2007; Posts: 121)
    And modifying iptables is persistent?

    For example, if there is a machine restart, are the settings maintained?

    The other command I did not understand.


    (I am very "noob" at linux... so any help is welcome on this)

  4. #4
    Pointy Stick Expert (Join Date: Nov 2002; Posts: 143)
    Quote Originally Posted by Rob:

        After doing a small amount of searching on Google, blocking ping / ICMP requests can be done by issuing the following commands to iptables:

        iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

    I'll take your word for it... but the above is missing a few steps that in this case would probably be desirable. iptables commands will be lost across reboots, unless one takes steps to make them persistent.

    To help with this, iptables-save will dump the current rules, iptables-restore does what it sounds like.

  5. #5
    XoK (Join Date: Feb 2007; Posts: 121)
    Thanks for the help from all.

    I was able to Google and do it from there... I was missing "service iptables restart" to load settings.

    Anyway I have found a great tutorial here, point 4:
    http://wiki.slicehost.com/doku.php?i...y_and_ django

    =====================

    4. Configure firewall (iptables)
    Install iptables:

    sudo yum -y install iptables
    Edit iptables config file:

    sudo vi /etc/sysconfig/iptables

    Paste these settings:

    # By default drop all incoming and forwarded traffic
    # Allow all outgoing traffic
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Allow returning packets
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow incoming traffic on ports 80 and 443 for web server
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allow local traffic
    -A INPUT -i lo -j ACCEPT

    # Allow ping
    -A INPUT -p icmp --icmp-type ping -j ACCEPT

    # Allow incoming SSH
    -A INPUT -p tcp --dport 22 -j ACCEPT

    COMMIT

    Save the file ( ZZ )

    Change permissions on the iptables config file so only root can read it:

    sudo chmod go-r /etc/sysconfig/iptables
    Restart iptables service:

    sudo service iptables restart

    =====================================


    I had left the iptables file as is, and pasted this before COMMIT, with DROP instead of ACCEPT on ping:

    «««««««««««««««««««««««««««««

    # Allow returning packets
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow incoming traffic on ports 80 and 443 for web server
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allow local traffic
    -A INPUT -i lo -j ACCEPT

    # Disable ping
    -A INPUT -p icmp --icmp-type ping -j DROP

    # Allow incoming SSH
    -A INPUT -p tcp --dport 22 -j ACCEPT

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    service iptables restart


    Up and running... no ping for anyone!

    Regards,
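An added example, not from any poster in this thread, that audits a ruleset in the /etc/sysconfig/iptables format used above: it walks the INPUT chain with first-match semantics for the matches the thread uses (-p, --dport, --icmp-type, -i, -s, --state) and falls back to the chain policy. RULESET is a constructed copy of the final chain from post #5; because the policy is already INPUT DROP, the check shows the explicit ping DROP rule is redundant, while the earlier "-i lo" rule still lets local pings through.

```python
import shlex

# Constructed sample: the final INPUT chain from post #5, with ping set to DROP.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

ICMP_ALIASES = {"ping": "echo-request", "8": "echo-request"}  # iptables names for type 8
FLAGS = {"-A": "chain", "-p": "proto", "--dport": "dport", "-i": "iface",
         "-s": "src", "--icmp-type": "icmp_type", "--state": "state", "-j": "target"}

def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts in file order]) for the filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):  # ":INPUT DROP [0:0]" sets the chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):  # one append-rule line
            tokens = shlex.split(line)
            rule = {FLAGS[f]: v for f, v in zip(tokens, tokens[1:]) if f in FLAGS}
            if "icmp_type" in rule:
                rule["icmp_type"] = ICMP_ALIASES.get(rule["icmp_type"], rule["icmp_type"])
            rules.append(rule)
    return policies, rules

def fate(text, proto, dport=None, icmp_type=None, iface="eth0", src=None,
         state="NEW", chain="INPUT"):
    """First rule whose every match fits the packet wins; otherwise the chain policy."""
    policies, rules = parse_ruleset(text)
    pkt = {"proto": proto, "dport": dport, "iface": iface, "src": src,
           "icmp_type": ICMP_ALIASES.get(icmp_type, icmp_type)}
    for rule in rules:
        if rule.get("chain") != chain or ("state" in rule and state not in rule["state"].split(",")):
            continue
        if all(rule.get(k) in (None, pkt[k]) for k in pkt):  # an omitted match fits any value
            return rule["target"]
    return policies.get(chain, "ACCEPT")
```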
