
#1 2009-10-25 23:08:03

speng
Member
Registered: 2009-01-17
Posts: 136

[Solved]Blocking ICMP Ping requests

speng@spengpc ~ $ sudo iptables -L
Password: 
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            icmp address-mask-reply 
DROP       icmp --  anywhere             anywhere            icmp address-mask-request 
DROP       icmp --  anywhere             anywhere            icmp router-solicitation 
DROP       icmp --  anywhere             anywhere            icmp router-advertisement 
DROP       icmp --  anywhere             anywhere            icmp redirect 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
interfaces  all  --  anywhere             anywhere            
open       all  --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1337 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
DROP       all  -f  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       icmp --  anywhere             anywhere            icmp echo-request 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:1337 

Chain interfaces (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain open (1 references)
target     prot opt source               destination

I followed the wiki and I could still be pinged from the interwebs, then I copied and slightly modified the script in the wiki and I can still be pinged.

What am I doing wrong? I want to block all ping requests from outside my network.

Last edited by speng (2009-11-02 21:18:25)


#2 2009-10-26 01:29:13

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: [Solved]Blocking ICMP Ping requests

speng wrote:

What am I doing wrong? I want to block all ping requests from outside my network.

The ACCEPT here comes before your DROP echo-request below.

DROP       icmp --  anywhere             anywhere            icmp address-mask-reply 
DROP       icmp --  anywhere             anywhere            icmp address-mask-request 
DROP       icmp --  anywhere             anywhere            icmp router-solicitation 
DROP       icmp --  anywhere             anywhere            icmp router-advertisement 
DROP       icmp --  anywhere             anywhere            icmp redirect 
ACCEPT     icmp --  anywhere             anywhere

Move this to come before the ACCEPT icmp above...

DROP       icmp --  anywhere             anywhere            icmp echo-request

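The first-match behaviour described in the post above, as an added example that is not part of the original thread: a shell function that walks an `iptables -L` chain listing and reports which rule decides an unsolicited inbound ICMP echo-request. The function name and the shortened listings are constructed for illustration; jumps to user-defined chains are not followed.

```shell
#!/bin/sh
# Added example: first-match walk of an `iptables -L <chain>` listing for an
# unsolicited inbound ICMP echo-request. Assumptions: user-defined chain
# jumps are not followed, and a rule with any match text other than
# "icmp echo-request" (or the numeric form "icmptype 8") does not match.
icmp_echo_verdict() {
    awk '
        /^Chain / || /^target / || NF < 5 { next }   # headers, blank lines
        {
            n++                                       # rule position in chain
            if ($1 != "ACCEPT" && $1 != "DROP" && $1 != "REJECT") next
            if ($2 != "icmp" && $2 != "all") next
            if ($3 != "--") next                      # e.g. -f: fragments only
            extra = ""
            for (i = 6; i <= NF; i++) extra = extra (i > 6 ? " " : "") $i
            if (extra != "" && extra != "icmp echo-request" && extra != "icmptype 8") next
            if (!decided) { decided = 1; print "verdict", n, $1 }
            else          { print "unreached", n, $1 }
        }
        END { if (!decided) print "verdict policy" }
    '
}

# Constructed sample: shortened INPUT chain in the order shown in post #1.
listing_before() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            icmp redirect
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  -f  anywhere             anywhere
DROP       icmp --  anywhere             anywhere            icmp echo-request
EOF
}

# Constructed sample: same rules with the echo-request DROP moved up.
listing_after() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            icmp redirect
DROP       icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere
EOF
}

listing_before | icmp_echo_verdict
listing_after  | icmp_echo_verdict
```

On a live system the same function can read `iptables -L INPUT` output from a pipe.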

#3 2009-10-28 16:47:04

speng
Member
Registered: 2009-01-17
Posts: 136

Re: [Solved]Blocking ICMP Ping requests

Thanks for posting fukawi2,

speng@spengpc ~ $ sudo iptables -L
Password: 
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            icmp address-mask-reply 
DROP       icmp --  anywhere             anywhere            icmp address-mask-request 
DROP       icmp --  anywhere             anywhere            icmp router-solicitation 
DROP       icmp --  anywhere             anywhere            icmp router-advertisement 
DROP       icmp --  anywhere             anywhere            icmp redirect 
DROP       icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
interfaces  all  --  anywhere             anywhere            
open       all  --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1337 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
DROP       all  -f  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:1337 

Chain interfaces (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain open (1 references)
target     prot opt source               destination

New iptables, same problem, I can be pinged from outside my network.


#4 2009-10-28 21:38:51

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: [Solved]Blocking ICMP Ping requests

What address are you pinging? And what is the output of `ip a s`?


#5 2009-10-29 15:05:42

speng
Member
Registered: 2009-01-17
Posts: 136

Re: [Solved]Blocking ICMP Ping requests

I'm getting other people to ping me, that's what I want to block. :D

speng@spengpc ~ $ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1c:10:60:ab:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.101/24 brd 192.168.1.255 scope global wlan0

Thanks for posting!


#6 2009-11-01 21:29:49

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: [Solved]Blocking ICMP Ping requests

speng wrote:

I'm getting other people to ping me, that's what I want to block. :D

You didn't answer my question ;)

What address are you pinging?


#7 2009-11-01 23:52:24

Vamp898
Member
From: 東京
Registered: 2009-01-03
Posts: 891
Website

Re: [Solved]Blocking ICMP Ping requests

Maybe you want to try something like firestarter ;)

aur/firestarter 1.0.3-8 (73)
    GUI fron-end for iptables


#8 2009-11-02 20:29:03

speng
Member
Registered: 2009-01-17
Posts: 136

Re: [Solved]Blocking ICMP Ping requests

fukawi2 wrote:
speng wrote:

I'm getting other people to ping me, that's what I want to block. :D

You didn't answer my question ;)

What address are you pinging?

78.33.200.65

And I don't really want to use firestarter, I want to do it in iptables. I've been checking guides as well, I'm pretty sure I'm doing it right.

I was able to block myself sending ping requests but I can't seem to be able to block incoming requests.


#9 2009-11-02 20:59:44

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: [Solved]Blocking ICMP Ping requests

OK, there's your problem...

The output from `ip a s` above shows that the IP address of *your computer* is 192.168.1.101. The 78.33.200.65 address you are pinging is assigned to your modem/router, so it is what is responding to the pings -- they never reach your computer. If you try pinging the 192.168.1.101 address from another computer on your local network, then the pings will be dropped. To appear 'invisible' to the internet, you'll need to configure your modem to drop ICMP echo-requests.

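The check made in the post above, as an added example that is not part of the original thread: a shell function that compares the address being pinged with the `inet` addresses in `ip a s` output, so you can tell whether the host's own iptables rules ever see the packet. The function name and result labels are constructed; the sample input is the `ip a s` output from post #5.

```shell
#!/bin/sh
# Added example: classify a target address against `ip a s` output on stdin.
# Prints "local" when the address is assigned to this host,
# "not-local-behind-nat" when it is not and every non-loopback address on
# the host is RFC 1918 private, otherwise "not-local".
classify_target() {
    awk -v target="$1" '
        $1 == "inet" {
            split($2, a, "/"); ip = a[1]          # strip the /prefix length
            if (ip == target) found = 1
            if (ip ~ /^127\./) next               # ignore loopback
            seen++
            split(ip, o, ".")
            if (o[1]+0 == 10 ||
                (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) ||
                (o[1]+0 == 192 && o[2]+0 == 168)) priv++
        }
        END {
            if (found)                          print "local"
            else if (seen > 0 && priv == seen)  print "not-local-behind-nat"
            else                                print "not-local"
        }
    '
}

# Sample input: the `ip a s` output posted in #5 of this thread.
ip_output() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1c:10:60:ab:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.101/24 brd 192.168.1.255 scope global wlan0
EOF
}

ip_output | classify_target 78.33.200.65     # address pinged from outside
ip_output | classify_target 192.168.1.101    # address on wlan0
```

A "not-local-behind-nat" result means echo-requests to that address are answered by an upstream device, and INPUT rules on this host are never consulted for them.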

#10 2009-11-02 21:10:18

speng
Member
Registered: 2009-01-17
Posts: 136

Re: [Solved]Blocking ICMP Ping requests

fukawi2 wrote:

OK, there's your problem...

The output from `ip a s` above shows that the IP address of *your computer* is 192.168.1.101. The 78.33.200.65 address you are pinging is assigned to your modem/router, so it is what is responding to the pings -- they never reach your computer. If you try pinging the 192.168.1.101 address from another computer on your local network, then the pings will be dropped. To appear 'invisible' to the internet, you'll need to configure your modem to drop ICMP echo-requests.

Perfect answer, thanks. :D

Pretty stupid of me though, I should know these things.
