Hello,
I would like to drop the pings with iptables. I have set these rules:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:nsrp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-reply
Pinging localhost doesn't reply, but from the external it does. Why?
Last edited by Grant (2014-09-08 09:26:32)
Hi Grant,
Maybe the FORWARD chain takes effect due to your routing.
Please provide output of:
$ iptables -vnL
$ cat /proc/sys/net/ipv4/ip_forward
Hi debijan. Thanks for your reply.
[black@black ~]$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 2306 packets, 1137K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 flags:0x17/0x02
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7170 flags:0x17/0x02
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x17/0x02
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2486 packets, 367K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
[black@black ~]$ cat /proc/sys/net/ipv4/ip_forward
0
[black@black ~]$
Should I add the echo-reply and echo-request in the FORWARD chain?
Last edited by Grant (2014-09-08 09:29:16)
That still doesn't show all the details. Better to show the output of:
iptables-save
[black@black ~]$ sudo iptables-save
[sudo] password for black:
# Generated by iptables-save v1.4.16.3 on Sun Feb 10 13:54:19 2013
*filter
:INPUT ACCEPT [40928:34865044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39255:5461608]
-A INPUT -i ppp0 -p tcp -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 7170 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
COMMIT
# Completed on Sun Feb 10 13:54:19 2013
And so what do I have to do?
Swap the 8 and 0 around
See e.g. example.
Is it right?
:INPUT ACCEPT [34686:30346241]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31938:4644858]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
COMMIT
Have a look again at the examples in the link brebs gave you.
Well. I have done like the example (I believe):
[root@black black]# ping -c 2 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
[root@black black]# ping -c 2 79.55.152.8
PING 79.55.152.8 (79.55.152.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 79.55.152.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
[root@black black]# iptables-save
:INPUT ACCEPT [149:39761]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [170:19652]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
[root@black black]#
But why can this site (and others) http://ping.eu/ping/ ping me?
Maybe sysctl.conf has some problem (some time ago I tried to use it to drop pings)?
[root@black black]# cat /etc/sysctl.conf
# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.
# Have the CD-ROM close when you use it, and open when you are done.
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1
# Protection from the SYN flood attack.
net.ipv4.tcp_syncookies = 1
# See evil packets in your logs.
#net.ipv4.conf.all.log_martians = 1
# Never accept redirects or source routes (these are only useful for routers).
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_source_route = 0
# Disable packet forwarding.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Tweak the port range used for outgoing connections.
#net.ipv4.ip_local_port_range = 32768 61000
# Tweak those values to alter disk syncing and swap behavior.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60
# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5
# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600
# Disable SysRq key to avoid console security issues.
kernel.sysrq = 0
#Ping disabling
net.ipv4.icmp_echo_ignore_all = 1
[root@black black]#
The "Ping disabling" section is mine, clearly.
Please confirm your connection-setup for us:
Can it be that the WAN ping reply to ping.eu comes from your internet router (which is perhaps doing NAT) in front of the machine that we are looking at?
Sorry, I'm not a networks expert.
If I have understood, do you mean that iptables should drop requests from 192.168.1.x (x=73 in my case)?
Else please be clearer.
Ps: but why iptables and sysctl both don't work? I think there's something wrong elsewhere.
Last edited by Grant (2014-09-08 09:30:29)
Sorry, I'm not a networks expert.
If I have understood, do you mean that iptables should drop requests from 192.168.1.x (x=73 in my case)?
Yes, probably (you don't explain to us what 192.168.1.73 is).
I was asking whether you have an internet router which might be replying to the pings before they reach your box:
ping.eu pings (1) --> your internet router replies back with echo-reply (2) before forwarding --> to your machine (3) (which then drops it (4))
Is the question clear now?
I'm seeing everywhere that for blocking ping, you should use this statement:
iptables -A INPUT -j DROP -p icmp --icmp-type echo-request
But why doesn't it work on my machine!?!
PS: added before your message.
Last edited by Grant (2014-09-08 09:30:48)
I would like to drop the pings with iptables. I have set these statements:
ICMP (including ping) is not the enemy: http://www.itchannelinsight.com/2012/10/icmp/
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Maybe it is like you say. This is my router: Alice Gate VoIP.
PS: in fact iptables -vnL (after ping) says that there is no ping request incoming/exiting. But ping localhost is dropped.
And so what can I do?
Last edited by Grant (2014-09-08 09:31:17)
Routers usually have an option for allowing/disallowing pings from WAN. Have a look at its menu options!
Actually though you should consider fukawi's comment. ICMP is necessary/important for controlled network flows. Not much harm coming from it these days.
Why do you want to disallow pings anyway?
For me it is useless. Why should anyone know my IP? Port scanning? Sniffing?
But I should change my router to block the echo-reply. May we analyze some other options please?
Last edited by Grant (2014-09-08 09:32:32)
I must say, I don't understand your ruleset. Why do you accept stuff by default, and then only drop a few very specific things?
I must say, I don't understand your ruleset. Why do you accept stuff by default, and then only drop a few very specific things?
What are you referring to?
You have ACCEPT as policy and then drop a few things. I would do it the other way around, set DROP as policy and only accept a few things.
I didn't know this. Thank you Bebo.
But why should I do this? As I said, I'm not a networks expert and not an iptables expert either.
It would give you a lot more control; deny by default, allow specific things. Below is a very simple strict ruleset. (Or kind of strict; I guess one could argue that a policy of accept in the OUTPUT chain is bad, but I myself don't see the need of controlling my outgoing traffic.) This ruleset drops all incoming traffic, except the traffic due to our own outgoing connections.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
If you want to accept traffic from machines on your internal LAN, you could just add a line such as
iptables -A INPUT ! -i lo -m conntrack --ctstate NEW --source 192.168.0.0/24 -j ACCEPT
Here, I assume that you use 192.168.0.0/24 on your internal LAN.
Thanks. It's a good idea. I will try.
Is there a way in iptables to know all packets incoming/outgoing?
Well, yeah, if you're just using the filter table (which is the default; the others are raw, nat and mangle), the incoming packets (to your machine) end up in the INPUT chain and the outgoing packets (from your machine) in the OUTPUT chain. (If you want some headache, look here, there is a flowchart at the bottom of the page.)
Or, was that what you asked? If you want to see them, you can either set up logging, or use tcpdump. Be careful with the logging though; a few years ago I put a LOG target in the wrong position and accidentally logged every packet. The log file filled the partition in a very short time...
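Bebo's default-deny ruleset and the warning about a misplaced LOG target, combined into an added example that is not code from this thread: a shell function that emits the ruleset in iptables-restore(8) format (the same format iptables-save prints earlier in the thread), with the loopback rule first so "ping 127.0.0.1" keeps working, an optional rate-limited accept for echo-requests, and a rate-limited LOG rule placed last so it only ever sees traffic that is about to be dropped by policy. The LAN prefix 192.168.1.0/24 and the "yes"/"no" flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a default-deny filter table in
# iptables-restore format; it does not touch the running firewall by itself.
# To apply:   gen_ruleset 192.168.1.0/24 no | sudo iptables-restore
# Assumes IPv4, the filter table only, and the conntrack/limit matches.

gen_ruleset() {
  lan="$1"          # LAN prefix allowed to open NEW connections (assumed 192.168.1.0/24)
  allow_ping="$2"   # "yes" answers echo-requests (rate-limited); anything else drops them
  printf '%s\n' '*filter'
  # Policies: deny everything incoming and forwarded, allow outgoing (as Bebo did)
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Loopback first: otherwise local services and "ping 127.0.0.1" break
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Replies to connections this host opened itself
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Packets that belong to no known connection never reach the allow rules
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # New connections only from the LAN prefix
  printf '%s\n' "-A INPUT -m conntrack --ctstate NEW -s $lan -j ACCEPT"
  if [ "$allow_ping" = yes ]; then
    # ICMP type 8 = echo-request; cap at 5/s so a flood cannot use this host
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT'
  fi
  # LOG is not terminating; keeping it LAST means only policy-dropped packets get
  # logged, and the limit keeps the log from filling the partition
  printf '%s\n' '-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "'
  printf '%s\n' 'COMMIT'
}
```

Without the "yes" flag no explicit ICMP rule is emitted, and incoming echo-requests are dropped by the INPUT policy alone, which makes the separate OUTPUT rule for echo-replies from the thread unnecessary.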