
#1 2013-02-10 11:18:13

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Iptables doesn't drop ping

Hello,

I would like to drop the pings with iptables. I have set these rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere             tcp dpt:nsrp flags:FIN,SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere             icmp echo-request

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere             icmp echo-reply

Pinging localhost doesn't get a reply, but from outside it does. Why?

Last edited by Grant (2014-09-08 09:26:32)


#2 2013-02-10 12:03:59

debijan
Member
Registered: 2010-09-14
Posts: 37

Re: Iptables doesn't drop ping

Hi Grant,

Maybe the FORWARD chain takes effect due to your routing.
Please provide output of:
$ iptables -vnL
$ cat /proc/sys/net/ipv4/ip_forward


#3 2013-02-10 12:16:10

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Hi debijan. Thanks for your reply.

[black@black ~]$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 2306 packets, 1137K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445 flags:0x17/0x02
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7170 flags:0x17/0x02
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139 flags:0x17/0x02
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2486 packets, 367K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
[black@black ~]$ cat /proc/sys/net/ipv4/ip_forward
0
[black@black ~]$ 

Should I add the echo-reply and echo-request in the forward?

Last edited by Grant (2014-09-08 09:29:16)


#4 2013-02-10 12:48:45

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Iptables doesn't drop ping

That still doesn't show all the details. Better to show the output of:

iptables-save


#5 2013-02-10 12:54:46

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

[black@black ~]$ sudo iptables-save
[sudo] password for black: 
# Generated by iptables-save v1.4.16.3 on Sun Feb 10 13:54:19 2013
*filter
:INPUT ACCEPT [40928:34865044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39255:5461608]
-A INPUT -i ppp0 -p tcp -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 7170 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
COMMIT
# Completed on Sun Feb 10 13:54:19 2013


#6 2013-02-11 13:31:20

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

And so what do I have to do?


#7 2013-02-11 13:59:51

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Iptables doesn't drop ping

Swap the 8 and 0 around ;)

See e.g. example.


#8 2013-02-11 21:20:58

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Is it right?

:INPUT ACCEPT [34686:30346241]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31938:4644858]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
COMMIT


#9 2013-02-11 23:11:37

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Iptables doesn't drop ping

Have a look again at the examples in the link brebs gave you.


#10 2013-02-12 09:29:18

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Well, I have done it like the example (I believe):

[root@black black]# ping -c 2 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms

[root@black black]# ping -c 2 79.55.152.8
PING 79.55.152.8 (79.55.152.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 79.55.152.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms

[root@black black]# iptables-save
:INPUT ACCEPT [149:39761]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [170:19652]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
[root@black black]# 

But why can this site (and others) http://ping.eu/ping/ ping me?

Maybe sysctl.conf has some problem (some time ago I tried to use it to drop pings)?

[root@black black]# cat /etc/sysctl.conf
# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.

# Have the CD-ROM close when you use it, and open when you are done.
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1

# Protection from the SYN flood attack.
net.ipv4.tcp_syncookies = 1

# See evil packets in your logs.
#net.ipv4.conf.all.log_martians = 1

# Never accept redirects or source routes (these are only useful for routers).
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_source_route = 0

# Disable packet forwarding.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Tweak the port range used for outgoing connections.
#net.ipv4.ip_local_port_range = 32768 61000

# Tweak those values to alter disk syncing and swap behavior.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600

# Disable SysRq key to avoid console security issues.
kernel.sysrq = 0

#Ping disabling
net.ipv4.icmp_echo_ignore_all = 1

[root@black black]# 

The "Ping disabling" section is mine, clearly.


#11 2013-02-12 18:37:13

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Iptables doesn't drop ping

Please confirm your connection setup for us:
Can it be that the WAN ping reply to ping.eu comes from your internet router (perhaps doing NAT) in front of the machine that we are looking at?


#12 2013-02-12 20:34:58

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Sorry, I'm not a network expert.
If I have understood, do you mean that iptables should drop requests from 192.168.1.x (x=73 in my case)?
Otherwise, please be clearer.

PS: but why do both iptables and sysctl not work? I think there's something wrong elsewhere.

Last edited by Grant (2014-09-08 09:30:29)


#13 2013-02-12 22:10:15

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Iptables doesn't drop ping

Grant wrote:

Sorry, I'm not a network expert.
If I have understood, do you mean that iptables should drop requests from 192.168.1.x (x=73 in my case)?

Yes, probably (you don't explain to us what 192.168.1.73 is).

I was asking whether you have an internet router which might be replying to the pings before they reach your box:
ping.eu pings (1) --> your internet router replies back with echo-reply (2) before forwarding --> to your machine (3) (which then drops it (4))

Is the question clear now?


#14 2013-02-12 22:12:16

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

I'm seeing everywhere that for blocking ping, you should use this statement:

iptables -A INPUT -j DROP -p icmp --icmp-type echo-request

But why doesn't it work on my machine!?!

PS: added before your message.

Last edited by Grant (2014-09-08 09:30:48)


#15 2013-02-12 22:14:31

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Iptables doesn't drop ping

Grant wrote:

I would like to drop the pings with iptables. I have set these statements:

ICMP (including ping) is not the enemy: http://www.itchannelinsight.com/2012/10/icmp/


#16 2013-02-12 22:16:19

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Maybe it is like you say. This is my router: Alice Gate VoIP.

PS: in fact iptables -vnL (after ping) says that there is no ping request incoming/exiting. But ping localhost is dropped.
And so what can I do?

Last edited by Grant (2014-09-08 09:31:17)


#17 2013-02-12 22:36:15

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Iptables doesn't drop ping

Routers usually have an option for allowing/disallowing pings from WAN. Have a look at its menu options!

Actually though you should consider fukawi's comment. ICMP is necessary/important for controlled network flows. Not much harm coming from it these days.
Why do you want to disallow pings anyway?


#18 2013-02-13 09:46:37

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

For me it is useless. Why should anyone know my IP? Port scanning? Sniffing?
But I should change my router to block the echo-reply. May we analyse some other options please?

Last edited by Grant (2014-09-08 09:32:32)


#19 2013-02-13 09:55:43

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: Iptables doesn't drop ping

I must say, I don't understand your ruleset. Why do you accept stuff by default, and then only drop a few very specific things?


#20 2013-02-13 10:01:59

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Bebo wrote:

I must say, I don't understand your ruleset. Why do you accept stuff by default, and then only drop a few very specific things?

What are you referring to?


#21 2013-02-13 10:03:20

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: Iptables doesn't drop ping

You have ACCEPT as policy and then drop a few things. I would do it the other way around, set DROP as policy and only accept a few things.


#22 2013-02-13 10:06:05

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

I didn't know this thing. Thank you Bebo.
But why should I do this? As I said, I'm not a network expert, and not an iptables expert either.


#23 2013-02-13 10:22:33

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: Iptables doesn't drop ping

It would give you a lot more control; deny by default, allow specific things. Below is a very simple strict ruleset. (Or kind of strict; I guess one could argue that a policy of accept in the OUTPUT chain is bad, but I myself don't see the need of controlling my outgoing traffic.) This ruleset drops all incoming traffic, except the traffic due to our own outgoing connections.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

If you want to accept traffic from machines on your internal LAN, you could just add a line such as

iptables -A INPUT ! -i lo -m conntrack --ctstate NEW --source 192.168.0.0/24 -j ACCEPT

Here, I assume that you use 192.168.0.0/24 on your internal LAN.

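The ICMP rules traded back and forth in posts #5, #8 and #10, and Bebo's default-deny set just above, can be checked without touching a live firewall. What follows is an added example, not code from the thread and not part of iptables: a small Python model of the filter table that parses rules in the iptables-save and `iptables` command syntax used in this thread and reports the verdict for a handful of constructed packets. It understands only the options that appear in the thread (`-p`, `-i`/`-o`, `-s`/`--source`, `--icmp-type`, `-m conntrack --ctstate`, chain policies); 192.168.1.73, 192.168.1.x and 79.55.152.8 come from the thread, 203.0.113.5 is a TEST-NET-3 documentation address standing in for ping.eu. It does not model the `net.ipv4.icmp_echo_ignore_all` sysctl from post #10, which is a separate kernel switch evaluated independently of netfilter.

```python
"""Added example, not code from the thread: a miniature model of the iptables filter table that
understands only the options used in this thread, tracing packets through INPUT/OUTPUT."""
import ipaddress
import shlex
from dataclasses import dataclass

ICMP_TYPES = {"echo-request": 8, "echo-reply": 0}   # symbolic names accepted by --icmp-type here

@dataclass
class Packet:
    chain: str                  # "INPUT" (arriving) or "OUTPUT" (leaving)
    proto: str                  # "icmp", "tcp", ...
    src: str
    iface: str = "ppp0"         # matched by -i on INPUT and -o on OUTPUT
    icmp_type: int = None
    ctstate: str = "NEW"        # what -m conntrack --ctstate would see

def parse_ruleset(text):
    """Return (policies, rules); each rule is (chain, target, [(negated, predicate), ...])."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip().removeprefix("iptables ")
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # iptables-save header ':INPUT ACCEPT [pkts:bytes]'
            line = "-P " + line[1:]              # means the same as 'iptables -P INPUT ACCEPT'
        toks = shlex.split(line)
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        chain, target, tests, i = None, None, [], 0
        while i < len(toks):
            neg = toks[i] == "!"                 # '!' negates the option that follows it
            i += int(neg)
            opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            i += 2
            if opt == "-A":
                chain = arg
            elif opt == "-j":
                target = arg
            elif opt == "-m":
                pass                             # extension name only; its own options follow
            elif opt == "-p":                    # default args (a=arg) freeze the value per lambda
                tests.append((neg, lambda p, a=arg: p.proto == a))
            elif opt in ("-i", "-o"):
                tests.append((neg, lambda p, a=arg: p.iface == a))
            elif opt in ("-s", "--source"):
                net = ipaddress.ip_network(arg, strict=False)
                tests.append((neg, lambda p, n=net: ipaddress.ip_address(p.src) in n))
            elif opt == "--icmp-type":
                tests.append((neg, lambda p, a=int(ICMP_TYPES.get(arg, arg)): p.icmp_type == a))
            elif opt == "--ctstate":
                tests.append((neg, lambda p, a=set(arg.split(",")): p.ctstate in a))
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append((chain, target, tests))
    return policies, rules

def verdict(ruleset, pkt):
    """First rule in the packet's chain whose tests all hold decides; otherwise the chain policy."""
    policies, rules = ruleset
    for chain, target, tests in rules:
        if chain == pkt.chain and all(pred(pkt) != neg for neg, pred in tests):
            return target
    return policies.get(pkt.chain, "ACCEPT")

def local_ping(ruleset):  # `ping 127.0.0.1`: request crosses OUTPUT then INPUT, reply does the same
    for chain, t in (("OUTPUT", 8), ("INPUT", 8), ("OUTPUT", 0), ("INPUT", 0)):
        if verdict(ruleset, Packet(chain, "icmp", "127.0.0.1", iface="lo", icmp_type=t)) == "DROP":
            return f"ICMP type {t} dropped in {chain}"
    return "reply received"

# The ICMP rules from post #5, brebs' swap from posts #7/#10, and Bebo's default-deny set from post #23.
ORIGINAL = """:INPUT ACCEPT [40928:34865044]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP"""
SWAPPED = ORIGINAL.replace("type 8", "type ?").replace("type 0", "type 8").replace("type ?", "type 0")
DEFAULT_DENY = """
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT ! -i lo -m conntrack --ctstate NEW --source 192.168.0.0/24 -j ACCEPT
"""
# Constructed packets: 192.168.1.x is Grant's LAN and 79.55.152.8 the host he pinged (both from the
# thread); 203.0.113.5 is a TEST-NET-3 documentation address standing in for ping.eu.
SCENARIOS = {
    "echo-request in from the internet": Packet("INPUT", "icmp", "203.0.113.5", icmp_type=8),
    "echo-request out to 79.55.152.8": Packet("OUTPUT", "icmp", "192.168.1.73", icmp_type=8),
    "reply to our own TCP connection": Packet("INPUT", "tcp", "203.0.113.5", ctstate="ESTABLISHED"),
    "new TCP connection from the LAN": Packet("INPUT", "tcp", "192.168.1.10"),
}

def trace(text):
    """Verdict per scenario under one ruleset, plus where (if anywhere) `ping 127.0.0.1` is dropped."""
    ruleset = parse_ruleset(text)
    return {n: verdict(ruleset, p) for n, p in SCENARIOS.items()} | {"ping 127.0.0.1": local_ping(ruleset)}
```

Calling `trace(ORIGINAL)`, `trace(SWAPPED)` and `trace(DEFAULT_DENY)` reproduces what the thread observed. Under the original rules an echo-request arriving on ppp0 is dropped in INPUT, and `ping 127.0.0.1` also dies in INPUT (no reply, as in post #1). After the swap the echo-request is dropped in OUTPUT instead, which is what `sendmsg: Operation not permitted` in post #10 means, while inbound echo-requests now pass. Neither ruleset explains ping.eu getting an answer; the zero counters on the icmptype 8 rule in post #3 fit Strike0's explanation that no echo-request reached the box and the router answered. The default-deny set drops the unsolicited echo-request by policy and still accepts replies to the machine's own connections, but its LAN rule is written for 192.168.0.0/24 while this machine sits on 192.168.1.x: the model shows a new connection from 192.168.1.10 being dropped, so the prefix has to be adapted as Bebo's last sentence says.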

#24 2013-02-13 11:39:49

Grant
Member
From: Italy
Registered: 2012-12-15
Posts: 246

Re: Iptables doesn't drop ping

Thanks. It's a good idea. I will try.
Is there a way in iptables to see all packets incoming/outgoing?


#25 2013-02-14 16:00:48

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: Iptables doesn't drop ping

Well, yeah, if you're just using the filter table (which is the default; the others are raw, nat and mangle), the incoming packets (to your machine) end up in the INPUT chain and the outgoing packets (from your machine) in the OUTPUT chain. (If you want some headache, look here, there is a flowchart at the bottom of the page.)

Or, was that what you asked? :) If you want to see them, you can either set up logging or use tcpdump. Be careful with the logging though; a few years ago I put a LOG target in the wrong position and accidentally logged every packet. The log file filled the partition in a very short time...

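For the logging route Bebo mentions, here is an added example (not code from the thread): a small Python summariser for the kernel messages that the iptables LOG target writes. The sample lines are constructed in the LOG target's field layout (IN= OUT= MAC= SRC= DST= ... PROTO= ...); the prefix FW-DROP, the host name and the addresses are made up, with 192.168.1.73 taken from the thread.

```python
"""Added example, not from the thread: a summariser for the kernel messages written by the
iptables LOG target (the logging Bebo mentions).  The sample lines are constructed."""
import re
from collections import Counter

# Constructed sample of what `-j LOG --log-prefix "FW-DROP "` leaves in the kernel log; the host
# name, prefix and addresses are made up, the field layout is the LOG target's.
SAMPLE_LOG = """\
Feb 12 22:14:31 black kernel: [  812.001] FW-DROP IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.168.1.73 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Feb 12 22:14:32 black kernel: [  813.002] FW-DROP IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.168.1.73 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Feb 12 22:14:40 black kernel: [  821.003] FW-DROP IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.168.1.73 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 12 22:14:41 black kernel: [  822.004] FW-DROP IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.168.1.73 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=51001 DPT=139 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 12 22:14:45 black kernel: [  826.005] some unrelated kernel message
"""

# Everything between the kernel timestamp and the first IN= is the --log-prefix text.
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>.*?)IN=(?P<rest>.*)")

def parse_log_line(line):
    """Return the LOG fields as a dict, or None for kernel lines the LOG target did not write.
    Bare flags (DF, SYN, ...) become True; the second ID= (the ICMP echo id) is stored as ICMP_ID."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip()}
    for tok in ("IN=" + m.group("rest")).split():
        key, sep, val = tok.partition("=")
        if not sep:                              # flag without a value, e.g. DF or SYN
            fields[key] = True
        elif key == "ID" and "ID" in fields:     # IP header id came first; this is the echo id
            fields["ICMP_ID"] = val
        else:
            fields[key] = val
    return fields

def summarise(text):
    """Count logged packets per (source, protocol, ICMP type or destination port)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        detail = f"type {f['TYPE']}" if f["PROTO"] == "ICMP" else f"dpt {f['DPT']}"
        counts[(f["SRC"], f["PROTO"], detail)] += 1
    return counts
```

`summarise(SAMPLE_LOG)` gives two dropped echo-requests from one source and one SYN each to ports 445 and 139, which is the kind of overview the raw kernel log does not offer. The parser keeps the two `ID=` fields apart, because an ICMP line carries the IP header id and then the echo id under the same key. Bebo's partition-filling incident is also why LOG rules are usually rate limited with `-m limit` and placed after the ACCEPT rules, so that only traffic about to be dropped is written to disk.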
