blocking icmp protocol
Aleksandar Milivojevic
alex at milivojevic.org
Tue Dec 19 15:25:22 UTC 2006
Quoting tamer amr <tamer_linux at yahoo.com>:
> Hi,
>
> I can't disable ICMP with iptables. I ran the following command:
>
> iptables -A INPUT -p icmp -s 192.168.1.125 -j DROP
>
> but this IP can still ping my host.
Well, you got many helpful answers already. However, most people
speculated instead of asking you what your (other) firewall rules look
like. And to really help you, we'd need to have at least a high-level
overview of what your firewall rules look like.
BTW, blindly blocking ICMP completely is usually a bad idea. Unless
you want to block everything to/from particular host (in which case
you should block everything, not just ICMP). ICMP is used for way
more important things than just pinging around...
If you don't want to block all traffic to/from that host, you should
allow at least destination unreachable and time exceeded messages
(types 3 and 11) to pass through as long as they can be related to an
existing connection (you can use "-m state --state RELATED" in the
rule to check if a packet is related to an existing connection). In
particular, destination unreachable might give you performance
improvements and ease the load a bit on your routers (the
"fragmentation needed and don't fragment was set" is a subtype of
destination unreachable, and is needed for path MTU discovery to work
properly).
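The rule set the reply describes, written out as an added example (not code from the original thread or from the list): ICMP from one host is dropped, except for destination-unreachable (type 3, which includes fragmentation-needed) and time-exceeded (type 11) messages that conntrack can tie to an existing connection. The rules are inserted at the head of INPUT rather than appended, because an appended DROP never matches if an earlier rule already accepts ICMP. HOST is a constructed address, and the IPT variable is an assumption added so the script can be dry-run with IPT=echo without touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the original post. HOST is a constructed address.
# IPT is an assumed knob: leave it unset to run iptables, or set IPT=echo
# to print the rules that would be inserted.
HOST="${HOST:-192.168.1.125}"
IPT="${IPT:-iptables}"

# Drop ICMP from $HOST. Inserted at position 1 so it sits above any
# earlier "accept all ICMP" rule that would otherwise shadow it.
drop_icmp_from_host() {
    "$IPT" -I INPUT 1 -p icmp -s "$HOST" -j DROP
}

# Re-allow the ICMP error messages existing connections depend on
# (destination-unreachable = type 3, time-exceeded = type 11), but only
# when conntrack marks them RELATED to a connection it already tracks.
# Each is inserted at position 1, so they end up above the DROP.
allow_related_icmp_errors() {
    for t in destination-unreachable time-exceeded; do
        "$IPT" -I INPUT 1 -p icmp --icmp-type "$t" -s "$HOST" \
            -m state --state RELATED -j ACCEPT
    done
}

# Order matters: insert the DROP first, then the exceptions above it.
apply_rules() {
    drop_icmp_from_host
    allow_related_icmp_errors
}

# Show the INPUT chain with counters and positions, which is the first
# thing to check when a DROP rule seems to have no effect.
show_input_chain() {
    "$IPT" -L INPUT -n -v --line-numbers
}

# Apply only when asked explicitly, so sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
    show_input_chain
fi
```

Because echo-request packets are tracked by conntrack as NEW, a generic `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule above the DROP will not let pings through, but a plain `-p icmp -j ACCEPT` above it will; `show_input_chain` makes that ordering visible.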