
Re: blocking icmp protocol



Quoting tamer amr <tamer_linux yahoo com>:

hi

 i can't disable the icmp with iptables
 i made the following command

 iptables -A INPUT -p icmp -s 192.168.1.125 -j DROP

 but still  this ip can ping my host

Well, you got many helpful answers already. However most people speculated instead of asking you what your (other) firewall rules look like. And to really help you, we'd need to have at least a high level overview of what your firewall rules look like.

BTW, blindly blocking ICMP completely is usually a bad idea. Unless you want to block everything to/from a particular host (in which case you should block everything, not just ICMP). ICMP is used for way more important things than just pinging around...

If you don't want to block all traffic to/from that host, you should allow at least destination unreachable and time exceeded messages (types 3 and 11) to pass through as long as they can be related to an existing connection (you can use "-m state --state RELATED" in the rule to check if the packet is related to an existing connection). In particular, destination unreachable might give you performance improvements and ease the load a bit on your routers (the "fragmentation needed and don't fragment was set" is a subtype of destination unreachable, and is needed for path MTU discovery to work properly).
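As an added illustration (not part of the thread, and not the poster's own rules), the function below emits an iptables-restore fragment that applies the advice above: the RELATED rules for ICMP types 3 and 11 come first, and the DROP for the host from the original question comes last, since iptables stops at the first matching rule. The host address and the use of iptables-restore are assumptions; the function only prints text, so it can be inspected before anything is loaded.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment for the INPUT chain.
# Order matters: iptables walks INPUT top to bottom and stops at the first
# match, so the RELATED ICMP rules must sit above the DROP, and any earlier
# broad ACCEPT (a common reason "this ip can still ping my host") must not.
build_icmp_rules() {
    host="$1"   # assumed: the address from the question, e.g. 192.168.1.125
    cat <<EOF
*filter
# ICMP errors that conntrack ties to an existing flow are RELATED; keep them.
# Type 3 (destination unreachable) includes "fragmentation needed" (code 4),
# which path MTU discovery depends on.
-A INPUT -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
# Type 11 (time exceeded), e.g. TTL expiry answers for our own traffic.
-A INPUT -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
# Everything else ICMP from this host (echo-request included) is dropped.
-A INPUT -p icmp -s $host -j DROP
COMMIT
EOF
}

# Usage (assumed): build_icmp_rules 192.168.1.125 | iptables-restore -n
# Afterwards, "iptables -L INPUT -v -n --line-numbers" shows per-rule packet
# counters, which reveals whether an earlier rule is matching the pings.
```

The `-n` (noflush) flag keeps existing chains, so the fragment appends to INPUT rather than replacing it.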




