Archive for November 9th, 2007
Rejecting “ping” on your Linux server
Sometimes you are paranoid enough that you don’t want
others to “ping” your server. How do you do this?
Read the article below for the answer.
Assume our Linux server’s IP address is 10.160.154.102.
Under normal conditions we can ping it like this:
C:\>ping 10.160.154.102
Pinging 10.160.154.102 with 32 bytes of data:
Reply from 10.160.154.102: bytes=32 time<10ms TTL=64
Reply from 10.160.154.102: bytes=32 time<10ms TTL=64
Reply from 10.160.154.102: bytes=32 time<10ms TTL=64
Reply from 10.160.154.102: bytes=32 time<10ms TTL=64
Ping statistics for 10.160.154.102:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
But if we reject ICMP echo-request with iptables like this:
iptables -I INPUT -p icmp --icmp-type echo-request -j REJECT
then we get “Destination port unreachable” instead of a reply:
C:\>ping 10.160.154.102
Pinging 10.160.154.102 with 32 bytes of data:
Reply from 10.160.154.102: Destination port unreachable.
Reply from 10.160.154.102: Destination port unreachable.
Reply from 10.160.154.102: Destination port unreachable.
Reply from 10.160.154.102: Destination port unreachable.
Ping statistics for 10.160.154.102:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
So the server is not actually dropping the ICMP packet: it answers every
echo-request with an ICMP destination-unreachable message (the REJECT target
sends icmp-port-unreachable by default, which is why Windows reports
“Destination port unreachable”). If we want to drop the packet silently instead,
use this iptables command:
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
Now the ping result is different:
C:\>ping 10.160.154.102
Pinging 10.160.154.102 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.160.154.102:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
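Dropping every echo-request also blinds your own monitoring, so as an added example (not from the original post) here is a small POSIX shell script that generates, applies and removes a more selective version of the DROP rule: pings from an assumed management network 10.160.154.0/24 are still answered, everyone else is rate-limited with the iptables limit match, and the remainder is dropped. The network and the 1/second rate are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates iptables rules that
# keep ping working for a trusted management network, rate-limits the rest and
# drops whatever exceeds the limit. ADMIN_NET and RATE are assumed sample values.
#
# Usage: sh ping_rules.sh print | apply | remove

ADMIN_NET="${ADMIN_NET:-10.160.154.0/24}"   # constructed sample value
RATE="${RATE:-1/second}"                    # constructed sample value

# Print one iptables command per line. $1 is the chain action: -A (append)
# or -D (delete). Order matters: the ACCEPT for the management network must
# be evaluated before the DROP, so the rules are emitted in append order.
ping_rules() {
    act="$1"
    printf 'iptables %s INPUT -p icmp --icmp-type echo-request -s %s -j ACCEPT\n' "$act" "$ADMIN_NET"
    printf 'iptables %s INPUT -p icmp --icmp-type echo-request -m limit --limit %s -j ACCEPT\n' "$act" "$RATE"
    printf 'iptables %s INPUT -p icmp --icmp-type echo-request -j DROP\n' "$act"
}

# Number of generated rules; a quick sanity check before applying them.
rule_count() {
    ping_rules -A | wc -l | tr -d ' '
}

case "${1:-print}" in
    print)  ping_rules -A ;;
    apply)  ping_rules -A | sh -e ;;   # requires root
    remove) ping_rules -D | sh ;;      # deletes exactly the rules added above
    *)      echo "usage: $0 print|apply|remove" >&2; exit 2 ;;
esac
```

After applying, `iptables -L INPUT -n --line-numbers` shows the three rules in order; the `remove` mode deletes the same three rules by re-issuing them with -D.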
So, happy protecting