I am using RH7.3 and I put the following line in the file /etc/rc.d/init.d/iptables
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
but still someone can ping my machine and get the reply (my friends can confirm it from their machines).
I changed the line to
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
and the result is the same.
Did I do something wrong? (different file or different folder????)
Your kind help (hint or info or any idea) will be appreciated greatly.
Robb
How about iptables -A INPUT -p icmp -j DROP ?
--
dave
> Hi all,
>
> I am using RH7.3 and I put the following line in the file
> /etc/rc.d/init.d/iptables
>
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> but still someone can ping my machine and get the reply
> (my friends can confirm it from their machines).
As it should.
This only disables answering ICMP broadcasts (as the name suggests).
If you want to disable all pings, use either:
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1
Or:
echo '1' >/proc/sys/net/ipv4/icmp_echo_ignore_all
> I changed the line to
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> the result is the same.
Well, that is because the statement will do the same.
(I.e., overwrite the file with a new file containing the character '1'.)
> Did I do something wrong?
Depends on what you wanted done.
> (different file or different folder????)
Maybe.
> Your kind help (hint or info or any idea) will be appreciated greatly.
OK, note though that setting your box to not answer any ICMP echo requests will
break being a DHCP client. The server might `ping' you to see if the IP
address is still in use, or whether it can give it to some other host which
wants a new lease. So if you fail to answer, it might result in conflicts
of MAC to IP mapping.
And it will not buy you any security (if that's the point).
Disabling answers to ICMP echo broadcasts, however, is a good thing, as it
avoids being a "dummy" in smurf attacks (a form of DDoS).
--
-Menno.
[...]
> How about iptables -A INPUT -p icmp -j DROP ?
That would break normal traffic, as ICMP is used for many things.
(Read RFC 792 if you want details.)
A simple way to drop any incoming traffic you don't want to reply to is to
set up a stateful chain which checks whether the packets belong to a known
connection (one you initiated) - a snippet relative to ICMP:
# Default policy:
iptables -P INPUT DROP
# Stateful input chain:
iptables -N STATE_IN
iptables -A STATE_IN -m state --state INVALID -j DROP
iptables -A STATE_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Second and further fragments of fragmented packets (might break stuff):
iptables -A INPUT -f -j DROP
# This should come after you allow pings from the DHCP server to pass:
iptables -A INPUT -i ${EXT_IF} -d ${EXT_IP} -p icmp -j STATE_IN
--
-Menno.
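A complete version of the stateful ICMP setup sketched in the reply above, as an added example that is not part of the original thread: it keeps broadcast-echo ignoring on, leaves icmp_echo_ignore_all off for the DHCP reason given earlier, and adds the DHCP-server exception the snippet only alludes to. The interface, addresses and DHCP server address are assumed placeholders; with DRY_RUN=1 the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example: the stateful ICMP setup from the thread, plus the DHCP-server
# exception it mentions. Values below are assumed placeholders, not from the post.
EXT_IF="${EXT_IF:-eth0}"                   # external interface
EXT_IP="${EXT_IP:-192.0.2.10}"             # our address on it
DHCP_SERVER="${DHCP_SERVER:-192.0.2.1}"    # lease server that may ping us
IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# run: execute the command, or only print it when DRY_RUN=1 so the ruleset can
# be reviewed on a non-root box before it touches the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_icmp_rules() {
    # Ignore echo requests to broadcast addresses: stops this host from acting
    # as a smurf amplifier and breaks nothing legitimate.
    run "$SYSCTL" -w net.ipv4.icmp_echo_ignore_broadcasts=1
    # icmp_echo_ignore_all is deliberately NOT set: the DHCP server's liveness
    # ping must be answered, and ICMP errors (RFC 792) are needed by TCP.

    run "$IPT" -P INPUT DROP

    # STATE_IN: drop untracked/malformed packets, accept replies to connections
    # this host initiated; anything else falls through to the DROP policy.
    run "$IPT" -N STATE_IN
    run "$IPT" -A STATE_IN -m state --state INVALID -j DROP
    run "$IPT" -A STATE_IN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Second and later fragments carry no ICMP header to match on.
    run "$IPT" -A INPUT -f -j DROP

    # The DHCP-server exception must precede the stateful jump: its unsolicited
    # echo-request is answered, so the lease is not handed to another host.
    run "$IPT" -A INPUT -i "$EXT_IF" -s "$DHCP_SERVER" -d "$EXT_IP" \
        -p icmp --icmp-type echo-request -j ACCEPT

    # Every other ICMP packet to us on the external interface: conntrack only.
    run "$IPT" -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p icmp -j STATE_IN
}

# rule_count: how many iptables rule/chain/policy commands would be issued.
rule_count() {
    ( DRY_RUN=1; apply_icmp_rules ) | grep -c ' -[APN] '
}
```

Run `DRY_RUN=1 sh script.sh; . ./script.sh; apply_icmp_rules` as root to apply it, or review the dry-run output first.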
R> I am using RH7.3 and I put the following line in the file /etc/rc.d/init.d/iptables
R> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
R> but still someone can ping my machine and get the reply (my friends can confirm it from their machines).
Use a firewall. For example:
ipchains -A input -p icmp --icmp-type echo-request -j REJECT -l
Bye,
\Dmitry
or
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if you do not want to use a stateful packet filter.