how to block the incoming ping

General discussion about Linux, Linux distribution, using Linux etc.

how to block the incoming ping

Postby farhanksa » Mon May 05, 2003 2:21 am

aoa

I want to block the incoming ping frame, because you can ping with data of approximately 65500 bytes.
So how do I ban or block the ping, which I think works under ICMP?
farhanksa
Subedar
 
Posts: 359
Joined: Sun Nov 03, 2002 6:40 am
ICQ: 116765501
WLM: farhan12@msn.com
Yahoo Messenger: commdsl@yahoo.com
Location: Lahore

Re: how to block the incomming ping

Postby LinuxFreaK » Mon May 05, 2003 8:14 am

Dear Farhan,
Use IPChains for kernel version 2.2.x or IPTables for kernel version 2.4.x. See the examples below.
Best Regards.

For IPChains

#!/bin/sh
#
# ipchains.sh
#
# An example of a simple ipchains configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the outside.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
IPCHAINS=/sbin/ipchains
# This is the WAN interface, that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"

## end user configuration options #################################
###################################################################

# The high ports used mostly for connections we initiate and return
# traffic.
LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# Let's start clean and flush all chains to an empty state.
$IPCHAINS -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that ipchains uses.
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P input DENY

# Accept localhost/loopback traffic.
$IPCHAINS -A input -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be our
# IP address we are protecting from the outside world. Put this
# here, so default policy gets set, even if interface is not up
# yet. Match 'inet addr' only, so that an 'inet6 addr' line on an
# IPv6-enabled kernel does not end up in WAN_IP as well.
WAN_IP=`ifconfig $WAN_IFACE |grep 'inet addr' |cut -d : -f 2 |cut -d \ -f 1`

# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1

# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
# the high, unprivileged ports (1024 to 4999 by default). This will
# allow return connection traffic for connections that we initiate
# to outside sources. TCP connections are opened with 'SYN' packets.
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT

# We can't be so selective with UDP since that protocol does not
# know about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPCHAINS -A input -p icmp --icmp-type echo-reply \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT

###################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above, winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-l'.
# Outgoing traffic is allowed as the default policy for the 'output'
# chain. There are no restrictions on that.

$IPCHAINS -A input -l -j DENY

echo "Ipchains firewall is up `date`."

##-- eof ipchains.sh

For IPTables

#!/bin/sh
#
# iptables.sh
#
# An example of a simple iptables configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the Internet interface only.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
IPTABLES=/sbin/iptables
# Local Interfaces
# This is the WAN interface that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
#

## end user configuration options #################################
###################################################################

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# Connection-tracking helper for active FTP. Loading it also pulls in
# ip_conntrack, which the state match used below depends on.
modprobe ip_conntrack_ftp

# Start building chains and rules #################################
#
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT

###################################################################
# Catch-all. Everything not accepted above is logged (rate-limited,
# so a flood cannot fill the disk) and then falls through to the
# chain's DROP policy. LOG is not a terminating target, so there is
# no explicit DROP rule here; the policy set above does the dropping.
# Outgoing traffic is allowed as the default policy for the 'OUTPUT'
# chain. There are no restrictions on that.

# Return traffic for connections we initiated, and ICMP related to
# them (e.g. destination-unreachable for our own packets).
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted from every interface except the WAN.
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "

echo "Iptables firewall is up `date`."

##-- eof iptables.sh
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Postby fawad » Mon May 05, 2003 8:21 pm

To just disable ping requests,

iptables -A INPUT -p icmp --icmp-type echo-request -i $WAN_IFACE -j DROP
fawad
Site Admin
 
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 17672437
Website: http://www.fawad.net
WLM: fawadhalim@hotmail.com
Yahoo Messenger: fawad2048
AOL: fawadhalim
Location: Addison, IL
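fawad's one-liner drops every echo-request that arrives on the WAN interface. The script below is an added example, not code from fawad's post or from LinuxFreaK's scripts: it keeps the essential ICMP types, answers only a bounded number of echo-requests per second using the iptables 'limit' match (assumed to be available on the 2.4 kernel), logs the excess at a low rate and drops it. Normal pings still work, a flood costs only the inbound bandwidth that lambda mentions, not reply bandwidth or CPU. Setting IPTABLES=echo prints the rules instead of installing them. One caveat for the 65500-byte ping in the original question: --icmp-type matches the ICMP header, which is only present in the first fragment of a large ping; with ip_conntrack loaded on 2.4 the packet is reassembled before the filter table sees it, and without it the trailing fragments match no ICMP rule and fall through to the INPUT policy, so under a DROP policy they are discarded as well.

```shell
#!/bin/sh
# ping-limit.sh -- added example, not code from the thread.
# Rate-limit incoming echo-requests on the WAN interface instead of
# dropping them all. Assumes iptables (2.4+ kernel) with the 'limit'
# match. Set IPTABLES=echo to print the rules instead of installing them.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IFACE=${WAN_IFACE:-eth0}

# icmp_rules RATE BURST
# RATE is an iptables limit such as 1/second, BURST the initial token
# bucket size. Emits the rules for the ICMP section of an INPUT chain.
icmp_rules() {
    rate=${1:-1/second}
    burst=${2:-4}

    # Replies to our own pings, plus the error types that path MTU
    # discovery and traceroute need, are accepted unconditionally.
    for t in echo-reply destination-unreachable time-exceeded; do
        $IPTABLES -A INPUT -p icmp --icmp-type "$t" -i "$WAN_IFACE" -j ACCEPT
    done

    # echo-request: let a trickle through, log the excess at a low
    # rate so the log cannot be flooded either, then drop it.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -i "$WAN_IFACE" \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -i "$WAN_IFACE" \
        -m limit --limit 6/minute -j LOG --log-prefix "Ping flood: "
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -i "$WAN_IFACE" -j DROP
}

# 'sh ping-limit.sh install [RATE [BURST]]' installs the rules; with
# IPTABLES=echo in the environment it only prints them.
if [ "${1:-}" = "install" ]; then
    icmp_rules "${2:-1/second}" "${3:-4}"
    # Show the chain with packet counters, so a test ping from another
    # host (e.g. 'ping -c 20 -i 0.2 HOST', or 'ping -s 65500 HOST' for
    # the case in the original question) is visible in the counters.
    $IPTABLES -L INPUT -v -n
fi
```

These rules append to INPUT, so in LinuxFreaK's script they belong in the ICMP section, before the catch-all LOG rule; placed after it, the excess pings would still be dropped but every accepted ping would also be logged as "Dropping: ".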

Postby lambda » Tue May 27, 2003 7:18 pm

fawad wrote: To just disable ping requests,

iptables -A INPUT -p icmp --icmp-type echo-request -i $WAN_IFACE -j DROP


blocking pings is generally useless. if you're being flooded off the net, blocking pings won't do any good: your bandwidth is saturated with packets before they get to your machine (and the above rule). all you can do is talk to your upstream about blocking pings for you.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

hi, it sounds good

Postby farhanksa » Fri May 30, 2003 9:16 am

aoa
Yes, I do agree. If someone is pinging you with pingers, flooding, your bandwidth is wasted. You can only stop the reply to it, but still your bandwidth is wasted.
The same is the case, I think, with Lynx. Although it doesn't show images, in response to our request for any web page that has pictures, we are just not shown the images, but they are still sent by the web server.
farhanksa

Postby fawad » Fri May 30, 2003 8:29 pm

lambda wrote:
fawad wrote: To just disable ping requests,

iptables -A INPUT -p icmp --icmp-type echo-request -i $WAN_IFACE -j DROP


blocking pings is generally useless. if you're being flooded off the net, blocking pings won't do any good: your bandwidth is saturated with packets before they get to your machine (and the above rule). all you can do is talk to your upstream about blocking pings for you.

Agreed. However, blocking pings has a better purpose. Usually, script kiddies do ping scans of address ranges to find machines that are alive (kind of like war dialing). If you block the ping, you stand a better chance of slipping under the radar.
fawad

hi, you are exactly right, but still, is there any way to save BW

Postby farhanksa » Sat May 31, 2003 7:51 pm

salam
Well, it's good to block the ping, but still, is there any way to save the bandwidth which is wasted in the case of pinging, even though it's blocked and no reply is sent?
What may be the way to save the BW which is wasted during ping?

Another thing I am searching for is how I can block pop-ups and advertisements on web pages at the ISP?
farhanksa

Postby lambda » Sun Jun 01, 2003 1:32 am

fawad wrote: Agreed. However, blocking pings has a better purpose. Usually, script kiddies do ping scans of address ranges to find machines that are alive (kind of like war dialing). If you block the ping, you stand a better chance of slipping under the radar.


scanning a netblock for, say, ssh, immediately points to vulnerable hosts. the same goes for scanning for web servers, or netbios. scanning for icmp doesn't give script kiddies anything useful, other than "there's a machine out there." are you positive that people scan via icmp?

and, really, the only real protection is keeping your services up to date, so they can't be attacked.
lambda
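lambda asks whether people really scan via ICMP. For your own network the answer is in what the "Dropping: " LOG rule of LinuxFreaK's iptables script records. The script below is an added example, not part of anyone's post: it reads lines in the kernel's iptables LOG format (SRC=, DST=, PROTO=, TYPE= fields; the ipchains '-l' format is different and not handled) and reports sources that sent echo-requests to several distinct addresses, which is a sweep rather than one host pinging one address. ICMP error messages such as destination-unreachable quote the offending packet in brackets with its own SRC/DST/TYPE, so only the first occurrence of each field is used. The sample log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# ping-sweeps.sh -- added example, not from the thread.
# Finds ping-sweep sources in iptables LOG lines ("Dropping: " prefix
# in the script above). A source that sent ICMP echo-requests (TYPE=8)
# to at least MIN distinct destinations is reported as
# "SRC distinct_targets total_requests", one line per source.

# Usage: ping_sweeps MIN < /var/log/messages
ping_sweeps() {
    awk -v min="${1:-3}" '
        {
            src = dst = proto = type = ""
            # Take the first occurrence of each field only: ICMP error
            # messages quote the original packet in [...] with a second
            # SRC=/DST=/PROTO=/TYPE= set that must not be counted.
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/   && src   == "") src   = substr($i, 5)
                else if ($i ~ /^DST=/   && dst   == "") dst   = substr($i, 5)
                else if ($i ~ /^PROTO=/ && proto == "") proto = substr($i, 7)
                else if ($i ~ /^TYPE=/  && type  == "") type  = substr($i, 6)
            }
            if (proto != "ICMP" || type != "8" || src == "" || dst == "") next
            # count each (src, dst) pair once for the distinct-target tally
            if (!seen[src, dst]++) targets[src]++
            total[src]++
        }
        END {
            for (s in targets)
                if (targets[s] >= min)
                    printf "%s %d %d\n", s, targets[s], total[s]
        }' | sort
}

# Constructed sample log (documentation address ranges, no real hosts):
# 203.0.113.7 sweeps four addresses, 203.0.113.9 pings one address twice
# and sends a TCP SYN, 203.0.113.50 sends a destination-unreachable that
# quotes one of our own echo-requests.
SAMPLE_LOG='May 31 01:00:01 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
May 31 01:00:01 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
May 31 01:00:01 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
May 31 01:00:02 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
May 31 01:00:02 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=2
May 31 01:00:03 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=12 SEQ=1
May 31 01:00:04 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=12 SEQ=2
May 31 01:00:05 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=8 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 31 01:00:06 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 LEN=56 TOS=0x00 PREC=0x00 TTL=58 ID=9 PROTO=ICMP TYPE=3 CODE=1 [SRC=198.51.100.10 DST=203.0.113.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1 ]'

# 'sh ping-sweeps.sh demo' runs the detector over the sample above;
# on a real gateway use 'ping_sweeps 3 < /var/log/messages' instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ping_sweeps 3
fi
```

With MIN=3 the sample yields a single line, "203.0.113.7 4 5": four distinct targets from five requests. The single-target host and the TCP and destination-unreachable lines are not reported.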

Re: hi, you are exactly right, but still, is there any way to save

Postby lambda » Sun Jun 01, 2003 1:36 am

farhanksa wrote: salam
Well, it's good to block the ping, but still, is there any way to save the bandwidth which is wasted in the case of pinging, even though it's blocked and no reply is sent?
What may be the way to save the BW which is wasted during ping?


no. ask your upstream to rate-limit pings to you. that's the best possible solution.

Another thing I am searching for is how I can block pop-ups and advertisements on web pages at the ISP?


if you use mozilla as your web browser, you get ad-blocking support. otherwise, run a web proxy that's created specifically for blocking ads/popups. there are several -- google for them. i don't use any, so i can't make any recommendations.
lambda

