Ping is a network utility used to check the availability of a system on an internet protocol network using the ICMP echo request and echo reply messages.
However, some network administrators prefer to block ping because they consider it a security issue.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers with Debian-related queries.
In this context, we shall look into how to block or unblock ping requests on Debian.
Previously, we have explained how to block or unblock ping requests on Ubuntu 20.04.
Ping sends an ICMP echo request towards the target system and then obtains an ICMP echo reply.
In Linux OS, when you ping an IP address, it continues to send ICMP packets until you press Ctrl+C to stop it.
To send a specific number of packets, use ping with the -c option.
For instance, to send 3 ICMP packets, you can use the following command:
$ ping -c 3 <ip-address or hostname>
To block ping requests to the Debian system, there are the following two options:
i. Through kernel parameters
ii. Through iptables
Now let's have a look at both options for blocking the ping requests on Debian system.
Ping requests can be blocked/unblocked by modifying the kernel parameter net.ipv4.icmp_echo_ignore_all.
This parameter controls whether the system should respond to ping requests or not.
The default value of the kernel parameter net.ipv4.icmp_echo_ignore_all is "0", which means that all ping requests are allowed.
By modifying the value of this kernel parameter, you can make the system block the ping requests.
There are three different ways to modify the kernel parameters:
i. Through "sysctl" command
ii. Through "icmp_echo_ignore_all" file
iii. Through "/etc/sysctl.conf" file
To find whether the system is currently blocking or allowing the ping requests, issue the following command in Terminal:
$ sudo sysctl -ar 'icmp_echo'
If the value of "icmp_echo_ignore_all" is "0", ping is unblocked; if the value is "1", ping is blocked.
If you need to temporarily block the ping requests to your system, you can use the sysctl command as follows:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
After running the above command, the machine will start blocking the ping requests coming to it.
Now if another system tries to ping your system, it will see no response.
However, as stated before, this change will be temporary.
As soon as you reboot the system, the kernel parameter value will revert to its original value and ping will be unblocked again.
You can also unblock ping using the below command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0
The /proc/sys/net/ipv4/ directory contains a file icmp_echo_ignore_all which controls whether the system should respond to ping requests or not.
To block ping requests, you will need to change the value in the icmp_echo_ignore_all file from "0" to "1".
You can do this using the below command:
$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all'
However, this change will be temporary.
As soon as you reboot the system, the kernel parameter value will revert to its original value and ping will be unblocked again.
You can also unblock ping using the below command:
$ sudo sh -c 'echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all'
Ping requests can also be permanently blocked using the /etc/sysctl.conf file. In order to permanently block ping requests, first edit the /etc/sysctl.conf file using the following command:
$ sudo nano /etc/sysctl.conf
Now in the edited file, add the following line:
net.ipv4.icmp_echo_ignore_all = 1
Now save and close the /etc/sysctl.conf file and run the following command to apply the changes:
$ sudo sysctl -p
To unblock ping, edit the /etc/sysctl.conf file and change the value of net.ipv4.icmp_echo_ignore_all back to 0:
net.ipv4.icmp_echo_ignore_all = 0
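The three methods above differ only in whether the change survives a reboot, so a useful check is to compare the running value with the one saved in the configuration file. The following script is an added example, not part of the original article; the function names are hypothetical, and it reads only the two files passed to it (other sysctl configuration directories are not examined).

```shell
#!/bin/sh
# Added example: will the current ping setting survive a reboot?

# Last value assigned to net.ipv4.icmp_echo_ignore_all in a sysctl.conf-style
# file ($1); later lines override earlier ones. Prints nothing if unset.
persistent_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub("/", ".", key)             # net/ipv4/... form is also accepted
            if (key == "net.ipv4.icmp_echo_ignore_all") last = val
        }
        END { if (last != "") print last }' "$1"
}

# Compare the running value (file $1, normally
# /proc/sys/net/ipv4/icmp_echo_ignore_all) with the saved one (file $2).
ping_state() {
    running=$(cat "$1")
    saved=$(persistent_value "$2")
    case "$running:${saved:-0}" in
        1:1) echo "blocked, persistent" ;;
        1:*) echo "blocked until reboot" ;;
        0:1) echo "unblocked, config not applied (run sysctl -p)" ;;
        *)   echo "unblocked" ;;
    esac
}

# Demo on constructed files; pass the real paths to ping_state on a live system.
demo=$(mktemp -d)
echo 1 > "$demo/running"
printf '# constructed sample\nnet.ipv4.icmp_echo_ignore_all = 0\n' > "$demo/sysctl.conf"
ping_state "$demo/running" "$demo/sysctl.conf"   # blocked until reboot
rm -rf "$demo"
```

On a real system, call ping_state /proc/sys/net/ipv4/icmp_echo_ignore_all /etc/sysctl.conf.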
Iptables is a command-line utility in Linux that allows/blocks traffic based on a set of rules. The Debian distribution by default includes iptables utility.
However, if your system does not have this utility, you can install it as follows:
$ sudo apt-get install iptables
Now issue the below command in Terminal to block ping requests:
$ sudo iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
In the above command, the -A option appends a rule to the INPUT chain, and --icmp-type 8 matches ICMP echo requests.
This command adds a rule in the firewall in order to block all incoming pings to your system. After adding this rule, the system will reject all the ping requests coming to it.
Now if another system tries to ping your system, it will receive the "Destination Port Unreachable" message.
If you do not want the sending user to see the Destination Port Unreachable message, use DROP instead of REJECT in the above command as follows:
$ sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
Now if a user pings your system, they will receive no response.
To unblock ping, use the below command:
$ sudo iptables -D INPUT -p icmp --icmp-type 8 -j REJECT
Or the below command if you have used the DROP option in iptables rule:
$ sudo iptables -D INPUT -p icmp --icmp-type 8 -j DROP
In the above command, the -D option deletes a rule from the INPUT chain, and --icmp-type 8 matches ICMP echo requests.
To list the rules in your iptables, use the following command:
$ sudo iptables -L
The iptables rules we have added above will not survive a system reboot.
To make them survive a reboot, you will have to install the iptables-persistent package.
Run the following command to install it:
$ sudo apt install iptables-persistent
After each rule you add or delete in iptables, run the following commands to make these rules persistent after reboot:
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload
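Because -A appends the rule to the end of the INPUT chain, an earlier rule that already accepts ICMP will match first and the block will never take effect. The following script is an added example, not part of the original article: it reads `iptables -S INPUT` output and reports which rule decides an incoming echo request. The function names and sample rules are constructed, and rules with extra match conditions are skipped rather than evaluated.

```shell
#!/bin/sh
# Added example (not from the article): find the rule that decides an
# incoming echo request in `iptables -S INPUT` output read from stdin.
# Simplification: rules with extra match conditions (-i, -s, -m conntrack,
# ...) and jumps to user-defined chains are skipped, not evaluated.
echo_request_verdict() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
        n++; proto = ""; type = ""; target = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(++i)
            else if ($i == "-m" && $(i + 1) == "icmp") i++
            else if ($i == "--icmp-type") type = $(++i)
            else if ($i == "-j") { target = $(++i); break }
            else other = 1
        }
        if (other || verdict != "") next
        if (proto != "" && proto != "icmp") next
        if (type != "" && type != "8" && type != "echo-request") next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT")
            verdict = target " rule " n
    }
    END { print (verdict != "" ? verdict : "policy " policy) }'
}

# Constructed sample: a broad ICMP ACCEPT sits above the appended DROP.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
EOF
}

sample_rules | echo_request_verdict   # ACCEPT rule 3
```

On a live system, run sudo iptables -S INPUT | echo_request_verdict. These rules cover IPv4 only; IPv6 echo requests are filtered separately with ip6tables.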
This article covers how you can block/unblock ping requests to your Debian system. You will learn different ways for blocking/unblocking ping requests either temporarily or permanently.
On systems that use firewalld, the firewall-cmd option --query-icmp-block=<type> can be used to determine whether a type is configured to allow or deny.
The --add-icmp-block=<type> option can be used to block a certain type.
The --remove-icmp-block=<type> option can be used to stop blocking a certain type.
After adding or removing a block, reload the firewall.
To block ping requests in Linux:
1. Edit /etc/sysctl.conf. Add the following line to your /etc/sysctl.conf : net.ipv4.icmp_echo_ignore_all=1. Then: sysctl -p.
2. Using iptables: iptables -I INPUT -p icmp --icmp-type echo-request -j DROP.
3. With cron. Run crontab -e as root, then add the following line: @reboot echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all.
To block ping in iptables:
1. Add a rule that tells the iptables firewall to block ping in and out of a server by controlling the ICMP requests.
2. Remove the rule that tells the iptables firewall to allow ping in and out of a server by controlling the ICMP requests.
To enable ping on a Linux server:
# iptables -D INPUT -p icmp --icmp-type echo-request -j REJECT
-D: This command switch is used to delete the rule. Once ping is enabled, the server should respond to ping requests again.