Is it possible to write a rule that doesn't even allow your machine to be pinged by the outside world? So that the machine doesn't even appear to exist on the WWW?
Yeah just drop or deny all traffic on the input chain, this wont stop you getting anything, but if you use drop (iirc) then you can't be seen from the net.
If you just want to stop people pinging you then you'll need to drop/deny icmp packets, but I've compleatly forgoten what port that is sorry. (This won't stop people finding youother ways, nmap for example)
hth
if you only want to disable pinging you can do
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This is my personal favorite:
The first rule only accepts a limited number of pings (1 per minute, with a burst of about 10 I believe (default)), the second rule drops all pings that exceed this, and then I accept all other types of ICMP traffic (which is important to have).Code:iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/m -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -j DROP iptables -A INPUT -p icmp -j ACCEPT
This is good because it allows you to ping your own box remotely for diagnostic reasons, but prevents people from pingbombing you
Posting Permissions
Reply With Quote
Bookmarks