
2 Ways to Disable or Block Ping in Linux

Ping is used to check whether a machine is up, connected to the network and responding on that network.

The basic idea is simple: a network packet is sent to the machine and, if the machine is up, it answers with a response.

If the machine is down or not on the network, no answer comes back for the given ping.

In this article, we will see how to block ping requests in Linux.

The following Linux commands can be used to block ping. Note that the iptables option is --icmp-type (two dashes), and that a plain "sudo echo 1 > /proc/..." does not work because the redirection is performed by the unprivileged shell, so the write goes through tee instead. sysctl -p only re-reads /etc/sysctl.conf, so it is useful once the setting has been added to that file (see below).

  • echo 1 | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
  • sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
  • sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
  • sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  • sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

What is ICMP?

ICMP is short for Internet Control Message Protocol. It is a network layer protocol used by network devices to diagnose network communication issues.

Ping is one of the most basic network debugging tools. It sends ICMP echo request packets to a host. If the host receives the packet and is willing to answer, it sends an ICMP echo reply packet in return.

Understanding Ping

Ping is a tool commonly used to find the status of a device on a network. It is based on the ICMP protocol: the ping process sends an ICMP echo request to the target device, and the device replies with an ICMP echo reply if it is available.

ping sends a test packet, or echo packet, to a device to find out whether it is reachable and how long the packet takes to get there and back. It serves two purposes:

  • testing whether a device is reachable over the network
  • measuring the network latency between two devices

Understanding ICMP Type

ICMP type is the first 8 bits in the ICMP message header. It provides a brief explanation of what the message is for so the receiving network device knows why it is getting the message and how to treat it.

For example, a Type 8 Echo is a query a host sends to see if a potential destination system is available. Upon receiving an Echo message, the receiving device might send back an Echo Reply (Type 0), indicating it is available.

Block PING requests via kernel parameters in Linux

To block ping permanently in Linux, make the setting persistent with the following steps.

  • Edit /etc/sysctl.conf
  • Add the line net.ipv4.icmp_echo_ignore_all=1 to /etc/sysctl.conf
  • Run sysctl -p (as root) to load the file

net.ipv4.icmp_echo_ignore_all is the parameter that controls whether the system responds to incoming ICMP echo requests: 0 means it answers them, 1 means it does not. With 1, every echo request is silently ignored and no reply is sent.

Here are two ways to block ping requests temporarily. Both need root, and the setting is lost at reboot.

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

or

# sysctl -w net.ipv4.icmp_echo_ignore_all=1

We can run the following command to check the current value (0: ping requests are answered, 1: they are ignored).

cat /proc/sys/net/ipv4/icmp_echo_ignore_all

To verify if PING requests are being blocked, you can use the ping command with the -c option to specify the number of packets to send. For example:

ping -c 4 example.com

This will send 4 ICMP echo requests to the domain example.com. If PING requests are being blocked, you should see output similar to the following:

PING example.com (93.184.216.34) 56(84) bytes of data.
--- example.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3056ms

Notice that in the output, the number of packets transmitted is 4, but the number of packets received is 0, indicating that the requests were blocked.
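As an added example (not the article's own code), here is a small audit script that checks both the running value of the kernel parameter and the value that will apply after a reboot, and interprets a ping transcript the way the paragraph above does by hand. The file paths are parameters so the checks can also be run against copies; the drop-in file name used by ignore_icmp_echo is an arbitrary choice, and the sample ping transcript is constructed to match the article's output.

```shell
#!/bin/sh
# Added example, not part of the article: audit whether this host ignores
# ICMP echo requests and interpret a ping transcript. File paths are
# parameters so the checks can be run against copies; with no arguments
# they read the live system.

# Print "ignored" or "answered" for the runtime value of the kernel knob.
icmp_echo_state() {
    file="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    case "$(cat "$file" 2>/dev/null)" in
        1) echo ignored ;;
        0) echo answered ;;
        *) echo unknown ;;
    esac
}

# Print the value that will be in force after a reboot: the last
# icmp_echo_ignore_all assignment across the given sysctl config files.
# sysctl --system reads /etc/sysctl.d/*.conf before /etc/sysctl.conf, so pass
# the files in that order; a later file overrides an earlier one. Prints
# nothing when no file sets it (the kernel default is then 0).
persistent_icmp_echo_setting() {
    cat "$@" 2>/dev/null \
        | sed -n 's/^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
        | tail -n 1
}

# Persist the setting and apply it (root only). A drop-in under /etc/sysctl.d
# is used instead of editing /etc/sysctl.conf so the change is easy to find
# and revert; the file name is an arbitrary choice (assumption).
ignore_icmp_echo() {
    printf 'net.ipv4.icmp_echo_ignore_all = 1\n' > /etc/sysctl.d/90-ignore-ping.conf
    sysctl --system > /dev/null
}

# Read a ping transcript on stdin; succeed only if a statistics line is
# present and every transmitted packet was lost.
ping_shows_blocked() {
    awk '/packets transmitted/ { found = 1; blocked = ($1 > 0 && $4 == 0) }
         END { exit !(found && blocked) }'
}

# Constructed sample transcript, matching the article's output.
SAMPLE_BLOCKED='PING example.com (93.184.216.34) 56(84) bytes of data.
--- example.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3056ms'

echo "runtime value:    $(icmp_echo_state)"
echo "persistent value: $(persistent_icmp_echo_setting /etc/sysctl.d/*.conf /etc/sysctl.conf)"
if printf '%s\n' "$SAMPLE_BLOCKED" | ping_shows_blocked; then
    echo "sample transcript: all packets lost, ping is blocked"
fi
```

Run the script as-is to see the live values; only ignore_icmp_echo needs root, and it is never called automatically. Checking the persistent value separately from the runtime value catches the common case where "sysctl -w" was used but nothing was written to a config file, so the block silently disappears at the next reboot.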

Blocking PING requests with iptables in Linux

iptables is the Linux command-line firewall, which lets us manage incoming and outgoing traffic based on a set of rules. The following rules are used to disable ping to and from the server.

# sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

With REJECT the kernel answers each echo request with an ICMP error (by default "port unreachable"), so the client is told explicitly that it was refused. On the client side the ping then looks like this (as printed by a BSD-style ping; the header dump after the error line is the IP header of the original request, quoted back inside the error):

Request timeout for icmp_seq 9
92 bytes from 10.252.9.61: Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 6fe4 0 0000 2f 01 97cb 10.79.101.114 10.252.9.61

-A: this switch appends the rule to the end of the given chain (INPUT here).

To drop the packets silently instead, so that the client receives no error message at all, use the rules below.

# sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

List the rules added in iptables using the below command.

# iptables -L

Before you run the commands above, make sure the iptables service is running. Rules added with -A take effect immediately but are not saved anywhere: on distributions that ship an iptables service, that service restores the saved rule set at boot, so save the rules (for example with iptables-save) if they must survive a reboot.

To check the status of the iptables service in Linux, you can use the following command:

sudo systemctl status iptables

This will display the current status of the iptables service, including whether it is running or not, any recent logs, and any errors or warnings that may have occurred.

In the following example the status is active, which means iptables is running.

# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor pr>
Active: active (exited) since Sun 2023-04-02 06:51:01 GMT; 2s ago
Process: 696606 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exite>
Process: 697552 ExecStart=/usr/libexec/iptables/iptables.init start (code=exi>
Main PID: 697552 (code=exited, status=0/SUCCESS)

Alternatively, you can use the iptables command itself to check the current firewall rules. For example, to list all currently configured rules, you can use the following command:

sudo iptables -L

This will display a list of all configured firewall rules, including any rules that may be blocking or allowing ICMP traffic (such as PING requests).
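As an added example (not the article's own code), the script below applies the article's two DROP rules without stacking duplicates, and summarises which rules act on ICMP echo traffic from "iptables -S" output, which is easier to parse than the "iptables -L" table. The rule listing it runs on is constructed; on a real host the same function can be fed "iptables -S" directly.

```shell
#!/bin/sh
# Added example, not part of the article: apply the article's DROP rules
# without stacking duplicates, and report which rules act on ICMP echo
# traffic from "iptables -S" output. The rule listing below is constructed.

# Append a rule only if an identical one is not already in the chain.
# Re-running a plain "iptables -A" adds a second copy each time.
add_rule_once() {
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# The article's silent-drop rule pair (needs root).
block_ping_with_iptables() {
    add_rule_once INPUT -p icmp --icmp-type echo-request -j DROP
    add_rule_once OUTPUT -p icmp --icmp-type echo-reply -j DROP
}

# Read "iptables -S" output on stdin and print "<chain> <type> <target>" for
# every rule matching ICMP echo requests or replies. iptables -S prints the
# type numerically (8 = echo-request, 0 = echo-reply); both spellings are
# accepted here.
icmp_echo_rules() {
    awk '$1 == "-A" && /-p icmp/ {
            type = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--icmp-type") { type = $(i + 1) }
                if ($i == "-j") { target = $(i + 1) }
            }
            if (type == "8" || type == "echo-request") { name = "echo-request" }
            else if (type == "0" || type == "echo-reply") { name = "echo-reply" }
            else { next }
            print $2, name, target
         }'
}

# Constructed listing, as "iptables -S" would print it after the article's
# DROP rules plus an unrelated SSH rule.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP'

echo "ICMP echo rules in the sample listing:"
printf '%s\n' "$SAMPLE_RULES" | icmp_echo_rules
# On a real host, run as root:  iptables -S | icmp_echo_rules
```

The -C check in add_rule_once is what makes the script safe to run repeatedly, for instance from a configuration-management job; without it every run appends another identical rule, and the listing quickly becomes hard to audit.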

If iptables isn’t running when you run the iptables -L command, you’ll see what looks like empty tables.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Maey

Saturday 18th of November 2023

Thanks a lot for the detailed info. It works for me.