DistributedNetworks DistributedNetworks

Network Computing   «Prev 

Output of the ping command

This is the prompt from which the ping command was issued.

This line indicates that ping sent test data to from

These lines give information about each test packet received from rs.internic.net ( On the right are times in milliseconds for the round-trip of the test packet.

This section displays some statistics on the ping packets received before the user pressed Ctrl-C. In this case, 0 (zero) percent of five packets were lost. The minimum, average, and maximum round-trip packet times are listed in milliseconds.

Changing ipchains firewall rules

Now let us try adding a rule. As an example, let us imagine we want to block ICMP packets to disallow "pinging" of our Linux box. You may do that to avoid various Denial of Service attacks that could be launched against your system. Block ICMP with a command like the following:
# ipchains -A input -p icmp -j DENY

This specifies that we are adding a rule to the input chain. It will match any ICMP packet and will drop it rather than allowing it through. Now if you are using the ping command against your Linux box, you should receive no response. Type the ipchains -L command again, and you will see something like this:
Chain input (policy ACCEPT):
target prot opt source destination ports
DENY icmp ------ anywhere anywhere any -> any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

You can see your new rule listed. This rule will block all ICMP packets entering your system, regardless of which computer sent those packets. If your Linux system is acting as a router, it will also block ICMP packets that are being forwarded from the Internet to your network, or vice versa. People on the Internet will be unable to ping anything on your network. Likewise, you will be unable to ping anything on the Internet. Perhaps that is not what you want. Let us assume then that you wish to block pinging of systems on your network by people on the Internet, but allow pinging of the router and allow the router to ping hosts on the Internet. First, we should flush the contents of the input chains using the -F parameter; then we can add our new rule.
# ipchains -F input
# ipchains -A forward -p icmp -j DENY

Now we can ping the Linux system and the Linux system can ping other boxes, but ping requests will not be passed through the Linux system. If you wish, use the ipchains -L command to verify that the rule has now been added to the forward chain rather than the input chain. You may also wish to block the telnet protocol when coming from the Internet. For this example, let us assume that our Linux router is connected to the Internet via a dialup connection called ppp0 and is connected to our internal LAN via an Ethernet connection called eth0. In that case, you could block telnet with a command like the following:
# ipchains -A input -i ppp0 -p tcp --dport 23 -j DENY

This rule basically says that any TCP packet with a destination port of 23 (the telnet port as specified in /etc/services) that is arriving on the ppp0 interface should be dropped. This does not prevent you from telneting to your Linux box from your internal network, but it does block telnet access from the Internet.