iptables drop all incoming ICMP requests except from one IP
Solution 1
You need to run your rules in the opposite order. Iptables is sensitive to the order that commands were run. If a rule matches, it doesn't go on to check more rules, it just obeys that one. If you set the drop first, the accept rule will never get tested. By setting the specific accept with the source IP, then setting the more general policy to drop you will affect the expected behavior.
iptables -A INPUT -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 8 -j DROP
As for the hang problem you seem to be having, are you sure you entered a valid IP address? Perhaps you can prefix that command with strace iptables … to see what it's doing while it appears to hang.
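To make the first-match behaviour concrete, here is an added simulation (not part of the answer, and not iptables itself) of a chain that only models -s, -p icmp, --icmp-type, -A and -I; the addresses are constructed stand-ins for the asker's x.x.x.x. It shows that appending the ACCEPT after the DROP leaves it unreachable, while inserting it with -I puts it above the DROP, and that a rule matching only --icmp-type 8 still lets other ICMP types through to the chain policy.

```python
# Added model of iptables first-match chain semantics (a simulation, not iptables itself);
# it covers only -s, -p icmp, --icmp-type, -A and -I, enough to show why order matters.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    target: str                        # -j ACCEPT or DROP
    proto: Optional[str] = None        # -p
    src: Optional[str] = None          # -s, single address or CIDR
    icmp_type: Optional[int] = None    # --icmp-type (8 = echo-request)
    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        return self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:                # iptables -A: add at the end
        self.rules.append(rule)
    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I [rulenum]: default top
        self.rules.insert(pos - 1, rule)
    def verdict(self, pkt: dict) -> str:
        # The first matching rule decides; the chain policy applies only if none match.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

TRUSTED = "198.51.100.7"   # constructed stand-in for the asker's x.x.x.x
OTHER = "203.0.113.9"      # constructed untrusted host
DROP_ALL = Rule("DROP", proto="icmp", icmp_type=8)
ALLOW_ONE = Rule("ACCEPT", proto="icmp", src=TRUSTED, icmp_type=8)

def echo_verdicts(use_insert: bool) -> tuple:
    # DROP appended first either way; ACCEPT then appended (-A, the asker's order) or inserted (-I).
    chain = Chain()
    chain.append(DROP_ALL)
    if use_insert:
        chain.insert(ALLOW_ONE)   # lands at position 1, so the trusted host matches it first
    else:
        chain.append(ALLOW_ONE)   # lands below the DROP, so it is never reached
    echo = lambda src: {"proto": "icmp", "icmp_type": 8, "src": src}
    return chain.verdict(echo(TRUSTED)), chain.verdict(echo(OTHER))
```

Running echo_verdicts(False) reproduces the asker's result (the trusted host is dropped too); echo_verdicts(True) gives the intended one.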
Solution 2
Do not drop ICMP willy-nilly! Sure, some of the ICMP requests are dangerous, but the rest is absolutely required for the network to work (think "destination unreachable" and that zoo).
Deepak Yadav
Updated on September 18, 2022
Comments
-
Deepak Yadav over 1 year
Currently, I have something like:
iptables -A INPUT -p ICMP --icmp-type 8 -j DROP
iptables -A INPUT -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
However, when I run the second command, it looks as if iptables just stops. I have to break out of it to get back to terminal. Perhaps I am doing it all wrong, but some insight would be helpful.
-
phemmer almost 13 years: You also need to flip it so that the ACCEPT is first, or change -A to -I
-
Deepak Yadav almost 13 years: @Patrick when I do that, it seems as if it quits out at the start and doesn't write the rule.
-
xenoterracide almost 13 years: your first rule will have to come last. If you look at iptables -L -nv and check out the counters when you're testing your rules, you'll find out it's probably incrementing, dropping the packets, never reaching your other rule.
-
Deepak Yadav almost 13 years: I just tried that, and it did the same thing -- to no avail.
-
Luciano Facchinelli almost 13 years: you run those commands in that order??? Rules in iptables, as far as I'm concerned, are executed from bottom to top
-
tcoolspy almost 13 years: This is just an alternate syntax for the rule the OP was already running.
-
Deepak Yadav almost 13 years: Thanks for the great explanation. Looks like this was happening with another ruleset also, causing it to hang!
-
Natalie Adams almost 10 years: ICMP is not required for a network to function.
-
Stefan Skoglund over 4 years: icmp filtering breaks MTU discovery, so good luck trying to use jumbo frames without functioning icmp!