Ping is a network utility used to check the availability of a system on an Internet Protocol network using ICMP echo request and echo reply messages. However, some network administrators prefer to block ping because they consider it a security issue. In an earlier post, we explained how to block or unblock ping requests on Ubuntu 20.04. This post covers how to block or unblock ping requests on Debian.
Prerequisites
- Debian OS
- Sudo user
Note: The procedure explained here has been tested on a Debian 10 (Buster) system.
Block or Unblock Ping Requests on Debian
Ping sends an ICMP echo request to the target system and waits for an ICMP echo reply. On Linux, when you ping an IP address, ping keeps sending ICMP packets until you press Ctrl+C to stop it. To send a specific number of packets, use ping with the -c option. For instance, to send 3 ICMP packets, you can use the following command:
$ ping -c 3 <ip-address or hostname>
To block ping requests to the Debian system, there are the following two options:
- Through kernel parameters
- Through iptables
We are going to explain both options for blocking ping requests on a Debian system.
Block or Unblock Ping Requests through Kernel Parameters
Ping requests can be blocked or unblocked by modifying the kernel parameter net.ipv4.icmp_echo_ignore_all. This parameter controls whether the system responds to ping requests. Its default value is “0”, which means all ping requests are allowed. By changing the value of this kernel parameter, you can make the system block ping requests.
There are three different ways to modify the kernel parameters:
- Through “sysctl” command
- Through “icmp_echo_ignore_all” file
- Through “/etc/sysctl.conf” file
To find whether the system is currently blocking or allowing the ping requests, issue the following command in Terminal:
$ sudo sysctl -ar 'icmp_echo'
A value of “0” for “icmp_echo_ignore_all” means ping is unblocked, while a value of “1” means ping is blocked. The following output shows ping is currently unblocked in our system.
Block or Unblock Ping Requests through “sysctl” Command (Temporarily)
If you need to temporarily block the ping requests to your system, you can use the sysctl command as follows:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
After running the above command, the machine will start blocking the ping requests coming to it. Now if another system tries to ping your system, it will see no response as shown in the following output.
However, as stated before, this change will be temporary. As soon as you reboot the system, the kernel parameter value will revert to its original value and ping will be unblocked again.
You can also unblock ping using the below command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0
Block or Unblock Ping Requests through icmp_echo_ignore_all File (Temporarily)
The /proc/sys/net/ipv4/ directory contains a file icmp_echo_ignore_all which controls whether the system should respond to ping requests or not.
To block ping requests, you will need to change the value in the icmp_echo_ignore_all file from “0” to “1”. You can do this using the below command:
$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all'
However, this change will be temporary. As soon as you reboot the system, the kernel parameter value will revert to its original value and ping will be unblocked again.
You can also unblock ping using the below command:
$ sudo sh -c 'echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all'
Block or Unblock Ping Requests through “/etc/sysctl.conf” File (Permanently)
Ping requests can also be permanently blocked using the /etc/sysctl.conf file. In order to permanently block ping requests, first edit the /etc/sysctl.conf file using the following command:
$ sudo nano /etc/sysctl.conf
Now in the edited file, add the following line:
net.ipv4.icmp_echo_ignore_all = 1
Now save and close the /etc/sysctl.conf file and run the following command to apply the changes:
$ sudo sysctl -p
To unblock ping, edit the /etc/sysctl.conf file and change the value of net.ipv4.icmp_echo_ignore_all back to 0:
net.ipv4.icmp_echo_ignore_all = 0
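The difference between the temporary and the permanent methods above can be checked by comparing the runtime value with the configured one. The following script is an added example, not part of the original post; the function names and the sample file content are constructed for illustration, and it assumes /etc/sysctl.conf is the only file that sets this parameter.

```shell
#!/bin/sh
# Added example (not from the original post): will the current ping setting
# survive a reboot? Compares the runtime value with what sysctl.conf holds.
KEY=net.ipv4.icmp_echo_ignore_all

# persisted_value: reads sysctl.conf-style text on stdin and prints the value
# configured for KEY. The last assignment wins; the kernel default 0 applies
# when the key is absent or only present in a comment.
persisted_value() {
    awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }              # comment lines start with # or ;
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            gsub("/", ".", k)               # net/ipv4/... names the same key
            if (k == key) val = v
        }
        END { print (val == "" ? 0 : val) }
    '
}

# ping_state RUNTIME PERSISTED: describe the two values (0 or 1) together.
ping_state() {
    if [ "$1" = "$2" ]; then
        if [ "$1" = 1 ]; then echo "blocked, persistent"; else echo "allowed, persistent"; fi
    elif [ "$1" = 1 ]; then
        echo "blocked until reboot"
    else
        echo "allowed now, blocked once sysctl.conf is applied"
    fi
}

# Constructed sample of /etc/sysctl.conf: one commented-out line, one live line.
SAMPLE_CONF='# constructed sample
#net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_all = 1'

# Runtime value 0 is what /proc/sys/net/ipv4/icmp_echo_ignore_all would hold
# if the file was edited but "sysctl -p" was never run.
ping_state 0 "$(printf '%s\n' "$SAMPLE_CONF" | persisted_value)"
# Live use: ping_state "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all)" \
#                      "$(persisted_value < /etc/sysctl.conf)"
```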
Block or Unblock Ping Requests Using iptables (Permanently)
Iptables is a command-line utility in Linux that allows or blocks traffic based on a set of rules. The Debian distribution includes the iptables utility by default. However, if your system does not have this utility, you can install it as follows:
$ sudo apt-get install iptables
Now issue the below command in Terminal to block ping requests:
$ sudo iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
In the above command, the -A option appends a rule to the chain and --icmp-type 8 selects ICMP echo requests. This command adds a firewall rule that blocks all incoming pings to your system. After adding this rule, the system will reject all ping requests coming to it. Now if another system tries to ping your system, it will receive the “Destination Port Unreachable” message.
If you do not want the sending user to see the Destination Port Unreachable message, use DROP instead of REJECT in the above command as follows:
$ sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
Now if a user pings your system, they will receive no response:
To unblock ping, use the below command:
$ sudo iptables -D INPUT -p icmp --icmp-type 8 -j REJECT
Or the below command if you have used the DROP option in iptables rule:
$ sudo iptables -D INPUT -p icmp --icmp-type 8 -j DROP
In the above command, the -D option deletes a rule from the chain and --icmp-type 8 selects ICMP echo requests.
To list the rules in your iptables, use the following command:
$ sudo iptables -L
The iptables rules we have added above will not survive a system reboot. To make them survive a reboot, you will have to install the iptables-persistent package. Run the following command to install it:
$ sudo apt install iptables-persistent
After each rule you add or delete in iptables, run the following commands to make these rules persistent after reboot:
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload
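Because -A appends the rule to the end of the INPUT chain, an earlier rule that already accepts ICMP will match first and the new rule never applies. The following script is an added example, not part of the original post; the function name and the rule sets are constructed for illustration, and it reads rules in the format printed by iptables -S INPUT.

```shell
#!/bin/sh
# Added example (not from the original post): which verdict does an incoming
# IPv4 echo request get? iptables checks INPUT rules top to bottom and stops
# at the first terminating match, so a rule appended with -A can be shadowed.

# echo_verdict: reads `iptables -S INPUT` output on stdin and prints ACCEPT,
# DROP or REJECT. Simplification: rules carrying any other match (interface,
# source, conntrack state, ...) are skipped, so the verdict is for a sender
# that those rules do not match.
echo_verdict() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            proto = ""; type = ""; target = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") { proto = $(i + 1); i++ }
                else if ($i == "--icmp-type") { type = $(i + 1); i++ }
                else if ($i == "-m" && $(i + 1) == "icmp") { i++ }
                else if ($i == "-j") { target = $(i + 1); break }
                else { other = 1 }
            }
            if (other) next
            if (proto != "" && proto != "icmp") next
            if (type != "" && type != "8" && type != "echo-request") next
            if (target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; found = 1; exit }
        }
        END { if (!found) print (policy == "" ? "ACCEPT" : policy) }
    '
}

# Constructed rule sets in `iptables -S INPUT` format.
SHADOWED='-P INPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'

EFFECTIVE='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable'

printf 'shadowed:  %s\n' "$(printf '%s\n' "$SHADOWED" | echo_verdict)"
printf 'effective: %s\n' "$(printf '%s\n' "$EFFECTIVE" | echo_verdict)"
```

When the verdict is ACCEPT although the block rule is listed, the rule sits behind an earlier match and has to be placed ahead of it, for example with iptables -I INPUT 1 instead of -A. Both the rule and this check cover IPv4 only; ICMPv6 echo requests are filtered with ip6tables.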
This is how you can block/unblock ping requests to your Debian system. In this post, you have learned different ways for blocking/unblocking ping requests either temporarily or permanently. If you know of some other ways to block/unblock ping that we have missed, we would love to know in the comments below!