How to Block Ping ICMP Requests to Linux Systems

Some system administrators often block ICMP messages to their servers in order to hide the Linux boxes to outside world on rough networks or to prevent some kind of IP flooding and denial of service attacks.

The most simple method to block ping command on Linux systems is by adding an iptables rule, as shown in the below example. Iptables is a part of Linux kernel netfilter and, usually, is installed by default in most Linux environments.

# iptables -A INPUT --proto icmp -j DROP
# iptables -L -n -v  [List Iptables Rules]

Another general method of blocking ICMP messages in your Linux system is to add the below kernel variable that will drop all ping packets.

# echo “1” > /proc/sys/net/ipv4/icmp_echo_ignore_all

In order to make the above rule permanent, append following line to /etc/sysctl.conf file and, subsequently, apply the rule with sysctl command.

# echo “net.ipv4.icmp_echo_ignore_all = 1” >> /etc/sysctl.conf 
# sysctl -p

In Debian-based Linux distributions that ship with UFW application firewall, you can block ICMP messages by adding the following rule to /etc/ufw/before.rules file, as illustrated in the below excerpt.

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Block Ping ICMP Request in UFW Firewall

Block Ping ICMP Request in UFW Firewall

Restart UFW firewall to apply the rule, by issuing the below commands.

# ufw disable && ufw enable

In CentOS or Red Hat Enterprise Linux distribution that use Firewalld interface to manage iptables rules, add the below rule to drop ping messages.

# firewall-cmd --zone=public --remove-icmp-block={echo-request,echo-reply,timestamp-reply,timestamp-request} --permanent	
# firewall-cmd --reload

In order to test if the firewall rules had been successfully applied in all the cases discussed above, try to ping your Linux machine IP address from a remote system. In case ICMP messages are blocked to your Linux box, you should get a “Request timed out” or “Destination Host unreachable” messages on the remote machine.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Matei Cezar

I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide
The Complete Linux System Administrator Bundle
Become an Ethical Hacker Bonus Bundle

You may also like...

5 Responses

  1. Matei Cezar says:

    The guide just shows how you can disable ICMP for certain cases, but not implies that you must disable it.

  2. Anders Lowinger says:

    This is just a BAD recommendation. You should not block ICMP, it disables Path MTU discovery which gives poor performance for people on links with less than 1500 bytes MTU. PPPoE is one such link.

    If you want to filter, rate limit ICMP to 10 packets/sek or similar.

  3. Out says:

    What the stupid thing to remove icmp protocol. This move not security improve, but networking maybe slow down (to this host).

  4. Jonix says:

    Also, before adding the solution in /etc/sysctl.conf, check that file for eventual other places the definitions are/is set (on my system it was in /usr/lib/sysctl.d/50-default.conf )

  5. Jonix says:

    If you just want to block ICMP-“scans” (ICMP redirect, ping the whole network), the file solution could be good to do with the file /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.