A while ago a post appeared about a firewalled machine not responding to
ping. Normally, ping reply is turned off. I had suggested turning it on.
Dr Sriram suggested it may not be appropriate without restricting the
port/socket for ICMP to respond to ping. Normally ping reply is turned
off to prevent DoS, smurfing etc.
Iptables supports stateful inspection and rate limiting which would
allow us to respond to these requests but still limit the damage they
could do using DoS techniques. The icmp protocol match provides an icmp
type and state match.
In iptables parlance, there are only four types of icmp that can be
categorized as NEW or ESTABLISHED:
1) Echo request (ping, 8) and echo reply (pong, 0).
2) Timestamp request (13) and reply (14).
3) Information request (15) and reply (16).
4) Address mask request (17) and reply (18).
The request in each case is classified as NEW and the reply as
Other types of icmp are not request-reply based and can only be RELATED
to other connections.
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j
1) An icmp echo request is NEW and so is allowed in the OUTPUT chain.
2) An icmp echo reply, provided it is in response to an echo request, is
ESTABLISHED and so is allowed in the INPUT chain. An echo reply cannot
be allowed in the OUTPUT chain for the rules above because there is no
NEW in the INPUT chain to allow echo requests and a reply has to be in
response to a request.
3) An icmp redirect, because it is not request-reply based, is RELATED
and so can be allowed in both the INPUT and the OUTPUT chains provided
there is already a tcp or udp connection in the state table that it can
be matched against.
In order to limit rates, the limit extension can be used along with
icmp-type as follows:
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
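
The post shows the rate limit only on the FORWARD chain. As an added example (not part of the original post), the script below combines the limit extension with the state rules so that the firewalled machine itself answers ping at a bounded rate. The ACCEPT/DROP targets, the INPUT placement, the 1/s rate with a burst of 5, and the dry-run IPT variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run by default: rules are
# printed. Run as root with IPT=iptables to install them (assumed variable).
IPT="${IPT:-echo iptables}"

icmp_ping_rules() {
    rate="$1"    # sustained echo-request rate, e.g. 1/s (assumed value)
    burst="$2"   # packets allowed before the rate applies (assumed value)

    # Echo requests are matched by type first, so every request is counted
    # against the limit whatever state conntrack gives it.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    # Requests over the limit are dropped instead of answered.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Replies to our own requests (ESTABLISHED) and icmp errors tied to an
    # existing tcp/udp connection (RELATED).
    $IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else: unsolicited timestamp, information and address mask
    # requests.
    $IPT -A INPUT -p icmp -j DROP
    # Outbound: our own requests (NEW) and the echo replies to accepted
    # pings, which conntrack marks ESTABLISHED.
    $IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

icmp_ping_rules 1/s 5
```

The limit match keeps one bucket for all senders, so a flood from one host can use up the allowance for everyone; the rate bounds how many replies the machine sends, not who receives them.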