iptables can block ICMP echo requests (pings) by dropping packets destined for the server.

# Block all incoming ICMP echo requests
sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP

# Allow all incoming ICMP echo requests
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Let’s dive into how this works and the nuances.

The "Why" Behind Blocking Pings

While ping (ICMP echo request) is often used for network diagnostics, it can also be a reconnaissance tool for attackers. By seeing if a server responds to pings, an attacker can confirm a host is alive before attempting more sophisticated attacks. Blocking pings can add a small layer of obscurity, making your server slightly less visible on the network. However, it’s crucial to understand that this is not a security panacea; determined attackers will find other ways to probe your network.

How ICMP Echo Requests Work

When you ping a server, your machine sends an ICMP "echo request" packet to the target IP address. The target server, if configured to respond, sends back an ICMP "echo reply" packet. This exchange confirms network connectivity.

The iptables Mechanism

iptables is a powerful command-line utility used to configure the Linux kernel firewall. It operates by inspecting packets and deciding whether to ACCEPT, DROP, REJECT, or MASQUERADE them based on a set of rules.

  • INPUT chain: This chain handles packets destined for the local machine itself.
  • -p icmp: This matches packets using the Internet Control Message Protocol.
  • --icmp-type 8: This specifically matches ICMP packets with type 8, which signifies an "echo request."
  • -j DROP: This target silently discards the packet. The sender receives no notification that the packet was dropped.
  • -j ACCEPT: This target lets the packet continue to its destination (here, the server’s own network stack, which processes the echo request and generates the echo reply).

Blocking Pings: The Rule

To block incoming pings, you add a rule to the INPUT chain that matches ICMP echo requests and tells iptables to DROP them.

sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP

Diagnosis Command: To see if this rule is active, you can list your current iptables rules:

sudo iptables -L INPUT -v -n

You’re looking for a line that resembles:

    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

The 0 0 indicates packet and byte counts, which will increase as pings are blocked.

Why it Works: When an ICMP echo request packet arrives, iptables checks the INPUT chain. It finds the rule specifying icmp with type 8. Because the packet matches, iptables executes the DROP target, discarding the packet before the kernel’s ICMP handler can generate a reply. The sender sees a timeout because no reply ever comes back.

Allowing Pings: The Rule

If you’ve previously blocked pings and want to allow them again, you need to add a rule to ACCEPT them. The order of rules matters significantly in iptables: rules in a chain are evaluated from top to bottom, and the first matching rule decides the packet’s fate. If you have a DROP rule before an ACCEPT rule for the same traffic, the DROP rule will always take precedence.

sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Diagnosis Command: Again, use iptables -L INPUT -v -n to inspect. You’d look for:

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Why it Works: With this rule in place (and ideally before any general DROP rule for ICMP, or if the DROP rule is removed), an incoming ICMP echo request will match this ACCEPT rule. The packet is allowed through to the server, which will then generate and send back an ICMP echo reply.
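Both Diagnosis Command sections above rely on reading the listing by eye. As an added example (not from the original article), the script below parses `iptables -L INPUT -v -n` output, reports which echo-request rule is actually in effect (first match wins), and extracts its packet counter; the listing embedded in it is constructed to show the ordering pitfall, and `ping_verdict` is a name chosen here.

```shell
#!/bin/sh
# Added example (not part of the original article): parse the output of
# `iptables -L INPUT -v -n` to see which echo-request rule is in effect and
# whether it has matched anything. Add -x to -L for exact counters instead
# of abbreviated ones such as 12K. The listing below is constructed.

# Print "TARGET PKTS" for each INPUT rule that matches ICMP echo requests
# (icmptype 8), in chain order. Reads the listing on stdin.
echo_request_rules() {
    awk '$3 ~ /^(ACCEPT|DROP|REJECT)$/ && ($4 == "icmp" || $4 == "1") && /icmptype 8( |$)/ { print $3, $1 }'
}

# The first matching rule wins, so the verdict for an inbound ping is the
# target of the first echo-request rule. Prints BLOCKED, ALLOWED, REJECTED,
# or NONE (no specific rule: the chain's default policy decides).
ping_verdict() {
    first=$(echo_request_rules | head -n 1)
    case "${first%% *}" in
        DROP)   echo BLOCKED ;;
        ACCEPT) echo ALLOWED ;;
        REJECT) echo REJECTED ;;
        *)      echo NONE ;;
    esac
}

# Constructed listing: the DROP rule was appended first, so the later ACCEPT
# rule never sees a ping (the ordering pitfall described in the article).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 70728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   588 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8'

sample_verdict()       { printf '%s\n' "$SAMPLE_LISTING" | ping_verdict; }
sample_dropped_pings() { printf '%s\n' "$SAMPLE_LISTING" | echo_request_rules | awk '$1 == "DROP" { print $2; exit }'; }

# Live check (needs root): sudo iptables -L INPUT -v -n | ping_verdict
if [ "${1:-}" = "demo" ]; then
    sample_verdict          # BLOCKED
    sample_dropped_pings    # 7
fi
```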

Important Considerations and Nuances

  1. Rule Order: If your chain drops by default (sudo iptables -P INPUT DROP sets the default policy for the INPUT chain to DROP) or has a general DROP rule for all ICMP like sudo iptables -A INPUT -p icmp -j DROP, your ACCEPT rule must be evaluated before any DROP rule that matches the same packet; otherwise, the DROP rule will catch the packet first. (The default policy itself is consulted only after every rule in the chain has been tried, so it never shadows an ACCEPT rule.)

    • To block:
      # First, make sure no broader ACCEPT rule for ICMP sits earlier in the chain
      # Then, add the specific DROP rule
      sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP

    • To allow (after blocking):
      # Remove the blocking rule first
      sudo iptables -D INPUT -p icmp --icmp-type 8 -j DROP
      # Then add the allowing rule
      sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

      Or, if you need to insert it at a specific position (e.g., position 1):
      # Assuming you want it as the first rule
      sudo iptables -I INPUT 1 -p icmp --icmp-type 8 -j ACCEPT

  2. Other ICMP Types: There are many other ICMP types (e.g., type 3 for destination unreachable, type 11 for time exceeded). Blocking all ICMP can break essential network diagnostics (like traceroute, which relies on ICMP time-exceeded messages), Path MTU Discovery (which relies on type 3 "fragmentation needed" messages), and even some routing protocols. Be specific with --icmp-type 8 if you only want to block pings. If you want to block all ICMP, you’d use -p icmp -j DROP.

  3. Stateful Firewalls: Modern firewalls, including iptables with the conntrack module, are stateful: they track the state of connections, and conntrack treats an echo request and its echo reply as one flow. If you allow outgoing ICMP echo requests (e.g., to ping external sites), the incoming echo replies (type 0) are classed as ESTABLISHED, so they are accepted by a rule such as sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT near the top of the INPUT chain, without a dedicated --icmp-type 0 rule. That state rule does not cover unsolicited inbound echo requests, which conntrack classes as NEW, so for directly controlling incoming pings the rule targeting --icmp-type 8 is explicit and necessary.

  4. Persistence: iptables rules are volatile by default. They are lost on reboot. To make them permanent, you need to use tools like iptables-persistent (Debian/Ubuntu) or iptables-services (RHEL/CentOS).

    • Debian/Ubuntu:
      sudo apt-get update
      sudo apt-get install iptables-persistent
      sudo netfilter-persistent save
      
    • RHEL/CentOS:
      sudo yum install iptables-services
      sudo systemctl enable iptables
      sudo service iptables save
      
  5. IPv6: The rules above are for IPv4. For IPv6, you use ip6tables, which takes the same options but names the protocol icmpv6 and uses its own type names (the two rules below are alternatives, not a pair to run together):

    sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
    sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

    Be even more selective with ICMPv6 than with ICMP: IPv6 Neighbor Discovery (the replacement for ARP) runs over ICMPv6, so a blanket -p icmpv6 -j DROP can cut a host off from its local network.

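Items 1 and 5 above describe the ordering and dual-stack pitfalls in prose. As an added example (not from the original article), the script below applies the block/allow rules idempotently, removing stale copies with -C/-D and choosing -I versus -A by inspecting `iptables -S INPUT` for a broad ICMP DROP; IPT, ICMP_MATCH and the function names are assumptions made here, and the same script covers ip6tables when those two variables are overridden.

```shell
#!/bin/sh
# Added example (not part of the original article): apply the block/allow
# rules idempotently and in the right chain position. IPT and ICMP_MATCH are
# assumptions: set IPT="sudo ip6tables" and
# ICMP_MATCH="-p icmpv6 --icmpv6-type echo-request" for the IPv6 table.
set -e
: "${IPT:=iptables}"
: "${ICMP_MATCH:=-p icmp --icmp-type 8}"

# Delete every copy of the echo-request rule with the given target. Repeated
# -A calls silently create duplicates, so loop until -C no longer finds one.
purge_echo_rule() {    # $1 = DROP or ACCEPT
    while $IPT -C INPUT $ICMP_MATCH -j "$1" 2>/dev/null; do
        $IPT -D INPUT $ICMP_MATCH -j "$1"
    done
}

# True when `iptables -S INPUT` output (on stdin) contains a bare ICMP DROP
# rule, which would swallow pings before an appended ACCEPT is reached.
# A DROP default policy (-P INPUT DROP) is not such a rule: the policy is
# applied only after every rule has been tried, so an appended ACCEPT wins.
has_broad_icmp_drop() {
    grep -Eq -- '^-A INPUT -p icmp (-m icmp )?-j DROP$'
}

block_ping() {
    purge_echo_rule ACCEPT               # an earlier ACCEPT would shadow the DROP
    purge_echo_rule DROP                 # avoid duplicates
    $IPT -I INPUT 1 $ICMP_MATCH -j DROP  # first rule: evaluated before any ACCEPT
}

allow_ping() {
    purge_echo_rule DROP
    purge_echo_rule ACCEPT
    if $IPT -S INPUT | has_broad_icmp_drop; then
        $IPT -I INPUT 1 $ICMP_MATCH -j ACCEPT   # must precede the broad DROP
    else
        $IPT -A INPUT $ICMP_MATCH -j ACCEPT     # appending is enough
    fi
}

case "${1:-}" in
    block) block_ping ;;
    allow) allow_ping ;;
esac
```

Run as `sudo ./ping-rules.sh block` or `sudo ./ping-rules.sh allow`; re-running either command leaves exactly one echo-request rule in place.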
By carefully crafting iptables rules, you can precisely control ICMP traffic, including whether your server responds to pings. Remember to always test your rules to ensure they have the desired effect and don’t inadvertently block necessary network traffic.

The next common iptables configuration challenge you’ll likely face is managing connection states for established and related traffic.
