Linux server icmp security

Question

I have a Linux router, it is connecting to internet via pppoe with dynamic IP

and I would like it NOT to respond to ping (or any other kind of icmp) from outside (internet), BUT I would like that ping (and all icmp, like traceroute, tcptraceroute, mtr, etc.) from inside (LAN) and from server to outside targets to work, how can I do it ?

Answer 1

I'm guessing that by "Linux router" you mean a computer running Linux acting as a router.

Drop icmp traffic from the outside:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

• -A INPUT: packets destined to local sockets.
• -p icmp: specifies protocol to use, icmp in this case
• --icmp-type echo-request: specifies the type of icmp packets being filtered
• -j DROP: what to do when matching the filter. DROP will just drop them without sending any error message to the host pinging.

You could also use REJECT instead of DROP, which would send an error message.

Allow icmp traffic to the outside:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT 
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 

• -A OUTPUT: packets generated locally.
• -p icmp: specifies protocol to use, icmp in this case
• --icmp-type echo-reply: specifies the type of icmp packets being filtered
• -j ACCEPT: what to do when matching the filter. We are accepting replies only

Answer 2

Make sure you've got the icmp extension to iptables available and drop packets with an icmp type of 8 on the external facing interface (--protocol icmp --icmp-type 8)