IPtables icmp模块

icmp模块

---

• icmp横块∶可以控制其他主机无法ping同本机，但本机可以ping同其他主机
• 默认情况当禁止ping后，其他主机无法ping通本主机，本主机也无法ping通其他主机，现需要本主机可以ping通其他主机，而其他主机依然无法ping同本主机.

--icmp-type {type[/code] I typename}

指定ICMP类型，echo-request（8请求）、echo-reply（O回应）

[root@localhost ~]# iptables -t filter -I INPUT -p icmp  -j DROP 
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (180.101.49.11) 56(84) bytes of data.
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1004ms

对方ping不通我，但是我为什么不能够去ping通别人呢？我去ping它的时候通过output出去了，它在返回的得从input链进来，input进来一匹配就是icmp被拒绝了，所以别人ping不通我，我也ping不通别人。

但是我希望别人ping不通我，我可以ping通别人。

ping的过程当中会发送请求，然后对端回复响应，请求类型为request，响应类型为reply。

[root@localhost ~]# tcpdump -i eno16777736 -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
13:59:02.522658 IP 192.168.111.134 > 180.101.49.11: ICMP echo request, id 12104, seq 1, length 64
13:59:02.536373 IP 180.101.49.11 > 192.168.111.134: ICMP echo reply, id 12104, seq 1, length 64
13:59:03.536333 IP 192.168.111.134 > 180.101.49.11: ICMP echo request, id 12104, seq 2, length 64
13:59:03.553146 IP 180.101.49.11 > 192.168.111.134: ICMP echo reply, id 12104, seq 2, length 64

[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (180.101.49.11) 56(84) bytes of data.
64 bytes from 180.101.49.11: icmp_seq=1 ttl=128 time=13.7 ms
64 bytes from 180.101.49.11: icmp_seq=2 ttl=128 time=16.8 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 13.766/15.330/16.895/1.569 ms

我们只拒绝request，不拒绝reply的。

[root@localhost ~]# iptables -t filter -I INPUT -p icmp --icmp-type "echo-request" -j REJECT 
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (180.101.49.12) 56(84) bytes of data.
64 bytes from 180.101.49.12: icmp_seq=1 ttl=128 time=16.6 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1006ms
rtt min/avg/max/mdev = 16.636/16.636/16.636/0.000 ms

回应的是reply，reply进入input链不符合上面的需求，因为只过滤request的，往下走没有匹配的规则那就走input的默认策略就是accept，就是通过的。