Block/Unblock Ping ICMP Requests in the Linux System

Linux TLDR

Ping is the command-line utility most commonly used by sysadmins and network engineers to check whether a target machine is up or down on a given network.

We already discussed how this command works in a separate article. In short, it sends ICMP echo requests to the target machine and waits for a response. Once a response is received, the target machine is considered alive on the network.

This tool is supposed to show the status of a target machine on a given network, but many network intruders or hackers (especially newbies) use it to find active systems on the network to attack.

Now, if you’re worried about security, you can stop accepting ping requests (ICMP echo) from any system on the network by following the steps in this article.

Tutorial Details

Description: Disable/Enable Ping Response (ICMP Echo) in Linux
Difficulty Level: Moderate
Root or Sudo Privileges: Yes
OS Compatibility: Ubuntu, Manjaro, Fedora, etc.
Prerequisites: -
Internet Required: No

A Note for Readers

Now, before you go ahead and directly block the ping ICMP requests in your Linux system, you need to consider the following points.

  • Even after you block the ICMP protocol, your system is still discoverable via ARP tables.
  • Path MTU discovery and other programs that use this service to find active hosts on the network won’t work right.
  • Removing the ICMP protocol doesn’t improve your security.
  • The networking experience might get disturbed after disabling the ICMP protocol.

After considering all the points mentioned above, if you still want to disable the ping ICMP requests, then follow the next section.

Temporarily Disable the Ping ICMP Requests in Linux

You can temporarily turn off the ping ICMP requests if you are connected to an unknown (or unsecure) network for a short time.

Open your terminal emulator and execute the following command as a root user to temporarily ignore or reject all the ping ICMP requests:

$ echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all    # Turn off ICMP requests

Note that the above command will keep ignoring or rejecting all the ping ICMP requests until your system is restarted or the following command is executed:

$ echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all    # Turn on ICMP requests

The files above expose kernel variables that control whether ping ICMP requests are dropped. Writing to them requires root: the redirection (>) is performed by your own shell, so prefixing echo with sudo does not help, and a normal user with sudo privileges cannot disable the ICMP request this way.

But if you are a sudo user and you still want to turn off the ping ICMP request, you can execute the following command with sudo permissions.

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1    # Turn off ICMP requests

Similarly to the previous command, it will keep ignoring or rejecting all the ICMP requests until your system is restarted or the following command is executed:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0    # Turn on ICMP requests

That’s all you have to do to temporarily disable the ping ICMP requests on your Linux system.

Permanently Disable the Ping ICMP Requests in Linux

There are two separate ways to permanently disable ICMP requests on your Linux system.

  • Using the kernel parameters
  • Using iptables

Let’s see how you can permanently block the ICMP requests with each of these two methods, starting with the kernel parameters.

1. Blocking Ping ICMP Requests Using the Kernel Parameters in Linux

Edit the “/etc/sysctl.conf” configuration file as root or sudo using your choice of text editor, either Vim or Nano.

$ sudo vim /etc/sysctl.conf

Add the following line at the end of this file:

net.ipv4.icmp_echo_ignore_all=1

[Screenshot: Disable ping ICMP requests using the kernel parameter]

Lastly, execute the following command to reload the configuration changes:

$ sudo sysctl -p

[Screenshot: Reloading the configuration changes]

Now, if someone on the network tries to send a ping ICMP request, they will get the following response:

[Screenshot: Ping the blocked Linux system]

If you want to enable the ping ICMP request, then simply remove the line from the configuration file, reload the changes, and restart your system.
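
To tell a setting that only lives at runtime apart from one that is also written to the configuration file, the following added example (not part of the original article) compares the runtime value with the last assignment found in sysctl.conf-style text. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
KEY="net.ipv4.icmp_echo_ignore_all"

# Constructed sample config: key commented out, then set to 0, then set to 1.
SAMPLE_CONF='# net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 0
net/ipv4/icmp_echo_ignore_all=1'

# Read sysctl.conf-style text on stdin; print the last value assigned to KEY.
# Skips comment lines (# or ;), tolerates spaces around "=", and accepts the
# net/ipv4/... spelling of the key.
persisted_value() {
    awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
            gsub("/", ".", name)
            if (name == key) last = val
        }
        END { if (last != "") print last }'
}

# $1 = runtime value (contents of /proc/sys/net/ipv4/icmp_echo_ignore_all);
# config text on stdin. Prints one of: persistent, runtime-only, pending, off.
echo_ignore_state() {
    saved=$(persisted_value)
    case "${1:-0}:${saved:-0}" in
        1:1) echo "persistent" ;;      # active now and after a reboot
        1:*) echo "runtime-only" ;;    # active now, lost at the next reboot
        *:1) echo "pending" ;;         # in the file, not loaded (sysctl -p)
        *)   echo "off" ;;
    esac
}

# Usage on a live system:
#   echo_ignore_state "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all)" < /etc/sysctl.conf
```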

2. Blocking Ping ICMP Requests Using the Iptables in Linux

If you have a little knowledge about Linux or networking, then you might have heard of iptables in Linux, which is used as a firewall to manage incoming and outgoing traffic based on a set of rules.

Using the same iptables, you can set your own rules to disable foreign ping ICMP requests made to your system using the following command:

$ sudo iptables -I INPUT -p icmp --icmp-type echo-request -j DROP

[Screenshot: Disable ping ICMP requests using the iptables]

Once the above command is executed and the new rule is added to your iptables, all the users who try to ping your system will get the following response:

[Screenshot: Ping the blocked system]

To enable the ping ICMP requests again, simply execute the following command.

$ sudo iptables -I INPUT -p icmp --icmp-type echo-request -j ACCEPT
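
Because -I inserts at the head of the chain and the first matching rule wins, the ACCEPT command above overrides the earlier DROP rule without removing it. The added example below (not part of the original article; function names and sample rules are constructed) reads the output of iptables -S INPUT, reports the effective target for echo requests, and prints the iptables -D commands that would delete the shadowed rules.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: the echo-request rules carry no extra conditions such as
# source address or interface, so the first one always decides.

# Constructed sample of `iptables -S INPUT` output after running the DROP
# command and then the ACCEPT command from the article.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'

# Keep only INPUT rules that name ICMP echo-request (type 8) explicitly.
echo_request_rules() {
    grep -E -e '^-A INPUT .*-p icmp .*--icmp-type (8|8/0|echo-request) .*-j [A-Z]+' || true
}

# Rules on stdin. Print "<effective target> <number of shadowed rules>",
# or "none 0" when no echo-request rule exists.
echo_request_verdict() {
    echo_request_rules | awk '
        { for (i = 1; i < NF; i++) if ($i == "-j") t = $(i + 1) }
        NR == 1 { first = t }
        END { printf "%s %d\n", (NR ? first : "none"), (NR ? NR - 1 : 0) }'
}

# Rules on stdin. Print one delete command per echo-request rule that sits
# behind the first one and can therefore never match.
stale_rule_cleanup() {
    echo_request_rules | sed -e '1d' -e 's/^-A /iptables -D /'
}

# Usage on a live system:
#   sudo iptables -S INPUT | echo_request_verdict
```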

Wrap Up

Note that the ping ICMP requests can also be blocked via the UFW (Uncomplicated Firewall) or Firewalld in Ubuntu and Red Hat systems, but the above methods will work in both of these systems.

If you want me to include them in the article, then do let me know in the comment section. Also, your questions and queries are welcome.

Till then, peace!
