
Ping is a network utility used to check the availability of a system on an internet protocol network using the ICMP echo request and echo reply messages. 

However, some network administrators prefer to block ping because they consider it a security issue.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers with Debian-related queries.

In this context, we shall look into how to block or unblock ping requests on Debian.

Previously, we explained how to block or unblock ping requests on Ubuntu 20.04.


How to Block or Unblock Ping Requests on Debian?

Ping sends an ICMP echo request towards the target system and then obtains an ICMP echo reply. 

In Linux OS, when you ping an IP address, it continues to send ICMP packets until you press Ctrl+C to stop it. 

To send a specific number of packets, use ping with the -c option.

For instance, to send 3 ICMP packets, you can use the following command:

$ ping -c 3 <ip-address or hostname>

To block ping requests to the Debian system, there are the following two options:

i. Through kernel parameters

ii. Through iptables


Now let's have a look at both options for blocking ping requests on a Debian system.


How to Block or Unblock Ping Requests through Kernel Parameters?

Ping requests can be blocked or unblocked by modifying the kernel parameter net.ipv4.icmp_echo_ignore_all.

This parameter controls whether the system should respond to ping requests or not. 

The default value of the kernel parameter net.ipv4.icmp_echo_ignore_all is "0", which means all ping requests are allowed.

By modifying the value of this kernel parameter, you can make the system block the ping requests.


There are three different ways to modify the kernel parameters:

i. Through "sysctl" command

ii. Through "icmp_echo_ignore_all" file

iii. Through "/etc/sysctl.conf" file


To find whether the system is currently blocking or allowing the ping requests, issue the following command in Terminal:

$ sudo sysctl -ar 'icmp_echo'

A value of "0" for "icmp_echo_ignore_all" means ping is unblocked, while a value of "1" means ping is blocked.


How to Block or Unblock Ping Requests through "sysctl" Command (Temporarily)?

If you need to temporarily block the ping requests to your system, you can use the sysctl command as follows:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

After running the above command, the machine will start blocking the ping requests coming to it. 

Now if another system tries to ping your system, it will see no response.

However, as stated before, this change will be temporary. 

As soon as you reboot the system, the kernel parameter value will revert to its original value and ping will be unblocked again.

You can also unblock ping using the below command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0


How to Block or Unblock Ping Requests through icmp_echo_ignore_all File (Temporarily)?

The /proc/sys/net/ipv4/ directory contains a file icmp_echo_ignore_all which controls whether the system should respond to ping requests or not.

To block ping requests, you will need to change the value in the icmp_echo_ignore_all file from "0" to "1".

You can do this using the below command:

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all'

However, this change will be temporary. 

As soon as you reboot the system, the kernel parameter value will revert to its original value and ping will be unblocked again.

You can also unblock ping using the below command:

$ sudo sh -c 'echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all'


How to Block or Unblock Ping Requests through "/etc/sysctl.conf" File (Permanently)?

Ping requests can also be permanently blocked using the /etc/sysctl.conf file. In order to permanently block ping requests, first edit the /etc/sysctl.conf file using the following command:

$ sudo nano /etc/sysctl.conf

Now in the edited file, add the following line:

net.ipv4.icmp_echo_ignore_all = 1

Now save and close the /etc/sysctl.conf file and run the following command to apply the changes:

$ sudo sysctl -p

To unblock ping, edit the /etc/sysctl.conf file and change the value of net.ipv4.icmp_echo_ignore_all back to 0:

net.ipv4.icmp_echo_ignore_all = 0


How to Block or Unblock Ping Requests Using iptables (Permanently)?

Iptables is a command-line utility in Linux that allows or blocks traffic based on a set of rules. The Debian distribution includes the iptables utility by default.

However, if your system does not have this utility, you can install it as follows:

$ sudo apt-get install iptables

Now issue the below command in Terminal to block ping requests:

$ sudo iptables -A INPUT -p icmp --icmp-type 8 -j REJECT

In the above command, the -A option is used for appending a rule in iptables and --icmp-type 8 is used for ICMP echo requests.

This command adds a rule in the firewall in order to block all incoming pings to your system. After adding this rule, the system will reject all the ping requests coming to it. 

Now if another system tries to ping your system, it will receive the "Destination Port Unreachable" message.


If you do not want the sending user to see the Destination Port Unreachable message, use DROP instead of REJECT in the above command as follows:

$ sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP

Now if a user pings your system, they will receive no response.


To unblock ping, use the below command:

$ sudo iptables -D INPUT -p icmp --icmp-type 8 -j REJECT

Or the below command if you have used the DROP option in iptables rule:

$ sudo iptables -D INPUT -p icmp --icmp-type 8 -j DROP

In the above command, the -D option is used for deleting a rule in iptables and --icmp-type 8 is used for ICMP echo requests.


To list the rules in your iptables, use the following command:

$ sudo iptables -L

The iptables rules we have added above will not survive a system reboot.

To make them survive a reboot, you will have to install the iptables-persistent package. 

Run the following command to install it:

$ sudo apt install iptables-persistent

After each rule you add or delete in iptables, run the following commands to make these rules persistent after reboot:

$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload
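
As an added example (not part of the original article), the script below combines both methods to report what a remote host pinging the machine would see now and after a reboot. The helper names conf_value, fw_verdict and ping_outcome are hypothetical, the sample inputs are constructed, and only echo-request rules of the form shown on this page are considered.

```sh
#!/bin/sh
KEY=net.ipv4.icmp_echo_ignore_all

# Last uncommented assignment of KEY in a sysctl.conf-style file wins.
# Prints 0 (the kernel default) when the file does not set the key.
conf_value() {
    awk -F= -v k="$KEY" '
        /^[ \t]*[#;]/ { next }
        { name = $1; gsub(/[ \t]/, "", name) }
        name == k { val = $2; gsub(/[ \t]/, "", val); found = val }
        END { print (found == "" ? 0 : found) }' "$1"
}

# Target of the first INPUT rule matching ICMP echo requests in saved
# "iptables -S INPUT" output; prints NONE when there is no such rule.
fw_verdict() {
    awk '
        $1 == "-A" && $2 == "INPUT" && / -p icmp / &&
        / --icmp-type (8|echo-request) / {
            for (i = 1; i < NF; i++)
                if ($i == "-j") { print $(i + 1); hit = 1; exit }
        }
        END { if (!hit) print "NONE" }' "$1"
}

# What a remote pinger observes. The INPUT chain runs before the kernel's
# ICMP handler, so a firewall rule takes effect before the sysctl does.
ping_outcome() {    # $1 = icmp_echo_ignore_all value, $2 = fw_verdict output
    case $2 in
        REJECT) echo unreachable ;;   # "Destination Port Unreachable"
        DROP)   echo silent ;;
        *)      if [ "$1" = 1 ]; then echo silent; else echo reply; fi ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s\n' '#net.ipv4.icmp_echo_ignore_all = 1' \
    'net.ipv4.icmp_echo_ignore_all = 0' > "$work/sysctl.conf"
printf '%s\n' '-P INPUT ACCEPT' \
    '-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP' > "$work/rules"

runtime=1    # as after: sysctl -w net.ipv4.icmp_echo_ignore_all=1
echo "now:          $(ping_outcome "$runtime" "$(fw_verdict "$work/rules")")"
# Unsaved rules and sysctl -w changes are lost at reboot, so only the
# sysctl.conf value remains.
echo "after reboot: $(ping_outcome "$(conf_value "$work/sysctl.conf")" NONE)"
```

On a live system, feed it /etc/sysctl.conf, the contents of /proc/sys/net/ipv4/icmp_echo_ignore_all and the saved output of "sudo iptables -S INPUT" instead of the sample files.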




Conclusion