Building off the previous post, let’s now take it a step further and lock down ICMP traffic.
If your iptables INPUT chain default policy has been set to DROP, then you probably noticed that pinging the server externally presented you with 100% packet loss (as it should).
The ICMP protocol has several types of control messages. We’re going to use control message type 8, “echo request”; in other configurations it may also be useful to allow control message type 0, “echo reply”.
To whitelist ICMP traffic from a specific host, add the following policy, as root (or via sudo):
Replace <HOST> with the source IP address (DNS and/or CIDR supported) you want to ping from.
Verify that the new policy exists:
Save your updated iptables ruleset:
Stay tuned for more!