Prevent hosts on LAN using PING command.

rebelxguy88
DD-WRT Novice


Joined: 16 Feb 2014
Posts: 3

Posted: Tue Jul 29, 2014 0:22    Post subject: Prevent hosts on LAN using PING command.
I want to figure out how I can block/drop all ICMP packets going outside my network. Essentially I wish to block use of the PING command on all hosts on the network.

I found some things on Google advising to use iptables, but can't seem to get it working.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Tue Jul 29, 2014 8:13    Post subject:
Code:
iptables -A FORWARD -i br0 -p icmp --icmp-type echo-request -j DROP


Will block ping from the LAN to the Internet.
Ping from one LAN node to another will not be blocked as it does not pass the firewall.
rebelxguy88
DD-WRT Novice


Joined: 16 Feb 2014
Posts: 3

Posted: Sun Aug 24, 2014 4:34    Post subject:
While it appears that command has worked, as it's now listed in the IPTABLES,

I am still able to ping from all my internal PCs to the outside of the network.

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       udp  --  anywhere             anywhere            udp dpt:route
DROP       udp  --  anywhere             anywhere            udp dpt:route
ACCEPT     udp  --  anywhere             anywhere            udp dpt:route
DROP       icmp --  anywhere             anywhere           
DROP       igmp --  anywhere             anywhere           
ACCEPT     0    --  anywhere             anywhere            state NEW
ACCEPT     0    --  anywhere             anywhere            state NEW
DROP       0    --  anywhere             anywhere           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     gre  --  192.168.1.0/24       anywhere           
ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:1723
lan2wan    0    --  anywhere             anywhere           
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere           
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere           
ACCEPT     0    --  anywhere             anywhere            state NEW
DROP       0    --  anywhere             anywhere           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain advgrp_1 (0 references)
target     prot opt source               destination         
Chain advgrp_10 (0 references)
target     prot opt source               destination         
Chain advgrp_2 (0 references)
target     prot opt source               destination         
Chain advgrp_3 (0 references)
target     prot opt source               destination         
Chain advgrp_4 (0 references)
target     prot opt source               destination         
Chain advgrp_5 (0 references)
target     prot opt source               destination         
Chain advgrp_6 (0 references)
target     prot opt source               destination         
Chain advgrp_7 (0 references)
target     prot opt source               destination         
Chain advgrp_8 (0 references)
target     prot opt source               destination         
Chain advgrp_9 (0 references)
target     prot opt source               destination         
Chain grp_1 (0 references)
target     prot opt source               destination         
Chain grp_10 (0 references)
target     prot opt source               destination         
Chain grp_2 (0 references)
target     prot opt source               destination         
Chain grp_3 (0 references)
target     prot opt source               destination         
Chain grp_4 (0 references)
target     prot opt source               destination         
Chain grp_5 (0 references)
target     prot opt source               destination         
Chain grp_6 (0 references)
target     prot opt source               destination         
Chain grp_7 (0 references)
target     prot opt source               destination         
Chain grp_8 (0 references)
target     prot opt source               destination         
Chain grp_9 (0 references)
target     prot opt source               destination         
Chain lan2wan (1 references)
target     prot opt source               destination         
Chain logaccept (0 references)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere           
Chain logdrop (0 references)
target     prot opt source               destination         
DROP       0    --  anywhere             anywhere           
Chain logreject (0 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
Chain trigger_out (1 references)
target     prot opt source               destination         
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Sun Aug 24, 2014 12:32    Post subject:
To block ping going outside your network for a single host:
Code:
iptables -I FORWARD -s 192.168.1.113/32 -m ndpi --icmp -j DROP


For blocking LAN-to-LAN ping you must use ebtables, and that involves installing ebtables modules with the insmod command, etc...
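
How rule order decides whether an ICMP DROP in FORWARD is ever reached, as an added example that is not part of any post in this thread: a first-match walk over a constructed listing modelled on the FORWARD chain posted above, once with the rule appended (`-A`) and once with it inserted at the head (`-I`). The function names, the sample rule line and the treatment of user chains as fall-through are assumptions.

```shell
#!/bin/sh
# Added example: first-match walk of an `iptables -L` chain listing for one
# packet, a NEW ICMP echo-request from the LAN. Prints "<rule number> <target>".
# Assumptions: targets other than ACCEPT/DROP/REJECT fall through (lan2wan and
# trigger_out are empty in the thread's listing); source/destination columns
# are not evaluated.
first_match() {
  awk '
    /^Chain / || /^target / || NF == 0 { next }
    { n++ }
    $1 != "ACCEPT" && $1 != "DROP" && $1 != "REJECT" { next }
    $2 != "0" && $2 != "all" && $2 != "icmp" { next }
    {
      extra = ""
      for (i = 6; i <= NF; i++) extra = extra " " $i
      # No extra match, a state match that includes NEW, or an echo-request match
      if (extra == "" || extra ~ /state .*NEW/ || extra ~ /echo-request/) {
        print n, $1; found = 1; exit
      }
    }
    END { if (!found) print "0 POLICY" }
  '
}

# Constructed listing modelled on the FORWARD chain posted in the thread.
base_rules() {
  cat <<'EOF'
ACCEPT     gre  --  192.168.1.0/24       anywhere
ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:1723
lan2wan    0    --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW
DROP       0    --  anywhere             anywhere
EOF
}
# Constructed line for the echo-request DROP rule as `iptables -L` would print it.
ICMP_RULE='DROP       icmp --  anywhere             anywhere            icmp echo-request'

appended() { { base_rules; echo "$ICMP_RULE"; } | first_match; }  # rule added with -A
inserted() { { echo "$ICMP_RULE"; base_rules; } | first_match; }  # rule added with -I

echo "-A FORWARD: echo-request decided by rule $(appended)"
echo "-I FORWARD: echo-request decided by rule $(inserted)"
```

Plain `iptables -L` hides interface matches, so a rule printed as `ACCEPT 0 -- anywhere anywhere` may be narrower than it looks; `iptables -L FORWARD -v -n --line-numbers` shows interfaces, rule numbers and per-rule packet counters.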