rebelxguy88 DD-WRT Novice Joined: 16 Feb 2014 Posts: 3
Posted: Tue Jul 29, 2014 0:22 Post subject: Prevent hosts on LAN using PING command.
I want to figure out how I can block/drop all ICMP packets going outside my network. Essentially I wish to block use of the PING command on all hosts on the network.
I found some things on Google advising to use iptables, but I can't seem to get it working.
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6870 Location: Romerike, Norway
Posted: Tue Jul 29, 2014 8:13 Post subject:
Code: iptables -A FORWARD -i br0 -p icmp --icmp-type echo-request -j DROP
Will block ping from the LAN to the Internet.
Ping from one LAN node to another will not be blocked as it does not pass the firewall.
rebelxguy88 DD-WRT Novice Joined: 16 Feb 2014 Posts: 3
Posted: Sun Aug 24, 2014 4:34 Post subject:
While it appears that the command has worked, as it's now listed in the iptables output,
I am still able to ping from all my internal PCs to the outside of the network.
Code: Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
lan2wan 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain grp_1 (0 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain lan2wan (1 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
Chain trigger_out (1 references)
target prot opt source destination
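A check that follows from the two posts above (Per Yngve Berg's FORWARD rule and the listing rebelxguy88 posted): in that listing the only "DROP icmp" rule sits in the INPUT chain, which protects the router itself, while the FORWARD chain, the one traffic from the LAN to the Internet passes through, has no ICMP rule at all. The script below is an added example, not code from the thread or from DD-WRT; it reads the text of `iptables -L` and reports which chains drop ICMP, and the two listings embedded in it are constructed samples modelled on the posted output.

```shell
#!/bin/sh
# Added example: find the chains that carry a DROP rule for ICMP in the
# output of `iptables -L` (on the router: iptables -L | icmp_drop_chains).
# The chain that matters for LAN-to-Internet ping is FORWARD; a hit only
# in INPUT means the router blocks pings aimed at itself, not pings that
# it forwards for LAN hosts.
icmp_drop_chains() {
    awk '
        /^Chain / { chain = $2; next }               # remember current chain
        $1 == "DROP" && $2 == "icmp" { print chain }  # DROP rule, proto icmp
    '
}

# Returns 0 when the FORWARD chain has an ICMP DROP rule, 1 otherwise.
forward_blocks_icmp() {
    printf '%s' "$1" | icmp_drop_chains | grep -qx FORWARD
}

# Constructed sample, trimmed to the shape of the listing in the thread:
# the icmp DROP is in INPUT only, so LAN hosts can still ping outward.
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP 0 -- anywhere anywhere
'

# Constructed sample of the same listing after the FORWARD rule
# `iptables -A FORWARD -i br0 -p icmp --icmp-type echo-request -j DROP`
# has been applied (as `iptables -L` would display it).
SAMPLE_AFTER='Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
'

if forward_blocks_icmp "$SAMPLE_BEFORE"; then
    echo "FORWARD drops ICMP: LAN-to-Internet ping is blocked"
else
    echo "FORWARD has no ICMP DROP rule: LAN hosts can still ping outward"
fi
```

On DD-WRT a rule entered at the shell disappears on reboot or firewall restart unless it is saved under Administration > Commands > Save Firewall, which is the usual reason a rule that "worked" is missing from a later listing.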
Mile-Lile DD-WRT Guru Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Sun Aug 24, 2014 12:32 Post subject:
To block ping going outside your network for a single host:
Code: iptables -I FORWARD -s 192.168.1.113/32 -m ndpi --icmp -j DROP
For blocking LAN-to-LAN ping you must use ebtables, and that involves installing the ebtables modules with the insmod command, etc.