iptables Configuration to Allow ping

Environment

  • CentOS 5.8

What We Want to Achieve

Server A allows ping only from Server B.

+----------+   Ping Request  +----------+
|          | <-------------- |          |
| Server A |                 | Server B |
|          | --------------> |          |
+----------+  Ping Response  +----------+

Configuration to Allow ping from a Specific IP

Run the following commands on Server A.

[Server A]# iptables -A INPUT -p icmp --icmp-type 8 -s <Server B IP address> -j ACCEPT
[Server A]# iptables -A OUTPUT -p icmp --icmp-type 0 -d <Server B IP address> -j ACCEPT
[Server A]# service iptables save
  • --icmp-type 8 allows the Echo Request sent by Server B (INPUT chain)
  • --icmp-type 0 allows the Echo Reply returned to Server B (OUTPUT chain); the reply is addressed to Server B, so the OUTPUT rule matches on -d, not -s
  • service iptables save writes the running rules to /etc/sysconfig/iptables; a service iptables restart without saving first reloads the old file and discards rules added with iptables -A
  • -A appends at the end of the chain, so ping is limited to Server B only if no earlier rule already accepts all ICMP and echo requests from other hosts are rejected later in the chain or by its policy; check the order with iptables -L INPUT -n --line-numbers
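Because an appended rule is shadowed by any earlier ICMP accept, it is worth verifying the chain rather than trusting the command. The script below is an added example (not from the original post): it replays the INPUT chain over the text of iptables -S INPUT and reports whether echo requests reach ACCEPT only from the allowed host. The two rulesets, the addresses 192.0.2.10 (Server B) and 203.0.113.99 (any other host) are constructed samples; rules bound to -i lo or -m state are treated as not matching a fresh request from a remote host, which is a simplification.

```shell
# Added example, not from the original post: replay the INPUT chain over the
# output of `iptables -S INPUT` to check that ICMP echo requests are accepted
# only from the allowed host ("-i lo"/"-m state" rules are treated as no match).

# Constructed sample: the post's rule appended below a stock "-p icmp -j ACCEPT",
# which shadows it, so ping stays open to everyone.
SHADOWED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -s 192.0.2.10/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample without the broad ICMP accept: only 192.0.2.10 may ping.
RESTRICTED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -s 192.0.2.10/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# echo_verdict RULES SRC: target of the first rule an echo request from SRC hits
# (first match wins), or the chain policy when no rule matches.
echo_verdict() {
    printf '%s\n' "$1" | awk -v src="$2" '
    /^-P INPUT / { policy = $3; next }
    !/^-A INPUT / { next }
    {
        proto = ""; type = ""; source = ""; target = ""; skip = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--icmp-type") type = $(i + 1)
            else if ($i == "-s") source = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if (($i == "-i" && $(i + 1) == "lo") || ($i == "-m" && $(i + 1) == "state")) skip = 1
        }
        if (skip || (proto != "" && proto != "icmp")) next
        if (type != "" && type != "8" && type != "echo-request") next
        if (source != "" && source != src && source != (src "/32")) next
        print target; found = 1; exit
    }
    END { if (!found) print policy }'
}

# ping_policy RULES ALLOWED_IP: "open" if any host reaches ACCEPT,
# "blocked" if even ALLOWED_IP does not, otherwise "restricted".
ping_policy() {
    other=$(echo_verdict "$1" 203.0.113.99)   # a host that is not allowed
    allowed=$(echo_verdict "$1" "$2")
    if [ "$other" = ACCEPT ]; then echo open
    elif [ "$allowed" != ACCEPT ]; then echo blocked
    else echo restricted; fi
}
```

On Server A itself, run ping_policy "$(iptables -S INPUT)" <Server B IP address> to check the live chain.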

Running ping from Server B

[Server B]# ping <Server A IP address>

PING (<Server A IP address>): 56 data bytes
64 bytes from (<Server A IP address>): icmp_seq=0 ttl=58 time=4.411 ms
64 bytes from (<Server A IP address>): icmp_seq=1 ttl=58 time=4.079 ms
64 bytes from (<Server A IP address>): icmp_seq=2 ttl=58 time=4.027 ms
^C
--- (<Server A IP address>) ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.027/4.172/4.411/0.170 ms

icmp-type List

The list below is taken from asahi-net, Appendix C. ICMP Types.

| TYPE  | CODE | Meaning                                                | Query | Error | Reference     |
|-------|------|--------------------------------------------------------|-------|-------|---------------|
| 0     | 0    | Echo Reply                                             | x     |       | RFC792        |
| 3     | 0    | Network Unreachable                                    |       | x     | RFC792        |
| 3     | 1    | Host Unreachable                                       |       | x     | RFC792        |
| 3     | 2    | Protocol Unreachable                                   |       | x     | RFC792        |
| 3     | 3    | Port Unreachable                                       |       | x     | RFC792        |
| 3     | 4    | Fragmentation needed but no frag. bit set              |       | x     | RFC792        |
| 3     | 5    | Source routing failed                                  |       | x     | RFC792        |
| 3     | 6    | Destination network unknown                            |       | x     | RFC792        |
| 3     | 7    | Destination host unknown                               |       | x     | RFC792        |
| 3     | 8    | Source host isolated (obsolete)                        |       | x     | RFC792        |
| 3     | 9    | Destination network administratively prohibited       |       | x     | RFC792        |
| 3     | 10   | Destination host administratively prohibited          |       | x     | RFC792        |
| 3     | 11   | Network unreachable for TOS                            |       | x     | RFC792        |
| 3     | 12   | Host unreachable for TOS                               |       | x     | RFC792        |
| 3     | 13   | Communication administratively prohibited by filtering |       | x     | RFC1812       |
| 3     | 14   | Host precedence violation                              |       | x     | RFC1812       |
| 3     | 15   | Precedence cutoff in effect                            |       | x     | RFC1812       |
| 4     | 0    | Source quench                                          |       |       | RFC792        |
| 5     | 0    | Redirect for network                                   |       |       | RFC792        |
| 5     | 1    | Redirect for host                                      |       |       |               |
| 5     | 2    | Redirect for TOS and network                           |       |       | RFC792        |
| 5     | 3    | Redirect for TOS and host                              |       |       | RFC792        |
| 8     | 0    | Echo request                                           | x     |       | RFC792        |
| 9     | 0    | Router advertisement - Normal router advertisement     |       |       | RFC1256       |
| 9     | 16   | Router advertisement - Does not route common traffic   |       |       | RFC2002       |
| 10    | 0    | Route selection                                        |       |       | RFC1256       |
| 11    | 0    | TTL equals 0 during transit                            |       | x     | RFC792        |
| 11    | 1    | TTL equals 0 during reassembly                         |       | x     | RFC792        |
| 12    | 0    | IP header bad (catchall error)                         |       | x     | RFC792        |
| 12    | 1    | Required options missing                               |       | x     | RFC1108       |
| 12    | 2    | IP Header bad length                                   |       | x     | RFC792        |
| 13    | 0    | Timestamp request (obsolete)                           | x     |       | RFC792        |
| 14    |      | Timestamp reply (obsolete)                             | x     |       | RFC792        |
| 15    | 0    | Information request (obsolete)                         | x     |       | RFC792        |
| 16    | 0    | Information reply (obsolete)                           | x     |       | RFC792        |
| 17    | 0    | Address mask request                                   | x     |       | RFC950        |
| 18    | 0    | Address mask reply                                     | x     |       | RFC950        |
| 20-29 |      | Reserved for robustness experiment                     |       |       | Zaw-Sing Su   |
| 30    | 0    | Traceroute                                             | x     |       | RFC1393       |
| 31    | 0    | Datagram Conversion Error                              |       | x     | RFC1475       |
| 32    | 0    | Mobile Host Redirect                                   |       |       | David Johnson |
| 33    | 0    | IPv6 Where-Are-You                                     | x     |       | Bill Simpson  |
| 34    | 0    | IPv6 I-Am-Here                                         | x     |       | Bill Simpson  |
| 35    | 0    | Mobile Registration Request                            | x     |       | Bill Simpson  |
| 36    | 0    | Mobile Registration Reply                              | x     |       | Bill Simpson  |
| 39    | 0    | SKIP                                                   |       |       | Tom Markson   |
| 40    | 0    | Photuris                                               |       |       | RFC2521       |
kenzo0107