MoxVlog

UFW: Allow ping requests only for specific host

I am setting up my server and I must disable ping requests for everyone except me and a list of hosts (aaa.bbb.ccc.ddd).

I am using the tool ufw on Ubuntu Server. I read that I have to comment out these lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

However, doing that will prevent everyone from pinging, which is a problem because I need "aaa.bbb.ccc.ddd" to get a response to its ping requests.

Can you help me to write the correct command?

Thank you very much in advance.

1 Answer

I just stumbled on this 4 month old question. It really should be listed on a different StackExchange (such as ServerFault), but sometimes even a developer needs to configure a firewall. As it is, I'm here with an answer for you.

For your firewall rules, you'll want to accept packets from your safe IPs first and then drop the rest. Here's how I did it:

Let's assume you only want to accept one safe IP for pings and that IP address is '127.0.0.1'. Of course, this IP could be any address you want (just create more rules or define subnets for additional addresses).

Step 1

First thing to check is the following in /etc/ufw/sysctl.conf

net/ipv4/icmp_echo_ignore_all=1 

...should be rewritten with a 0 if it is not already...

net/ipv4/icmp_echo_ignore_all=0 

Step 2

Add rules for IPv4 into /etc/ufw/before.rules

# put this in place of the unrestricted "--icmp-type echo-request -j ACCEPT" line in the "ok icmp codes" block;
# no "-m state --state ESTABLISHED" here: an incoming echo-request that starts a ping is conntrack state NEW,
# so a rule restricted to ESTABLISHED never matches it (and the earlier RELATED,ESTABLISHED rule already covers that case)
-A ufw-before-input -p icmp --icmp-type echo-request -s 127.0.0.1 -j ACCEPT

Step 3 (for IPv6 support)

Add rules for IPv6 into /etc/ufw/before6.rules

# same idea for IPv6; the source must be an IPv6 address (ip6tables rejects 127.0.0.1),
# so ::1 (the IPv6 loopback) stands in here as the placeholder for your safe host
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -s ::1 -j ACCEPT

Step 4

Now, restart your firewall and drink a beverage of your choice.

service ufw restart 

Valeria Galgano

Update: 2024-06-03
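The answer above shows one safe host hand-edited into before.rules. The following shell functions, added here as a worked example and not part of the original question or answer, generate the same allow-list for any number of hosts (the asker had a list) and splice it into a copy of the rules file in place of the stock unrestricted echo-request ACCEPT, followed by an explicit DROP so everything not listed is refused regardless of the default policy. Assumptions: the rules file still contains the stock line `-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT` (or the `ufw6-before-input`/`icmpv6` equivalent in before6.rules), hosts are passed as IPv4/IPv6 addresses or CIDRs, and the sysctl change from Step 1 is done separately. The function names `icmp_match`, `ping_allow_rules` and `apply_ping_allowlist` are this example's own.

```shell
#!/usr/bin/env bash
# Added example: build a per-host ICMP echo-request allow-list for ufw's
# before.rules / before6.rules. Not code from the original answer.
set -eu

# Match prefix for an echo-request rule in the given address family (4 or 6).
icmp_match() {
    if [ "$1" = 6 ]; then
        printf '%s' '-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request'
    else
        printf '%s' '-A ufw-before-input -p icmp --icmp-type echo-request'
    fi
}

# Print one ACCEPT rule per safe host, then a DROP for every other echo-request.
# No conntrack state match: a fresh echo-request is state NEW, so an
# ESTABLISHED-only rule would never let the first ping through.
# $1 = address family (4 or 6), remaining args = hosts or CIDRs.
ping_allow_rules() {
    local family=$1; shift
    local match host
    match=$(icmp_match "$family")
    for host in "$@"; do
        printf '%s\n' "$match -s $host -j ACCEPT"
    done
    printf '%s\n' "$match -j DROP"
}

# Rewrite a rules file: replace the stock unrestricted echo-request ACCEPT with
# the allow-list block and print the result to stdout (the caller installs it).
# $1 = address family, $2 = path to before.rules or before6.rules, rest = hosts.
apply_ping_allowlist() {
    local family=$1 rules_file=$2; shift 2
    local stock block
    if [ $# -lt 1 ]; then
        echo "apply_ping_allowlist: need at least one safe host" >&2
        return 1
    fi
    stock="$(icmp_match "$family") -j ACCEPT"
    # Refuse to proceed if the stock line is absent: the file is already
    # customised or is a different ufw version, so do not guess where to insert.
    if ! grep -qxF -- "$stock" "$rules_file"; then
        echo "apply_ping_allowlist: stock echo-request rule not found in $rules_file" >&2
        return 1
    fi
    block=$(ping_allow_rules "$family" "$@")
    # Copy every line through unchanged except the stock rule, which becomes the block.
    awk -v stock="$stock" -v block="$block" '
        $0 == stock { print block; next }
        { print }
    ' "$rules_file"
}

# Usage on a real box (as root, keep a backup of the original file):
#   apply_ping_allowlist 4 /etc/ufw/before.rules 203.0.113.7 198.51.100.0/24 > /tmp/before.rules.new \
#     && install -m 0640 /tmp/before.rules.new /etc/ufw/before.rules && ufw reload
#   apply_ping_allowlist 6 /etc/ufw/before6.rules 2001:db8::1 > /tmp/before6.rules.new \
#     && install -m 0640 /tmp/before6.rules.new /etc/ufw/before6.rules && ufw reload
```

Run it on a constructed copy of before.rules first and diff the output against the original; the only change should be the single echo-request line expanding into the ACCEPT lines for your hosts plus the trailing DROP, with the other "ok icmp codes" rules (destination-unreachable, time-exceeded, and so on) left intact so path MTU discovery and traceroute keep working.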