How to disable ping ICMP responses?

I've tested my machine with the Shields Up application on the grc dot com site, where it was indicated that my machine was not fully stealth, because it was replying to ping packets sent from this site. So I've tried several methods, but none resulted in success.

First I've tried with editing /etc/sysctl.conf by a
net.ipv4.icmp_echo_ignore_all=1

Next I've edited the /etc/ufw/before.rules file by adding this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

I've also tried these iptables commands:
iptables -A INPUT --proto icmp -j DROP
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP

And finally I've tried editing the crontab with crontab -e, adding the following line:
@reboot echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Did you disable ICMP echo also on your cable/satellite/adsl modem/router?

1 Like

I know it is possible to do on a router. But I wanted to try to disable ping responses on my machine independently of the router. I want to know how it could be done, so that when I connect with my Ubuntu laptop on some public wi-fi, I could be sure that nobody could ping my machine.

If you really want to do that, globally, then you can do that by setting the kernel parameter as follows:

net.ipv4.icmp_echo_ignore_all=1
net.ipv6.icmp.echo_ignore_all=1

I am not sure of the implications regarding your home cable modem/router for interactions required by the ISP.

You may also want to review the article here.

2 Likes
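To confirm that the two kernel parameters above are both live and persisted, here is a small audit script, added as an example and not code from any poster in this thread. `PROC_ROOT` and `CONF_FILES` are hypothetical override variables introduced here so the functions can be pointed at constructed files; reading `/etc/sysctl.d/*.conf` before `/etc/sysctl.conf` with the last assignment winning is a simplifying assumption about load order.

```shell
#!/bin/sh
# Added example: compare live ICMP echo settings with the persisted ones.
# PROC_ROOT and CONF_FILES are hypothetical overrides used only for testing.
KEYS="net.ipv4.icmp_echo_ignore_all net.ipv6.icmp.echo_ignore_all"

# runtime_value KEY: print the value the running kernel uses, or "unset".
runtime_value() {
    path="${PROC_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then tr -d ' \t\n' < "$path"; else printf 'unset'; fi
}

# persisted_value KEY: print the last value assigned in the sysctl config
# files (assumption: later files and later lines override earlier ones).
persisted_value() {
    val=$(cat ${CONF_FILES:-/etc/sysctl.d/*.conf /etc/sysctl.conf} 2>/dev/null |
        awk -F= -v key="$1" '
            /^[ \t]*[#;]/ { next }    # skip comment lines
            { k = $1; v = $2
              gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
              if (k == key) last = v }
            END { if (last != "") print last }')
    printf '%s' "${val:-unset}"
}

# audit_key KEY: print one status line; succeed only if the key is set to 1
# both in the running kernel and in the config files.
audit_key() {
    rt=$(runtime_value "$1")
    ps=$(persisted_value "$1")
    if [ "$rt" = 1 ] && [ "$ps" = 1 ]; then status=OK
    elif [ "$rt" = 1 ]; then status=NOT_PERSISTED   # will be lost at reboot
    elif [ "$ps" = 1 ]; then status=NOT_APPLIED     # file edited, not loaded
    else status=REPLYING                            # host answers echo requests
    fi
    printf '%s runtime=%s persisted=%s %s\n' "$1" "$rt" "$ps" "$status"
    [ "$status" = OK ]
}

# audit_all: check both address families; non-zero if either is not OK.
audit_all() {
    rc=0
    for key in $KEYS; do audit_key "$key" || rc=1; done
    return $rc
}

# Run against the real system only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then audit_all; fi
```

A `NOT_APPLIED` result means the file was edited but the value was never loaded into the running kernel; `sysctl -p` (or a reboot) loads `/etc/sysctl.conf`.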

Since I don't know your setup, I assume this:

ISP -> modem/router/NAT/Firewall -> your computer

In short:
You cannot ping your computer from outside your home-subnet because your computer is behind the NAT of the router.

If you ping your home from outside, your router answers, not your computer.

You cannot use port-forwarding to forward ICMP requests to your computer because they are not TCP/UDP port bound and therefore not forwardable.

2 Likes

This is interesting. When I use my regular connection, my PC passes the 'true stealth analysis' on the grc dot com site, in both cases (with just my wifi access point and with access point and router). But when I try with a VPN then the 'true stealth analysis' fails. :confused:

Sorry! I can't help you there.

You may get insights from reading this other posting on StackExchange.

Nothing wrong with healthy ping, types 0, 3, 8, essential for good networking.

Just want to share that comment I saw elsewhere. I don't know enough to endorse/question this.

2 Likes

VPN just adds one more step to the ladder drawn by @tkn and VPN's public address might answer.

3 Likes

... and that would only be the web-facing VPN's router, not the VPN's router publishing anything about your computer or contents of the encrypted data stream.

Correct?

2 Likes