After configuring the iptables policy, INPUT is generally set to DROP and rules are then added to let the wanted traffic through. When executing:

    iptables -P INPUT DROP

the machine can no longer be pinged, because ICMP has not been added to the rules!
So I executed the following command:

    iptables -A INPUT -p icmp -j ACCEPT

Still can't ping it!!
After searching the web, I used the following commands:

    iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

But it still can't be pinged!
Finally, searching online for the ICMP types, I found the following table:
TYPE | CODE | Description                                          | Query | Error
0    | 0    | Echo reply (ping answer)                             | X     |
3    | 0    | Network unreachable                                  |       | X
3    | 1    | Host unreachable                                     |       | X
3    | 2    | Protocol unreachable                                 |       | X
3    | 3    | Port unreachable                                     |       | X
3    | 4    | Fragmentation needed but don't-fragment bit set      |       | X
3    | 5    | Source routing failed                                |       | X
3    | 6    | Destination network unknown                          |       | X
3    | 7    | Destination host unknown                             |       | X
3    | 8    | Source host isolated (obsolete)                      |       | X
3    | 9    | Destination network administratively prohibited      |       | X
3    | 10   | Destination host administratively prohibited         |       | X
3    | 11   | Network unreachable for TOS                          |       | X
3    | 12   | Host unreachable for TOS                             |       | X
3    | 13   | Communication administratively prohibited by filtering |     | X
3    | 14   | Host precedence violation                            |       | X
3    | 15   | Precedence cutoff in effect                          |       | X
4    | 0    | Source quench (basic flow control)                   |       |
5    | 0    | Redirect for network                                 |       |
5    | 1    | Redirect for host                                    |       |
5    | 2    | Redirect for TOS and network                         |       |
5    | 3    | Redirect for TOS and host                            |       |
8    | 0    | Echo request (ping request)                          | X     |
9    | 0    | Router advertisement                                 |       |
10   | 0    | Router solicitation                                  |       |
11   | 0    | TTL equals 0 during transit                          |       | X
11   | 1    | TTL equals 0 during reassembly                       |       | X
12   | 0    | IP header bad (catch-all error)                      |       | X
12   | 1    | Required option missing                              |       | X
13   | 0    | Timestamp request (obsolete)                         | X     |
14   |      | Timestamp reply (obsolete)                           | X     |
15   | 0    | Information request (obsolete)                       | X     |
16   | 0    | Information reply (obsolete)                         | X     |
17   | 0    | Address mask request                                 | X     |
18   | 0    | Address mask reply                                   |       |
From the table it is easy to see that a ping request is ICMP type 8 and a ping reply is type 0.
So change the iptables rules to:

    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

And then you find that you can ping it!
Then save the firewall rules and restart the firewall:

    service iptables save
    service iptables restart
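The same setup as a script, added here as an example (it is not code from the original post): a DROP default policy on INPUT that accepts only the ICMP needed for ping, traceroute and path-MTU discovery, plus a check that the echo-request rule actually landed. It assumes the iptables binary is on the PATH (set IPT=echo for a dry run), and the rate-limit values are my own assumption.

```shell
#!/bin/sh
# Added example (not code from the original post). IPT is the iptables
# binary; set IPT=echo to dry-run and only print the commands.
IPT="${IPT:-iptables}"
# Rule order matters: -A appends, so these must be added before any later
# REJECT/DROP rule in INPUT, otherwise the packets never reach them.
add_icmp_rules() {
    # Replies to pings this host sent, and any other established flow.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Echo request (type 8): answer pings, but rate-limit them to blunt floods
    # (the 5/second and burst 10 values are assumptions, tune per host).
    "$IPT" -A INPUT -p icmp --icmp-type 8 \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    # Echo reply (type 0), for replies conntrack does not cover.
    "$IPT" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    # Destination unreachable (3) and time exceeded (11) are error messages
    # the host needs for path-MTU discovery and traceroute to work.
    "$IPT" -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
}

apply_policy() {
    "$IPT" -P INPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    add_icmp_rules
}

# Reads "iptables -S INPUT" output on stdin and succeeds only if an ACCEPT
# rule for echo request is present (iptables -S inserts "-m icmp" itself).
has_echo_request_rule() {
    grep -q -- '^-A INPUT -p icmp -m icmp --icmp-type 8 .*-j ACCEPT'
}

check_ping_rule() {
    "$IPT" -S INPUT | has_echo_request_rule
}

# Constructed sample of what "iptables -S INPUT" prints after apply_policy.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT'

if [ "${1:-}" = "apply" ]; then
    apply_policy
    check_ping_rule && echo "echo-request rule installed"
fi
```

Run it as root with the argument `apply` to install the rules; without arguments it only defines the functions, so it can be sourced or dry-run with IPT=echo.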
CentOS iptables about Ping