After configuring the iptables policy, generally input is drop and then configured to pass the
When executing:
Iptables-p INPUT DROP
, the machine can not be ping pass!
Because ICMP is not added to the rule!
So I execute the following code:
Iptables-a input-p icmp-j ACCEPT
Still can't ping pass!!
After searching the web, use the following code:
Iptables-a input-p ICMP--icmp-type 3 -j acceptiptables-a input-p ICMP--icmp-type 8 -j Acceptiptables-a input-p ICMP--icmp-type 11-j ACCEPT
But, still can't ping pass!
Finally, the online search for the next icmp-type, found the following table:
| TYPE | CODE | Description | Query | Error |
|---|---|---|---|---|
| 0 | 0 | echo reply--echoing response (ping answer) | X | |
| 3 | 0 | Network unreachable--networks not up to | X | |
| 3 | 1 | Host unreachable--hosts not up to | X | |
| 3 | 2 | Protocol unreachable--protocol not reached | X | |
| 3 | 3 | Port unreachable--Unreachable | X | |
| 3 | 4 | Fragmentation needed but no frag. Bit set--needs to be fragmented but set not to shard bits | X | |
| 3 | 5 | Source routing failed--Origin station routing failure | X | |
| 3 | 6 | Destination Network unknown--Destination Unknown | X | |
| 3 | 7 | Destination Host unknown--Destination Unknown | X | |
| 3 | 8 | Source host isolated (obsolete)--The Origin master is quarantined (obsolete) | X | |
| 3 | 9 | Destination Network Administratively prohibited--purpose networks are banned | X | |
| 3 | 10 | Destination Host administratively prohibited--destination hosts are forced to prohibit | X | |
| 3 | 11 | Network unreachable for tos--Networks unreachable due to service type TOS | X | |
| 3 | 12 | Host unreachable for tos--due to service type TOS, hosts unreachable | X | |
| 3 | 13 | Communication administratively prohibited by filtering--due to filtering, communication is forced to prohibit | X | |
| 3 | 14 | Host precedence violation--mainframe ultra vires | X | |
| 3 | 15 | Precedence cutoff in effect--priority abort effective | X | |
| 4 | 0 | SOURCE quench--is closed (basic flow control) | ||
| 5 | 0 | Redirect for network--Network redirection | ||
| 5 | 1 | Redirect for host--host redirection | ||
| 5 | 2 | Redirect for TOS and network--on service type and network redirection | ||
| 5 | 3 | Redirect for TOS and host--to service type and host redirection | ||
| 8 | 0 | echo request--echoing request (ping request) | X | |
| 9 | 0 | Router advertisement--Router Advertisement | ||
| 10 | 0 | Route solicitation--Router Request | ||
| 11 | 0 | TTL equals 0 during transit--lifetime of 0 during transmission | X | |
| 11 | 1 | TTL equals 0 during reassembly--time to live 0 during datagram assembly | X | |
| 12 | 0 | IP header Bad (catchall error)-The wrong IP header (including various errors) | X | |
| 12 | 1 | Required options missing--Missing required option | X | |
| 13 | 0 | Timestamp request (OBSOLETE)-timestamp requests (obsolete) | X | |
| 14 | Timestamp reply (OBSOLETE)--timestamp reply (void not used) | X | ||
| 15 | 0 | Information request (OBSOLETE)--Requests for information (void unused) | X | |
| 16 | 0 | Information reply (OBSOLETE)--Information response (void unused) | X | |
| 17 | 0 | Address mask request--Addressing masks request | X | |
| 18 | 0 | Address Mask reply--addresses masked answer |
From the table we are not difficult to find that the ping request is type 8 and ping answer is type 0
So change the iptables to:
Iptables-a input-p ICMP--icmp-type 0 -j acceptiptables-a input-p ICMP--icmp-type 8-j ACC EPT
And then you find that you can ping it!
Then save the firewall rule and restart the firewall:
Service iptables saveservice iptables restart
CentOS iptables about Ping
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
