How to disable and enable ping on Linux

Linux answers ping by default. Whether the system answers ping is decided by two factors:

1) a kernel parameter

2) the firewall

Both factors must allow it for ping to work; if either one blocks ping, the host cannot be pinged.

Method 1: set the kernel parameter:

1) Allow ping:

a: allow ping temporarily

[root@CCIELAB lszlab]# echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

b: allow ping permanently

Edit /etc/sysctl.conf and add net.ipv4.icmp_echo_ignore_all=0

[root@CCIELAB lszlab]# vi /etc/sysctl.conf


#ping (0 = allow, 1 = deny)
net.ipv4.icmp_echo_ignore_all=0

After editing, run sysctl -p to apply the new setting (the "unknown key" errors for net.bridge.* in the output below only mean the bridge netfilter module is not loaded; they do not affect this setting)

[root@CCIELAB lszlab]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.icmp_echo_ignore_all = 0

2) Deny ping:

a: deny ping temporarily:

[root@CCIELAB lszlab]# echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all 

Before denying ping

[qd01@ip-CentOS-6 ~]$ ping -c 3 192.168.198.141
PING 192.168.198.141 (192.168.198.141) 56(84) bytes of data.
64 bytes from 192.168.198.141: icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from 192.168.198.141: icmp_seq=2 ttl=64 time=0.484 ms
64 bytes from 192.168.198.141: icmp_seq=3 ttl=64 time=0.475 ms

 --- 192.168.198.141 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.291/0.416/0.484/0.092 ms

After denying ping

PING 192.168.198.141 (192.168.198.141) 56(84) bytes of data.

 --- 192.168.198.141 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12002ms

b: deny ping permanently

Edit /etc/sysctl.conf and add net.ipv4.icmp_echo_ignore_all=1

[root@CCIELAB lszlab]# vi /etc/sysctl.conf


#ping (0 = allow, 1 = deny)
net.ipv4.icmp_echo_ignore_all=1

After editing, run sysctl -p to apply the new setting

[root@CCIELAB lszlab]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.icmp_echo_ignore_all = 1

Method 2: set the firewall:

This assumes the kernel parameter is left at its default (0), i.e. the kernel itself is not denying ping.

1) Allow ping

[root@CCIELAB lszlab]# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
[root@CCIELAB lszlab]# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Or temporarily stop the firewall:

[root@CCIELAB lszlab]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

2) Deny ping

Note that -A appends the rule to the end of the INPUT chain, so an earlier rule that already accepts ICMP (the stock CentOS 6 ruleset has one) still wins; the DROP rule must sit before it to take effect.

[root@CCIELAB lszlab]# iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
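The following is an added example, not code from the original post: a small POSIX sh audit function that applies both checks described above (kernel parameter first, then the INPUT chain in rule order) to decide whether a host will answer a remote ping. It assumes the rules are given in the text form that `iptables -S INPUT` prints, and the sample ruleset at the end is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): report whether a host answers
# ping by checking both factors named above, the kernel parameter and the
# iptables INPUT chain. Usage: ping_state IGNORE RULES, where IGNORE is the
# content of /proc/sys/net/ipv4/icmp_echo_ignore_all and RULES is text in
# the form of `iptables -S INPUT` (assumed; -P line first).
# Prints one of: allowed, blocked:kernel, blocked:firewall
ping_state() {
    rules="$2"
    # Factor 1: once the kernel ignores echo requests, firewall rules are moot.
    if [ "$1" = "1" ]; then echo "blocked:kernel"; return 0; fi
    # Factor 2: walk the chain top to bottom; the first rule that can match a
    # remote echo-request decides, otherwise the chain policy applies.
    policy="ACCEPT"
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy="${line#-P INPUT }"; continue ;;
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -p icmp "*)            # ICMP: only type 8 / echo-request applies
                case "$line" in
                    *"--icmp-type 8 "*|*"--icmp-type echo-request "*) ;;
                    *"--icmp-type "*) continue ;;
                esac ;;
            *" -p "*) continue ;;     # TCP/UDP/... can never match a ping
        esac
        case "$line" in               # conntrack match must include NEW
            *"--state "*|*"--ctstate "*)
                case "$line" in *NEW*) ;; *) continue ;; esac ;;
        esac
        target="${line##* -j }"; target="${target%% *}"
        case "$target" in
            ACCEPT) echo "allowed"; return 0 ;;
            DROP|REJECT) echo "blocked:firewall"; return 0 ;;
        esac                          # LOG, user chains etc. do not decide
    done <<EOF
$rules
EOF
    case "$policy" in
        ACCEPT) echo "allowed" ;;
        *) echo "blocked:firewall" ;;
    esac
}
# Constructed sample: the post's DROP appended with -A behind an existing
# "-p icmp -j ACCEPT" (as in the stock CentOS 6 chain) never takes effect.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -s 0.0.0.0/0 -j DROP'
```

Running `ping_state "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all)" "$(iptables -S INPUT)"` on a live host (as root) gives the combined verdict; with SAMPLE_RULES and IGNORE=0 it reports "allowed", showing why the appended DROP rule does not block ping.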

Copyright notice

Stefanie'Notes by Stefanie is licensed under a Creative Commons BY-NC-ND 4.0 International License.
This article was first published on the Stefanie'Notes blog ( https://linshizhe.github.io/ ); all rights reserved, infringement will be pursued.