*** Beat'n down humble man ****
I am stuck and can't find out how to stop my router from being pinged (replying to a ping). I have searched the usual, Google, forums, how-tos, and could find nothing on where or how to do this. Any help pointing me in the right direction would be appreciated. I would have thought that this would be set up by default. I only found out that this was not the default when I noticed someone trying to brute force an administrator password into my FTP server. I wondered why this never happened before. I then realized that I could ping the WRT, which made it easy for a person in France (that is where the trace ended) to find my personal FTP server and try to turn it into a warez server.
Topic: Want to Block WAN Requests / ping
The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j DROP' >> /etc/firewall.user
(Last edited by RItalMan on 3 Feb 2006, 10:33)
in firewall.user probably input_rule is better
ex:
iptables -A input_rule -p icmp --icmp-type echo-request -j DROP
or
iptables -t nat -A prerouting_rule -p icmp --icmp-type echo-request -j DROP
(Last edited by CMoiDucon on 3 Feb 2006, 17:49)
For the WhiteRussian RC4 /etc/firewall.user structure...
I want LAN to respond to a ping but not WAN. Since /etc/firewall.user already has $WAN and $LAN defined I've been using this added rule to /etc/firewall.user:
### Deny being "pingable" on the WAN interface
iptables -t nat -A prerouting_rule -i $WAN -p icmp --icmp-type echo-request -j DROP
It seems to be working exactly as I want. I'm curious from the experts if the -i $WAN is redundant to make this apply only to WAN?
(Last edited by Bill_MI on 5 Feb 2006, 04:33)
Thanks to all: I tried the following on WHITE RUSSIAN (RC4) in firewall.user:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP -> This did not work for me. The WAN still responded to ICMP ping.
iptables -A input_rule -p icmp --icmp-type echo-request -j DROP -> This did work (WAN does NOT respond to an ICMP ping) and also allows me to still ping the NICs on the LAN.
iptables -t nat -A prerouting_rule -p icmp --icmp-type echo-request -j DROP -> I did not try this one with or without the $WAN as mentioned in previous posts.
Is there a benefit to using the input_rule or prerouting_rule? Assuming that these both should work, I was just wondering if I should use one over the other.
MrMengo, I'm wondering the same thing, as I like to optimize for best efficiency. E.g. this may affect ping flood response on the system. I'm thinking of data flow, and perhaps mine using table "nat" lacks efficiency as it has to go deeper.
Also, while you can ping your LAN NICs can they ping the router's LAN address? This is what I meant to preserve. I found a similar rule to yours did kill LAN ping response, too.
The input_rule is the right place, as this rule only applies to packets directed at the router (yes, -i $WAN is necessary).
Images that show the dataflow:
http://iptables-tutorial.frozentux.net/ … averse.jpg
http://www.shorewall.net/images/Netfilter.png
If you want to understand how netfilter and the iptables tool work, I can recommend reading the Iptables Tutorial by Oskar Andreasson while keeping your S45firewall and firewall.user files in reach for comparison.
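As an added example (not from the thread or from OpenWrt), a script that checks the point made above against a live ruleset: it reads iptables-save output and reports which verdict a new ICMP echo-request arriving on a given interface gets in INPUT, following the jump into input_rule. It assumes the WhiteRussian layout as described here, namely that INPUT jumps to input_rule before its own ICMP accept rule; the interface names vlan1 (WAN) and vlan0 (LAN) and the two sample rule dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reads iptables-save output on stdin and
# prints the verdict a new echo-request arriving on interface $1 gets in INPUT,
# inlining user chains INPUT jumps to. Only -i, -p, --icmp-type and --state are
# interpreted; "!" negation is honoured. Use: iptables-save -t filter | wan_ping_verdict vlan1
wan_ping_verdict() {
    awk -v IFACE="$1" '
    /^-A / { chain[$2] = chain[$2] "\n" $0; next }      # collect rules per chain, in order
    function matches(rule,   f, n, i, neg, hit) {
        n = split(rule, f, " "); neg = 0
        for (i = 3; i <= n; i++) {
            if (f[i] == "!") { neg = 1; continue }
            hit = -1
            if (f[i] == "-i") hit = (f[i+1] == IFACE)
            else if (f[i] == "-p") hit = (f[i+1] == "icmp")
            else if (f[i] == "--icmp-type") hit = (f[i+1] == "echo-request" || f[i+1] == "8")
            else if (f[i] == "--state") hit = (index(f[i+1], "NEW") > 0)
            if (hit >= 0 && hit == neg) return 0        # a negated hit, or a plain miss, fails the rule
            neg = 0
        }
        return 1
    }
    function target(rule,   f, n, i) {
        n = split(rule, f, " ")
        for (i = 3; i <= n; i++) if (f[i] == "-j") return f[i+1]
        return ""
    }
    function walk(name,   rules, k, r, t, v) {           # first match wins, like netfilter
        k = split(chain[name], rules, "\n")
        for (r = 2; r <= k; r++) {
            if (!matches(rules[r])) continue
            t = target(rules[r])
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
            if (t in chain) { v = walk(t); if (v != "") return v }   # descend into a user chain
        }
        return ""                                        # fell off the end, back to the caller
    }
    END { v = walk("INPUT"); print (v == "" ? "POLICY" : v) }'
}
# Constructed sample dumps (assumed WhiteRussian-style INPUT; WAN is vlan1, LAN is vlan0).
BASE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j input_rule
-A INPUT ! -i vlan1 -j ACCEPT
-A INPUT -p icmp -j ACCEPT'
APPENDED_TO_INPUT="$BASE
-A INPUT -p icmp --icmp-type echo-request -j DROP"        # lands after the ICMP accept: never reached
IN_INPUT_RULE="$BASE
-A input_rule -i vlan1 -p icmp --icmp-type echo-request -j DROP"   # reached via the early jump
```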
Hi Wtzm and thanks for the excellent suggestion. Oskar Andreasson's tutorial can be found here: http://iptables-tutorial.frozentux.net/ … orial.html