
Before adding a rule to iptables to allow ICMP, it's important to recognize that there are different types of ICMP packets. The following command will display the different types of ICMP packets.
iptables --protocol icmp --help
This should return something like the following.
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
If you want to allow any type of ICMP packet, the following command can be used.
iptables -A INPUT -p icmp -j ACCEPT
Typically, only ICMP echo requests are allowed. The following command will allow only ICMP echo requests on the INPUT chain, so that the system running iptables can be pinged.
Notice the --icmp-type option contains a value of echo-request. Instead of using a value of echo-request, you could use a value of 8. This option accepts either the numeric or literal name of the ICMP type.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
The -L or --list option can be used to display the rules to ensure the rule was added.
The iptables-save command will need to be used to permanently save the iptables rules.
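To confirm whether the INPUT chain accepts every ICMP type or only echo requests, the added example below (not part of the original article) classifies rules in the format printed by iptables -S, where a rule added with echo-request is listed with its numeric type 8. The function names audit_icmp_rules and sample_rules and the sample rules are constructed for illustration; on a live system the input would be iptables -S INPUT.

```shell
#!/bin/sh
# Added example: classify ICMP ACCEPT rules on the INPUT chain.
# Input is rule text in the format printed by `iptables -S`, read from stdin.
audit_icmp_rules() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        proto = ""; type = ""; target = ""; negated = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p" || $i == "--protocol") proto = $(i + 1)
            if ($i == "-j" || $i == "--jump")     target = $(i + 1)
            if ($i == "--icmp-type") {
                type = $(i + 1)
                negated = ($(i - 1) == "!")
            }
        }
        if (proto != "icmp" || target != "ACCEPT") next
        # Drop an optional /code suffix, e.g. 3/4 becomes 3.
        n = split(type, parts, "/")
        if (n > 0) type = parts[1]
        if (negated)
            print "ALL-EXCEPT(" type "): " $0
        else if (type == "" || type == "any")
            print "ALL-ICMP: " $0
        else if (type == "8" || type == "echo-request" || type == "ping")
            print "ECHO-REQUEST: " $0
        else
            print "OTHER(" type "): " $0
    }'
}

# Constructed sample rules (not taken from a real host).
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
EOF
}

sample_rules | audit_icmp_rules
```

An ALL-ICMP line means the chain accepts every ICMP type listed in the help output above, not just ping.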