
How to disable ping

Posted: 2018-03-31 19:35:44      Views: 190      Comments: 0      Favorites: 0

Tags: ping   firewall

OS environment: CentOS release 6.9 (Final)

  Goal: stop the Linux host from answering ping

Operations on the local server (IP: 101.132.79.69):

[root@sky9890 ~]# ping 113.195.210.151   # pinging the target server works

PING 113.195.210.151 (113.195.210.151) 56(84) bytes of data.

64 bytes from 113.195.210.151: icmp_seq=1 ttl=52 time=21.6 ms

64 bytes from 113.195.210.151: icmp_seq=2 ttl=52 time=21.7 ms

64 bytes from 113.195.210.151: icmp_seq=3 ttl=52 time=21.6 ms

64 bytes from 113.195.210.151: icmp_seq=4 ttl=52 time=21.6 ms

--- 113.195.210.151 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3670ms

rtt min/avg/max/mdev = 21.630/21.660/21.724/0.110 ms


Operations on the target server:

[root@JxateiLinux ~]# tail  -l  /etc/sysctl.conf

kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes

kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 4294967296

[root@JxateiLinux ~]# echo "net.ipv4.icmp_echo_ignore_all=1"  >>/etc/sysctl.conf

[root@JxateiLinux ~]# tail -l /etc/sysctl.conf                                  

# Controls the maximum size of a message, in bytes

kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 4294967296

net.ipv4.icmp_echo_ignore_all=1


[root@JxateiLinux ~]# sysctl  -p   # apply the file immediately

net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

net.ipv4.icmp_echo_ignore_all = 1

 

[root@sky9890 ~]# ping 113.195.210.151       # the target IP no longer answers: no echo replies come back and the output stops after the header line below

PING 113.195.210.151 (113.195.210.151) 56(84) bytes of data.


Note: ignoring ping outright is not the best policy, because we lose the ability to check the host with ping ourselves. A better policy is to use iptables so that only specific IPs may ping. Two things have to hold for that to work: net.ipv4.icmp_echo_ignore_all must be back at 0 (with it set to 1 the kernel discards every echo request after netfilter has already accepted it, so an iptables ACCEPT rule changes nothing), and the ACCEPT rule needs a DROP rule for other echo requests, or a DROP policy on the INPUT chain, behind it, since on its own it only permits and does not restrict anything.

For example, to allow hosts on the internal network to ping (the original line used en-dashes and `-I eth0`; the interface match is lowercase `-i`, and `--icmp-type` takes two dashes):

iptables -t filter -I INPUT -i eth0 -p icmp --icmp-type 8 -s 10.0.0.0/24 -j ACCEPT
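Added example, not code from the original post: a small shell script that puts the two parts of the page together, the sysctl.conf edit from the procedure above done idempotently (the `echo >>` in the post appends a duplicate line on every rerun, and `sysctl -p` quietly takes whichever line comes last) and the iptables allow-list from the preceding paragraph together with the DROP rule it needs. The interface eth0, the trusted range 10.0.0.0/24 and the CentOS 6 `service iptables save` command are assumptions carried over from the post; the function names are mine.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumed values: the
# interface eth0 and trusted range 10.0.0.0/24 from the post's iptables line,
# and CentOS 6's "service iptables save" for persistence.

# set_sysctl_key FILE KEY VALUE
# Set KEY to VALUE in a sysctl.conf-style FILE idempotently: rewrite an
# existing "KEY = VALUE" line (any spacing around '=') or append one if the
# key is absent. Plain `echo >> /etc/sysctl.conf` adds a duplicate on every
# rerun, and `sysctl -p` silently takes whichever line comes last.
set_sysctl_key() {
    file=$1 key=$2 value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')     # escape dots for BRE
    if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key FILE KEY
# Print the configured value of KEY; the last matching line wins, as with sysctl -p.
get_sysctl_key() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# echo_ignore_enabled [FILE]
# True when the running kernel ignores every echo request, i.e. the setting the
# post turns on. In that state any iptables ACCEPT rule for ping is dead: the
# packet passes INPUT and the ICMP layer still discards it. FILE defaults to the
# live sysctl node; the test feeds a constructed file instead.
echo_ignore_enabled() {
    f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# ping_policy_rules IFACE TRUSTED_CIDR
# Print, in the order they must run, the iptables commands that let only
# TRUSTED_CIDR send echo-request (ICMP type 8) to IFACE. The ACCEPT rule alone
# changes nothing; the DROP rule right after it is what stops everyone else.
# Both are inserted at the top of INPUT because the stock CentOS 6 ruleset has
# an early "-A INPUT -p icmp -j ACCEPT" that would shadow anything appended.
# Only type 8 is matched, so the host's own outbound pings (and their type 0
# replies) keep working, which is the check the post says is lost.
ping_policy_rules() {
    iface=$1 cidr=$2
    printf '%s\n' \
      "iptables -t filter -I INPUT 1 -i $iface -p icmp --icmp-type echo-request -s $cidr -j ACCEPT" \
      "iptables -t filter -I INPUT 2 -i $iface -p icmp --icmp-type echo-request -j DROP"
}

# apply_ping_policy IFACE TRUSTED_CIDR   (root only; the test never calls it)
# Undo the blanket ignore both persistently and live, then install the rules
# and save them so they survive a reboot.
apply_ping_policy() {
    set_sysctl_key /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all 0
    sysctl -w net.ipv4.icmp_echo_ignore_all=0 >/dev/null
    ping_policy_rules "$1" "$2" | sh -e
    service iptables save
}

# Usage as root:  sh ping_policy.sh apply eth0 10.0.0.0/24
if [ "${1:-}" = "apply" ]; then
    apply_ping_policy "${2:-eth0}" "${3:-10.0.0.0/24}"
fi
```

After applying, verify from a host outside the trusted range that `ping` gets no reply, from a host inside it that it does, and with `iptables -L INPUT -n --line-numbers` that the ACCEPT rule sits at line 1 and the DROP at line 2.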




Original URL: http://blog.51cto.com/sky9896/2093403
