1

if the network interface is disconnected:

ping 8.8.8.8
connect: Network is unreachable

terminates nicely
kernel is sending a specific signal to the
ping and thus ping is shutting itself down.

But if network interface is up and
I am blocking all traffic via iptables..

vi /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

but it will not make ping shut off. and stop.

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.0.100 icmp_seq=1 Destination Net Unreachable
From 192.168.0.100 icmp_seq=1 Destination Net Unreachable
From 192.168.0.100 icmp_seq=1 Destination Net Unreachable

it simply keeps on continuing.

I have tried other --reject-with flags

such as:

icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited
icmp-admin-prohibited

none of them can make ping quit.

What I want to see is ping terminate the same way
it terminates when network interface is disconnected.

if this can not be done via iptables..
is there a command I can run to send ping the same
signal the kernel sends .. to tell it "network interface is not connected" ?

( it would be a lie but I want it to shut itself off basically )

2 Answers2

1

With default options, ping on linux will never stop itself except if there is no way to send the packet.

If you filter packets, the ping command will still be able to send packets, and they will be dropped/rejected after in the network stack.

If you want to stop automatically, you can use the -c option. Exemple:

ping -c 4 8.8.8.8

In this case ping will stop after 4 packets, may they pass or not.

Here is the extract from the official manual:

   -c count
          Stop after sending count  ECHO_REQUEST  packets.  With  deadline
          option, ping waits for count ECHO_REPLY packets, until the time‐
          out expires.
Elektordi
  • 136
  • 1
  • 4
  • is it possible to make it so there is no way it can send a packet ( without disconnecting the network interface ) ? –  Jan 29 '17 at 23:20
  • 1
    The config you did in iptables is preventing ping to send packets, even the command itself thinks it's working. If you want ping to really fail, you can also "null-route" the target IP you are trying to ping, but it will prevent any communication with this IP. You can also remote the default gateway or remove the address from the interface, but you will loose network connectivity on the computer! But, at the end, what are you trying to achieve here?! – Elektordi Jan 29 '17 at 23:25
  • My goal is to ultimately prevent network access to all programs on my system and permit access to select ones but programs choose to time out rather than terminate. this is a conflict. the only solution I can think of is.. figure a way to simulate the message kernel sends them for "no network connection". they seem to terminate fine when kernel sends them that signal but they seem to simply wait for a timeout when iptables tell them they are rejected/dropped (blocked) –  Jan 30 '17 at 06:26
1

As you have already posted this question (in various forms) multiple times on superuser (which have been deleted) and you didn't get an answer you might have to change your approach.

If you're fixed on using iptables it's as far as you will get. If you do consider other options you might be able to utilize network namespaces as discussed in this question. So you could generally have "no network" and just let the process that should be able to use it use another namespace. For those process you would still run into those timeout "issues" you're having. Another approach would be to use something like AppArmor as explained in this question. Though, as you want to be super secure jadda, jadda I guess it's not an option for you.

As you never actually specified what amount of time it takes for the timeout on your system it's not clear if you're actually facing some unusual behavior.

Community
  • 1
user213199
  • 11
  • 1