How to block ICMP using nft table

Topology: A---------(WAN port 8.8.8.8) B (LAN port 1.1.1.1/24)-----(PC: 1.1.1.2/24)

I attempted to block ICMP traffic inbound on the WAN interface, but found that there were drop counts. However, A can still ping PC: 1.1.1.2.

Commands:

nft insert rule inet fw4 input_wan ip protocol icmp counter drop
nft insert rule inet fw4 input_wan icmp type echo-request counter drop

Result:

table inet fw4 {
        chain input_wan {
                ip protocol icmp counter packets 12 bytes 1008 drop
                icmp type echo-request counter packets 144 bytes 12096 accept

I realized that the PC with IP address 1.1.1.2 belongs to the LAN network directly connected to B. So, I tried to apply it to the forward chain, but I'm not sure how to write this command. There doesn't appear to be an ICMP option available after 'forward'.

nft insert rule inet fw4 forward <???>

  • To block ICMP from WAN, change ACCEPT to DROP or disable the rule.
  • To block ICMP from LAN, change the source to your LAN zone.
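An added worked example for the forward-chain rule the question asks for and the persistent form the reply points at; it is not code from either poster. Pings from A to the PC are routed through B, so they hit the forward hook, never input_wan, which is why the input_wan drop counters rise (pings aimed at B itself) while the PC still answers. The script assumes the WAN device is named eth0 (WAN_IF), that the LAN is 1.1.1.0/24 as in the topology above, and that the inet fw4 table already exists; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread above: block ICMP echo-request routed
# from WAN to LAN on an OpenWrt fw4 router.
# Assumptions: WAN device "eth0" (override with WAN_IF), LAN prefix
# 1.1.1.0/24 from the post (override with LAN_NET), table inet fw4 present.

WAN_IF="${WAN_IF:-eth0}"          # assumed name of the device behind the wan zone
LAN_NET="${LAN_NET:-1.1.1.0/24}"  # LAN prefix taken from the topology in the post

# One-off rule for an immediate test. A -> PC traffic is routed, so it is
# evaluated in the forward chain, not input_wan. "insert" puts the rule at
# the top of the chain, ahead of fw4's "ct state established,related accept"
# and the per-zone jumps; "add" would append it after those and it might
# never be reached. Matching only echo-request (rather than "ip protocol
# icmp") keeps ICMP errors such as fragmentation-needed flowing, which
# path-MTU discovery for the LAN hosts depends on.
forward_drop_rule() {
    printf 'nft insert rule inet fw4 forward iifname "%s" ip daddr %s icmp type echo-request counter drop\n' \
        "$WAN_IF" "$LAN_NET"
}

# Anything inserted with nft by hand is discarded the next time fw4 rebuilds
# its table (firewall reload, interface events, reboot). The persistent form
# is a rule section in /etc/config/firewall; these uci commands create the
# equivalent of the nft rule above: src zone wan, dest zone lan, so it lands
# in the forward path rather than input.
uci_rule_commands() {
    cat <<'EOF'
uci add firewall rule
uci set firewall.@rule[-1].name='Drop-ICMP-WAN-to-LAN'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='icmp'
uci add_list firewall.@rule[-1].icmp_type='echo-request'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

case "${APPLY:-print}" in
    nft)  sh -c "$(forward_drop_rule)" ;;   # temporary rule, gone on next reload
    uci)  uci_rule_commands | sh ;;         # persistent rule, reload applies it
    *)    forward_drop_rule; uci_rule_commands ;;
esac
```

Run with APPLY=nft for a quick check or APPLY=uci to make it permanent, then confirm with `nft list chain inet fw4 forward`: while A pings 1.1.1.2 the counter on the echo-request rule should increase and the ping must time out. The accept rule visible in the posted input_wan listing is the zone's existing allow-ping rule in /etc/config/firewall, which is what the reply suggests changing to DROP or disabling; that only covers pings addressed to B itself, not the forwarded ones handled here.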