ping 不能通 其他命令ssh能通的问题

先占位，简短描述，后续详细补充：

ping 不通，而  ssh 能连接登陆，telnet也表示正常连通，是ping命令被禁止了。

ping 基于ICMP协议，是不包含处理具体数据的协议，只是测试网络是否正常。

---------------------------------------------------sysctl 分割线---------------------------------------------------------

先看一下如何操作：

1、先看一下没有限制的时候的结果：

[root@Test-01 ~]# ping 192.168.30.212
PING 192.168.30.212 (192.168.30.212) 56(84) bytes of data.
64 bytes from 192.168.30.212: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 192.168.30.212: icmp_seq=2 ttl=64 time=0.114 ms
64 bytes from 192.168.30.212: icmp_seq=3 ttl=64 time=0.065 ms

--- 192.168.30.212 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.065/0.096/0.114/0.022 ms
[root@Test-01 ~]# 

 2、 添加限制

[root@dev01 ~]# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1
[root@dev01 ~]#

   其他机器ping该主机

[root@Test-01 ~]# ping 192.168.30.212
PING 192.168.30.212 (192.168.30.212) 56(84) bytes of data.

--- 192.168.30.212 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3001ms

[root@Test-01 ~]#

    该主机ping其他主机

[root@dev01 ~]# ping 192.168.30.221
PING 192.168.30.221 (192.168.30.221) 56(84) bytes of data.
64 bytes from 192.168.30.221: icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from 192.168.30.221: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 192.168.30.221: icmp_seq=3 ttl=64 time=0.084 ms
64 bytes from 192.168.30.221: icmp_seq=4 ttl=64 time=0.075 ms

--- 192.168.30.221 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.069/0.084/0.110/0.018 ms
[root@dev01 ~]#

  

 3、解除限制

[root@dev01 ~]# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_all = 0
[root@dev01 ~]# 

  其他机器ping该主机

[root@Test-01 ~]# ping 192.168.30.212
PING 192.168.30.212 (192.168.30.212) 56(84) bytes of data.
64 bytes from 192.168.30.212: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 192.168.30.212: icmp_seq=2 ttl=64 time=0.113 ms

--- 192.168.30.212 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.113/0.116/0.119/0.003 ms
[root@Test-01 ~]# 

 4、其实就是修改了此处的文件

[root@dev01 ~]# cat /proc/sys/net/ipv4/icmp_echo_ignore_all 
0
[root@dev01 ~]# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1
[root@dev01 ~]# cat /proc/sys/net/ipv4/icmp_echo_ignore_all    
1
[root@dev01 ~]# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_all = 0
[root@dev01 ~]# cat /proc/sys/net/ipv4/icmp_echo_ignore_all    
0
[root@dev01 ~]# 

 

5、如果想永久保留设置，能修改/etc/sysctl.conf文件

    net.ipv4.icmp_echo_ignore_all=1

     或者使用iptables，不解释

     iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP

---------------------------------------------------ICMP 分割线---------------------------------------------------------

 ICMP是“Internet Control Message Protocol”（Internet控制消息协议）的缩写，概念不描述，网上太多

自己的备忘描述：网络消息控制，就是在我们使用tcp报错的一些网络的错误，比如主机不可达，重定向，连接拒绝等错误消息都是由该协议监测的。

 

测试

[root@dev01 ~]# ping 192.168.30.221
PING 192.168.30.221 (192.168.30.221) 56(84) bytes of data.
64 bytes from 192.168.30.221: icmp_seq=1 ttl=64 time=1.12 ms
64 bytes from 192.168.30.221: icmp_seq=2 ttl=64 time=0.078 ms
64 bytes from 192.168.30.221: icmp_seq=3 ttl=64 time=0.089 ms
64 bytes from 192.168.30.221: icmp_seq=4 ttl=64 time=0.108 ms
64 bytes from 192.168.30.221: icmp_seq=5 ttl=64 time=0.102 ms

--- 192.168.30.221 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.078/0.300/1.124/0.412 ms
[root@dev01 ~]# 

[root@dev01 ~]# /usr/sbin/tcpdump host 192.168.30.221
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:21:37.220517 IP 192.168.30.212 > 192.168.30.221: ICMP echo request, id 57446, seq 9, length 64
16:21:37.220865 IP 192.168.30.221 > 192.168.30.212: ICMP echo reply, id 57446, seq 9, length 64
16:21:38.221507 IP 192.168.30.212 > 192.168.30.221: ICMP echo request, id 57446, seq 10, length 64
16:21:38.221586 IP 192.168.30.221 > 192.168.30.212: ICMP echo reply, id 57446, seq 10, length 64

4 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@dev01 ~]#

 看一个抓包的效果

type 和code有很多种

不浪费空间和时间，直接看别人的内容吧：

I​C​M​P​差​错​报​文​分​析

http://wenku.baidu.com/view/138b612b2af90242a895e589.html?re=view

参看着再看看报文分析：为什么禁用了超链接？

http://wenku.baidu.com/link?url=dA4yyqxojXJqshzmMd20ZyTKQMIM8Uddxve1nL-sj_oNwwJ-tTFIUen9eOjFdu2pEV6rsuLU0P-YJG-Tcr1-MvWOVbvr3-xc8R7YyBCDvwy