iptables and limit module

I think I may be misunderstanding rule precedence... I'm trying to
limit SYN packets, "new" UDP flows, and ICMP traffic.  First, here's
what I tried for ICMP (IPT=/sbin/iptables):

        # Target truncated in the post; ACCEPT is what the reply below describes
        $IPT -A inbound -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
        $IPT -A inbound -p icmp -s 0/0 -j ACCEPT

        $IPT -A INPUT -p icmp -j inbound

This did not have the desired effect.  When I replaced the first two
lines above with:

        $IPT -A inbound -p icmp -s $any --icmp-type 8  \
                     -m limit --limit 1/s --limit-burst 5 -j ACCEPT

...everything worked.  But why?  I had hoped to limit SYN packets with:

        $IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j ACCEPT

...followed by rules for specific protocols and a follow-on rule to
push TCP traffic from INPUT to inbound, but a quick test with hping
proves that this is not the case.  Are rules processed in order, or
according to a best match scheme?  Or am I missing something else?
Any clues appreciated!!!


Re: iptables and limit module

Bug wrote:

This means:
If icmp packets are blocked due to exceeding your limitations, they will be
processed by the following rule, which accepts all icmp packets. That's why
it does not work. Leave out the second rule and it'll work as expected.

This time there's no rule accepting packets exceeding limitations. You don't
need to specify the source here; if you don't, it defaults to 0/0.

Rules are processed in order, and the first matching rule wins.
But: if a rule does not match (and exceeding the limit counts as "no
match"), packets are not dropped; they are simply not processed by that rule
at all. Instead the next rule is tried, and that rule may very well still
accept the packets.

For what you plan on TCP SYN packets, do it like this:

   # Target truncated in the post; the tcp-filter chain named below is meant
   $IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j tcp-filter
   $IPT -A inbound -p tcp --syn -j DROP

then set up all protocol-specific rules in the tcp-filter chain. This will
forward all traffic within limitations to their protocol specific rules and
drop all traffic exceeding limitations.

Hope that helps,

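To make the "exceeding the limit is just a non-match" point concrete, here is an added example that is not part of the thread: a small Python model of chain traversal with the limit match. It runs the three rulesets discussed above (the original ICMP pair, the single limited ICMP rule, and the SYN rules with the trailing DROP) against a burst of constructed packets. The limit match is modelled as a token bucket that starts full with `--limit-burst` tokens and refills at `--limit` per second; the kernel's xt_limit credit arithmetic differs in detail, but the observable behaviour for this scenario is the same. Chain and rule names mirror the thread; the `tcp-filter` chain is stubbed as "accept everything" since the poster's service rules are not shown.

```python
"""Model of netfilter chain traversal with the iptables ``limit`` match.

Added example (not the thread's code). Packet timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class LimitMatch:
    """Token bucket standing in for ``-m limit --limit RATE --limit-burst BURST``."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)  # bucket starts full, like xt_limit
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # over the limit: the rule simply does not match


@dataclass
class Rule:
    proto: Optional[str]            # 'icmp', 'tcp', 'udp' or None for any
    target: str                     # 'ACCEPT', 'DROP' or a user-defined chain
    syn: bool = False               # --syn
    limit: Optional[LimitMatch] = None


@dataclass
class Packet:
    t: float
    proto: str
    syn: bool = False


def traverse(chains: Dict[str, List[Rule]], name: str, pkt: Packet,
             policy: Optional[str] = "DROP") -> Optional[str]:
    """Walk chain ``name`` top to bottom; the first rule whose matches all
    succeed decides.  A user chain that runs off its end returns None so the
    caller continues with its next rule; the built-in chain falls back to its
    policy (DROP here, as the poster relies on the default policy to drop)."""
    for rule in chains[name]:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.syn and not pkt.syn:
            continue
        if rule.limit is not None and not rule.limit.matches(pkt.t):
            continue                      # exceeded limit == no match, try next rule
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = traverse(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy


def original_icmp_rules() -> List[Rule]:
    """The first attempt: limited ACCEPT followed by a catch-all ACCEPT."""
    return [Rule("icmp", "ACCEPT", limit=LimitMatch(1, 5)), Rule("icmp", "ACCEPT")]


def fixed_icmp_rules() -> List[Rule]:
    """The working version: only the limited ACCEPT; excess falls to the policy."""
    return [Rule("icmp", "ACCEPT", limit=LimitMatch(1, 5))]


def icmp_burst(inbound: List[Rule], n: int = 20, spacing: float = 0.01) -> int:
    """Send n ICMP packets 10 ms apart through INPUT -> inbound; count ACCEPTs."""
    chains = {"INPUT": [Rule("icmp", "inbound")], "inbound": inbound}
    return sum(traverse(chains, "INPUT", Packet(i * spacing, "icmp")) == "ACCEPT"
               for i in range(n))


def syn_burst(n: int = 20, spacing: float = 0.01) -> Tuple[int, int]:
    """The reply's SYN layout: limit -> tcp-filter, then an explicit DROP."""
    chains = {
        "INPUT": [Rule("tcp", "inbound")],
        "inbound": [Rule("tcp", "tcp-filter", syn=True, limit=LimitMatch(4, 10)),
                    Rule("tcp", "DROP", syn=True)],
        # stand-in for the per-service rules, which are not shown in the thread
        "tcp-filter": [Rule("tcp", "ACCEPT")],
    }
    verdicts = [traverse(chains, "INPUT", Packet(i * spacing, "tcp", syn=True))
                for i in range(n)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")


if __name__ == "__main__":
    print("original ICMP rules accepted: ", icmp_burst(original_icmp_rules()))  # 20
    print("fixed ICMP rules accepted:    ", icmp_burst(fixed_icmp_rules()))     # 5
    print("SYN burst (accepted, dropped):", syn_burst())                         # (10, 10)
```

With 20 pings arriving 10 ms apart, the original pair of rules accepts all 20 because every packet the limit rule declines is picked up by the catch-all ACCEPT beneath it; the single limited rule accepts only the five burst tokens and lets the rest fall through to the chain policy. The SYN variant shows the reply's point: 10 SYNs go on to `tcp-filter` and the next 10 hit the explicit DROP instead of sliding past to later rules.
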
Re: iptables and limit module

Ah ("sound" of light bulb turning on)...

Beautiful explanation!  It is now perfectly clear.  Thank you!!!