iptables and limit module
Posted on June 18, 2008, 9:33 pm
I think I may be misunderstanding rule precedence... I'm trying to
limit SYN packets, "new" UDP flows, and ICMP traffic. First, here's
what I tried for ICMP (IPT=/sbin/iptables):
$IPT -A inbound -p icmp -m limit --limit 1/s --limit-burst 5 -
$IPT -A inbound -p icmp -s 0/0 -j ACCEPT
$IPT -A INPUT -p icmp -j inbound
This did not have the desired effect. When I replaced the first two
lines above with:
$IPT -A inbound -p icmp -s $any --icmp-type 8 \
-m limit --limit 1/s --limit-burst 5 -j ACCEPT
...everything worked. But why? I had hoped to limit SYN packets
$IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j ACCEPT
...followed by rules for specific protocols and a follow-on rule to
push TCP traffic from INPUT to inbound, but a quick test with hping
proves that this is not the case. Are rules processed in order, or
according to a best match scheme? Or am I missing something else?
Any clues appreciated!!!
Re: iptables and limit module
If icmp packets are blocked due to exceeding your limitations, they will be
processed by the following rule, which accepts all icmp packets. That's why
it does not work. Leave out the second rule and it'll work as expected.
This time there's no rule accepting packets exceeding limitations. You don't
need to specify source here, if you don't, source is set to 0/0 by default.
Rules are processed in order and first matching rule wins.
But: If a rule does not match (and exceeding limitations is like "not
match") packets are not dropped, they are not processed by that rule at
all. Instead the next rule is tried. And that rule may very well still
For what you plan on TCP SYN packets, do it like this:
$IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j
$IPT -A inbound -p tcp --syn -j DROP
then set up all protocol-specific rules in the tcp-filter chain. This will
forward all traffic within limitations to their protocol-specific rules and
drop all traffic exceeding limitations.
Hope that helps,
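To make the reply's point concrete, here is an added model (not code from the thread or from iptables itself) of first-match chain traversal with a token-bucket `limit` match: the poster's limit-ACCEPT followed by accept-all lets every packet of a burst through, while limit-ACCEPT followed by DROP drops the excess. The 20-packet burst and the simulated clock are constructed; the kernel's own credit accounting differs in detail.

```python
# Model of iptables first-match chain traversal with the `limit` match, which
# is a token bucket: --limit-burst tokens to start, refilled at --limit per
# second.  A rule carrying `-m limit` matches only while a token is available;
# otherwise it does not match and the packet falls through to the next rule.
from typing import Dict, List, Optional

class LimitMatch:
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst      # --limit 1/s -> rate=1.0
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now: float) -> bool:
        # Refill by elapsed time (simulated clock), cap at burst, spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class Rule:
    def __init__(self, target: str, limit: Optional[LimitMatch] = None):
        self.target, self.limit = target, limit   # ACCEPT, DROP or a chain name

    def matches(self, now: float) -> bool:
        return self.limit is None or self.limit.matches(now)

def traverse(chain: List[Rule], now: float, policy: str = "DROP") -> str:
    # Rules are tried in order; the first matching rule's target decides.
    for rule in chain:
        if rule.matches(now):
            return rule.target
    return policy  # nothing matched: the chain policy applies

def verdicts(chain: List[Rule], times: List[float]) -> Dict[str, int]:
    # Send one packet per timestamp through the chain and tally the verdicts.
    counts: Dict[str, int] = {}
    for t in times:
        v = traverse(chain, t)
        counts[v] = counts.get(v, 0) + 1
    return counts

def posters_chain() -> List[Rule]:  # question's first try: limit-ACCEPT, then ACCEPT
    return [Rule("ACCEPT", LimitMatch(1.0, 5)), Rule("ACCEPT")]

def fixed_chain() -> List[Rule]:    # reply's shape: limit-ACCEPT, then DROP
    return [Rule("ACCEPT", LimitMatch(1.0, 5)), Rule("DROP")]

FLOOD = [i * 0.01 for i in range(20)]  # constructed burst: 20 pings in 0.2 s
```

Running `verdicts(posters_chain(), FLOOD)` accepts all 20 packets, while `verdicts(fixed_chain(), FLOOD)` accepts the 5-packet burst and drops the other 15; once the bucket refills, later packets are accepted again.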