LinuxQuestions.org
Old 07-31-2006, 01:49 PM   #1
wwnexc
Member
 
Registered: Sep 2005
Location: California
Distribution: Slackware & Debian
Posts: 264

Rep: Reputation: 30
iptables & netfiler: Limit icmp Packets Per IP Address


Hi,

I have just started learning how to use iptables. I am far from knowing much about them, so I figured it would be best if I just set up a test system and play with it until I manage to get the results I need, and hopefully I will get to understand the system better.

Enough blah-blah: I am now wondering how I can restrict the number of pings per "Pinger" (the person / IP pinging me).

Code:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

This seems to "lock out" after one ping from anybody for one second, for everybody. I only want to allow, let's say, 1 ping per IP per second. Is there any way to do something like this?

Thank You.
 
Old 08-01-2006, 08:11 AM   #2
thelvaci
LQ Newbie
 
Registered: Jan 2006
Posts: 6

Rep: Reputation: 0
1) Prepare a file with the name iptables.conf containing something like this:

*mangle
:PREROUTING ACCEPT [48436:11233990]
:INPUT ACCEPT [48436:11233990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29730:6162034]
:POSTROUTING ACCEPT [29730:6162034]
COMMIT

*nat
:PREROUTING ACCEPT [391:49336]
:POSTROUTING ACCEPT [1793:110951]
:OUTPUT ACCEPT [1793:110951]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1418:147349]
-A INPUT -i lo -j ACCEPT
-A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s IPNUMBER -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT

COMMIT

2) Create an iptables folder under the /var/lib folder

3) Create the iptables.conf file under /var/lib/folder

4) iptables-restore < iptables.conf   // the format is not OK yet
5) iptables-save > std.ipt            // the output is in the required format now
6) iptables-restore < std.ipt         //
7) iptables -L
   Check the rules and run your test for ping rate.

Hope this helps
Tahir Helvaci
 
Old 08-01-2006, 12:34 PM   #3
wwnexc
Member
 
Registered: Sep 2005
Location: California
Distribution: Slackware & Debian
Posts: 264

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by thelvaci
(the iptables.conf ruleset quoted in full from post #2 above)
Thank You, Tahir, for the code.

I tried to understand the commands and functions thereof, and all I found about, for example, "[391:49336]" was, according to the iptables man page, that they are "masks". I thought that masks were either 255.255.255.0 or abbreviated as 24 when just counting the 1's. It would be great if somebody could explain to me what these numbers mean.

Code:
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1418:147349]
-A INPUT -i lo -j ACCEPT
-A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s IPNUMBER -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT

I am not trying to act dumb, but I honestly cannot see the limit of connections / packets per IP here (or is this done above with the mystical numbers??).

Thank You for helping the
 
Old 08-01-2006, 12:35 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Ummm.. thelvaci. There's nothing in your suggestion to do with any rate limiting..
(And with an OUTPUT POLICY ACCEPT, you don't need any ACCEPT rules)

Better read The BIG Iptables Tutorial for examples..
http://iptables-tutorial.frozentux.n...-tutorial.html

The limit control only works for everything, so it's a global control.
Do you have a specific problem with icmp?
 
Old 08-01-2006, 01:09 PM   #5
wwnexc
Member
 
Registered: Sep 2005
Location: California
Distribution: Slackware & Debian
Posts: 264

Original Poster
Rep: Reputation: 30
Well, actually I don't have a specific problem with icmp. It was more of an example, to show how I could limit something per requesting IP address.

From what I know about iptables, I guess I could write a script which inserts something for each IP address automatically at startup.... Not sure if that is the best solution.
 
Old 08-01-2006, 03:00 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Not really..

There are better defenses for icmp.
Usually block rate limiting is sufficient, say 4-8 per second; drop the rest or put the specific IP into a 20 min timeout rule.
 
Old 08-01-2006, 03:02 PM   #7
wwnexc
Member
 
Registered: Sep 2005
Location: California
Distribution: Slackware & Debian
Posts: 264

Original Poster
Rep: Reputation: 30
How can you put an IP in a timeout rule?
 
Old 08-01-2006, 03:25 PM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
There are programs like portsentry which can be used to add rules if too much traffic arrives from 1 source, and you can make a script to clear them after a period of time. There is an iptables patch for timeouts, but you need iptables sources and kernel sources for patch-o-matic patches.
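A defender's answer to the per-pinger question in post #1, to peter_robb's 20-minute timeout in posts #6 and #8, and to the bracketed numbers asked about in post #3, as an added example that is not code from the thread or any poster: it assumes an iptables build with the hashlimit, recent and conntrack matches (none of which the thread mentions), and eth0, 1/second, a burst of 4 and 1200 seconds are illustrative values.

```shell
#!/bin/sh
# Added example, not from the thread: limit ICMP echo-requests per source
# address with the hashlimit match (one token bucket per source, so unlike
# -m limit the limit is per pinger, not global) and put sources that exceed
# it into a 20-minute timeout with the recent match. Assumes an iptables
# build with the hashlimit, recent and conntrack matches; IFACE, RATE, BURST
# and TIMEOUT are illustrative values to tune.
IFACE=${IFACE:-eth0}
RATE=${RATE:-1/second}   # echo-requests allowed per source per second
BURST=${BURST:-4}        # extra packets tolerated before the limit bites
TIMEOUT=${TIMEOUT:-1200} # seconds an over-limit source stays blocked

# Emit the ruleset in iptables-restore format. The [a:b] after each chain
# policy is that chain's packet:byte counter (0:0 when written by hand; after
# traffic has flowed, iptables-save shows the real totals). They are not masks.
icmp_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMP_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ICMP_IN
# Sources already in the timeout list are dropped until $TIMEOUT s after
# they were added (--rcheck does not refresh the timestamp; --update would).
-A ICMP_IN -m recent --name icmp_abusers --rcheck --seconds $TIMEOUT -j DROP
# Per-source bucket: up to RATE with a burst of BURST, keyed on srcip.
-A ICMP_IN -m hashlimit --hashlimit-name icmp_echo --hashlimit-mode srcip --hashlimit-upto $RATE --hashlimit-burst $BURST -j ACCEPT
# Over the per-source rate: record the source for the timeout, then drop.
-A ICMP_IN -m recent --name icmp_abusers --set -j DROP
COMMIT
EOF
}

# Number of rules in the dedicated chain; a cheap sanity check before loading.
icmp_chain_rules() {
    icmp_ruleset | grep -c '^-A ICMP_IN '
}

# Parse the ruleset without committing it (iptables-restore -t), or load it
# atomically as root; inspect hits afterwards with: iptables -L ICMP_IN -v -n
check_ruleset() { icmp_ruleset | iptables-restore -t; }
load_ruleset()  { icmp_ruleset | iptables-restore; }

case "${1:-}" in
    check) check_ruleset ;;
    load)  load_ruleset ;;
esac
```

Run `sh icmp-limit.sh check` to syntax-check and `sh icmp-limit.sh load` (as root) to install; the echo-requests a source gets through per second are then bounded by RATE instead of the global 1/s of the rule in post #1.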
 
All times are GMT -5.