Quote:
My question is: does the first "-j DROP" target cause the last two lines never to match?
I'm quite sure it does.
When examining the packet, the icmp criterion is satisfied by checking the IP header, and all fragments have the indicator of the embedded protocol set to icmp, thus satisfying the rule and being dropped before they reach the check for fragmentation. Nevertheless, the last two lines are necessary, because of the first two rules. To name them:
Quote:
# limit pings
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "PING-DROP: "
because if the last two rules didn't exist, part of the fragmented icmp traffic matching the quoted rules would still pass.
What makes me have second thoughts is that it is possible that after checking the rules in one (I'll call it) "chapter", iptables jumps to the next "chapter", and not out. In that case everything is just fine. If iptables jumps out after a single rule matched, then you need to move the last two rules above the "limit pings" chapter, so they can filter fragmented icmp traffic before it can be accepted by the first two rules of the "limit pings" chapter.
I hope you'll excuse my bad English. If it is confusing, I'll reassemble the answer, just say so.

Greetings
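The ordering question in this thread can be worked through with a small model of how an iptables chain is traversed. The following is an added example, not code from the thread or from the iptables project: rules are checked top to bottom, the first rule whose criteria all hold with a terminating target (ACCEPT, DROP, REJECT) ends traversal, and a LOG target records a line and lets traversal continue. The two "limit pings" rules are taken from the quote; the `-p icmp -j DROP` rule and the two fragment rules (`-f`, with an assumed `ICMP-FRAG:` prefix) are assumptions, since the thread does not show those lines, and the limit match is modelled as a simple token bucket with one bucket per rule.

```python
"""Toy model of iptables INPUT chain traversal (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str              # protocol field of the IP header ("icmp", "tcp", ...)
    fragment: bool = False  # True for the 2nd and later fragments (what '-f' matches)


class Limit:
    """Token bucket standing in for '-m limit --limit R/s --limit-burst B'."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    target: str                      # ACCEPT / DROP / LOG
    proto: Optional[str] = None      # -p
    fragment: Optional[bool] = None  # -f (None: not specified)
    limit: Optional[Limit] = None    # -m limit (each rule owns its bucket)
    log_prefix: str = ""             # --log-prefix for LOG


def traverse(chain: List[Rule], pkt: Packet, now: float, log: List[str]) -> str:
    """Walk the chain top to bottom: first matching terminating target wins,
    LOG matches are recorded and traversal continues with the next rule."""
    for rule in chain:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.fragment is not None and rule.fragment != pkt.fragment:
            continue
        if rule.limit is not None and not rule.limit.allow(now):
            continue
        if rule.target in TERMINATING:
            return rule.target
        if rule.target == "LOG":
            log.append(f"{rule.log_prefix}proto={pkt.proto} frag={pkt.fragment}")
            continue  # LOG is non-terminating
        raise ValueError(f"unknown target {rule.target}")
    return "POLICY"  # chain policy applies when nothing terminated


def build_chain(fragment_rules_first: bool) -> List[Rule]:
    # The two quoted "limit pings" rules followed by the assumed '-p icmp -j DROP'.
    ping_limit = [
        Rule("ACCEPT", proto="icmp", limit=Limit(1, 2)),
        Rule("LOG", proto="icmp", limit=Limit(1, 2), log_prefix="PING-DROP: "),
        Rule("DROP", proto="icmp"),
    ]
    # Assumed fragment rules ("the last two lines" of the thread).
    frag = [
        Rule("LOG", proto="icmp", fragment=True, log_prefix="ICMP-FRAG: "),
        Rule("DROP", proto="icmp", fragment=True),
    ]
    return frag + ping_limit if fragment_rules_first else ping_limit + frag


def run(fragment_rules_first: bool) -> Tuple[List[str], List[str]]:
    """Send three constructed ICMP non-first fragments within one second and
    return (verdict per packet, log lines produced)."""
    chain = build_chain(fragment_rules_first)
    log: List[str] = []
    pkts = [Packet("icmp", fragment=True) for _ in range(3)]
    verdicts = [traverse(chain, p, now=0.0, log=log) for p in pkts]
    return verdicts, log


if __name__ == "__main__":
    print("fragment rules last :", run(False))
    print("fragment rules first:", run(True))
```

With the fragment rules at the bottom, the first two fragments are accepted by the burst of the limit rule, the third is logged by the second limit rule and then dropped by the plain `-p icmp -j DROP`, and the fragment rules are never consulted. With the fragment rules moved to the top, every fragment is logged with the `ICMP-FRAG:` prefix and dropped before the limit rules can accept it, which is the reordering discussed above.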