On Wed, Jul 10, 2013 at 1:30 PM, podo <[email protected]> wrote:

> :INPUT DROP [57:9652]

Note: any packets that have not been sent elsewhere get dropped at the end of the chain.

> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2421:151014]
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

Note: Accept a _single_ ICMP packet each second. All the rest of the ICMP packets will continue to the next rule until it finally matches a rule or ultimately gets dropped at the end of the chain.

> -A INPUT -p tcp -j ACCEPT
> -A INPUT -m state --state ESTABLISHED -j ACCEPT

Note: Accept all packets that are considered ESTABLISHED. Those include all the ICMP packets in excess of the single ICMP packet accepted earlier.

> COMMIT
> # Completed on Wed Jul 10 19:27:58 2013
>
> If the rule "-A INPUT -m state --state ESTABLISHED -j ACCEPT" is not
> present, the limit is working.
>
> Could you please advise, how to proceed ?

[ The ping flood suggested below could prove to be an intense self-inflicted denial of service attack. Perhaps figure out another method to generate ICMP traffic. ]

You can visualize what happens by adding a rule that state matches ESTABLISHED ICMP packets and then running "sleep 3; ping -f localhost" and "watch -d -n 1 iptables -nvL" as root in separate terminals. The watch command will update the output and highlight changes 1 per second. The ICMP limit match count should increase by one each iteration. The count for the ESTABLISHED state match (or default DROP if you omit the state match) should increase rapidly because all the other ICMP packets from the ping flood are not already consumed by a match.

You probably want to just drop all ICMP packets in a rule immediately after you accept the single ICMP packet.
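To make the chain walk above concrete without running a ping flood against a real host, here is an added example (not from the thread): a Python model of that INPUT chain, with the limit match as a token bucket (1/sec, iptables' default --limit-burst of 5) and conntrack treating an echo request as ESTABLISHED once a reply for its ICMP id has gone out. The packet timings are constructed.

```python
# Added example (not from the original thread): a small model of the INPUT
# chain under discussion, showing why the ESTABLISHED rule lets a ping flood
# past the limit rule and how a DROP placed right after the limit fixes it.
# Assumptions: '-m limit --limit 1/sec' is a token bucket with the iptables
# default --limit-burst of 5; conntrack classes an echo request as NEW until
# an echo reply for that ICMP id has gone out, and as ESTABLISHED afterwards.
from collections import Counter

BURST = 5  # --limit-burst default; rate is 1/sec, i.e. one milli-token per ms


class Limit:
    """Token bucket for '-m limit --limit 1/sec', kept in integer milli-tokens."""
    def __init__(self):
        self.tokens, self.last = BURST * 1000, 0

    def allows(self, t_ms):
        self.tokens = min(BURST * 1000, self.tokens + (t_ms - self.last))
        self.last = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def run_chain(packets, drop_after_limit):
    """Walk each packet through the INPUT chain; return hit counts per rule."""
    limit, replied, hits = Limit(), set(), Counter()
    rules = [("limit_accept", lambda p: p.get("type") == 8 and limit.allows(p["t"]), "ACCEPT")]
    if drop_after_limit:  # the fix suggested in the reply: drop remaining ICMP here
        rules.append(("icmp_drop", lambda p: p["proto"] == "icmp", "DROP"))
    rules += [("tcp_accept", lambda p: p["proto"] == "tcp", "ACCEPT"),
              ("established", lambda p: p["proto"] == "icmp" and p["id"] in replied, "ACCEPT")]
    for p in packets:
        for name, match, target in rules:
            if match(p):
                hits[name] += 1
                if target == "ACCEPT" and p["proto"] == "icmp":
                    replied.add(p["id"])  # host answers; conntrack now has a reply
                break
        else:
            hits["policy_drop"] += 1  # chain policy is DROP
    return hits


def ping_flood(n=200, gap_ms=10, icmp_id=0x1234):
    """Constructed sample traffic: one 'ping -f' run, every request with one ICMP id."""
    return [{"t": i * gap_ms, "proto": "icmp", "type": 8, "id": icmp_id} for i in range(n)]


if __name__ == "__main__":
    for fix in (False, True):
        print("drop after limit:", fix, dict(run_chain(ping_flood(), fix)))
```

Without the extra DROP, only the burst plus one packet per second hit the limit rule and every other request is accepted as ESTABLISHED; with it, those requests are dropped instead.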

