Hello,
thanks for the reply.

Your rule clearly shows that the other ICMP packets (those not matched by the 1/s rule) are being considered ESTABLISHED. I do not understand why.

From http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html :

"ESTABLISHED

A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies)."

And from http://www.lug.or.kr/docs/iptables-tutorial/onepage/ , chapter ICMP connections:

"The reply packet is considered as being ESTABLISHED, as we have already explained. However, we can know for sure that after the ICMP reply, there will be absolutely no more legal traffic in the same connection. For this reason, the connection tracking entry is destroyed once the reply has traveled all the way through the Netfilter structure."


My understanding is that every new ICMP echo creates a new session.
In that case the ESTABLISHED state should be discarded after the reply is sent...

Please, do I understand it wrong?

Thanks,
regards,
Podo.


On 07/18/2013 12:39 AM, Laurence J. Lane wrote:
On Wed, Jul 10, 2013 at 1:30 PM, podo <[email protected]> wrote:

:INPUT DROP [57:9652]

Note: any packets that have not been sent elsewhere get dropped at the
end of the chain

:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2421:151014]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

Note: Accept a _single_ ICMP packet each second. All the rest of the
ICMP packets will continue to the next rule until it finally matches a
rule or ultimately gets dropped at the end of the chain.

-A INPUT -p tcp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

Note: Accept all packets that are considered ESTABLISHED. Those
include all the ICMP packets in excess of the single ICMP packet
accepted earlier.

COMMIT
# Completed on Wed Jul 10 19:27:58 2013

If the rule "-A INPUT -m state --state ESTABLISHED -j ACCEPT" is not
present, the limit is working.

Could you please advise how to proceed?

[ The ping flood suggested below could prove to be an intense
self-inflicted denial of service attack.  Perhaps figure out another
method to generate ICMP traffic. ]

You can visualize what happens by adding a rule that state matches
ESTABLISHED ICMP packets and then running "sleep 3; ping -f localhost"
and "watch -d -n 1 iptables -nvL" as root in separate terminals. The
watch command will update the output and highlight changes once per
second. The ICMP limit match count should increase by one each
iteration. The count for the ESTABLISHED state match (or default DROP
if you omit the state match) should increase rapidly because all the
other ICMP packets from the ping flood are not already consumed by a
match.

You probably want to just drop all ICMP packets in a rule immediately
after you accept the single ICMP packet.
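As an added illustration (not code from either message in this thread), here is a small Python model of first-match traversal through podo's INPUT chain: `-m limit` is modelled as a token bucket with iptables' default burst of 5, and ICMP conntrack is simplified to the assumption that once the host has answered the first echo request of a ping run, later requests carrying the same echo id are ESTABLISHED. The flood, the chain and the `podo_chain` helper are constructed; `drop_excess_icmp=True` adds the `-p icmp -j DROP` rule Laurence suggests right after the limit rule.

```python
# Added model (not code from the thread): first-match traversal of podo's INPUT
# chain, with -m limit as a token bucket and a simplified ICMP conntrack.
# Assumption: once the host answered the first echo request, later requests
# with the same echo id are ESTABLISHED.
from collections import namedtuple

# t_ms: arrival time in ms; icmp_type 8 = echo request; one ping run = one id
Packet = namedtuple("Packet", "t_ms proto icmp_type icmp_id", defaults=(8, 1))

class Limit:
    """-m limit --limit <rate>/sec as a token bucket (default burst 5)."""
    def __init__(self, rate_per_sec, burst=5):
        self.rate, self.cap = rate_per_sec, burst * 1000   # tokens scaled x1000
        self.tokens, self.last = self.cap, 0
    def match(self, pkt):
        self.tokens = min(self.cap, self.tokens + (pkt.t_ms - self.last) * self.rate)
        self.last = pkt.t_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True

def run_chain(rules, packets, policy="DROP"):
    """Per-rule hit counts (as in iptables -nvL) and the verdict per packet."""
    answered = set()                    # echo ids the host has already replied to
    hits, verdicts = [0] * len(rules), []
    for pkt in packets:
        is_echo = pkt.proto == "icmp" and pkt.icmp_type == 8
        state = "ESTABLISHED" if is_echo and pkt.icmp_id in answered else "NEW"
        verdict = policy
        for i, (pred, target) in enumerate(rules):
            if pred(pkt, state):
                hits[i], verdict = hits[i] + 1, target
                break                   # first matching terminating rule wins
        if verdict == "ACCEPT" and is_echo:
            answered.add(pkt.icmp_id)   # an accepted echo request gets answered
        verdicts.append(verdict)
    return hits, verdicts

def podo_chain(drop_excess_icmp):
    """podo's INPUT rules; with drop_excess_icmp, Laurence's extra DROP rule."""
    lim = Limit(1)
    rules = [(lambda p, s: p.proto == "icmp" and p.icmp_type == 8 and lim.match(p), "ACCEPT")]
    if drop_excess_icmp:
        rules.append((lambda p, s: p.proto == "icmp", "DROP"))
    rules += [(lambda p, s: p.proto == "tcp", "ACCEPT"),
              (lambda p, s: s == "ESTABLISHED", "ACCEPT")]
    return rules

# Constructed ping flood: 50 echo requests 10 ms apart, one echo id.
FLOOD = [Packet(t_ms=10 * i, proto="icmp") for i in range(50)]
```

With the original order the limit rule accepts the first five requests and the ESTABLISHED rule accepts the remaining 45; with the extra DROP rule those 45 are dropped before the state match is ever consulted.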
