Hello,
Aro Sadoyan wrote:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j LOG --log-level debug --log-prefix "ICMP Oversize:"
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j REJECT #--reject-with icmp-host-prohibited
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -p icmp -f -j LOG --log-prefix "ICMP Fragment:"
iptables -A INPUT -p icmp -f -j REJECT
This is a good solution for filtering ICMP. I use it and it is working fine.
It allows only 3 pings per second and the ICMP packet size is a maximum of 128.
Notes:
ICMP type "echo-request" instead of 8 is more explicit.
The -f flag will never match if connection tracking (ip_conntrack) is
active (used by the nat table or state match for example) because the
connection tracking needs to reassemble fragments before the packet
enters the iptables chains.
I would rather DROP unwanted ICMP packets instead of REJECT.
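The same ICMP policy with the three notes above applied, as an added example that is not part of either message in this thread. It assumes the INPUT chain's default policy is ACCEPT (so an explicit DROP is added after the limit rule), defaults IPT to a dry run that only prints the commands, and treats connection tracking as active when its module appears in /proc/modules; those assumptions are mine, not the original poster's.

```shell
#!/bin/sh
# IPT defaults to a dry run that prints the iptables commands; run with
# IPT=iptables (as root) to actually load them.
IPT="${IPT:-echo iptables}"

# Tunables (assumed values, matching the posted rule set)
MAX_LEN=128        # echo-requests of this many bytes or more are dropped
RATE=3/s           # echo-requests accepted per second
BURST=5            # token bucket for -m limit (the iptables default)

conntrack_active() {
    # Assumption: conntrack counts as active if its module is loaded, under
    # either the old ip_conntrack name or the current nf_conntrack name.
    grep -Eq '^(ip_conntrack|nf_conntrack) ' /proc/modules 2>/dev/null
}

icmp_rules() {
    # 1. Oversized echo-requests: log them, then DROP instead of REJECT so the
    #    sender learns nothing and the host generates no reply traffic.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m length --length ${MAX_LEN}:65535 \
        -j LOG --log-level debug --log-prefix "ICMP Oversize: "
    $IPT -A INPUT -p icmp --icmp-type echo-request -m length --length ${MAX_LEN}:65535 \
        -j DROP
    # 2. Rate-limit the remaining echo-requests ...
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit $RATE --limit-burst $BURST \
        -j ACCEPT
    # 3. ... and drop whatever exceeds the limit. Without this rule a default
    #    ACCEPT policy would still let the excess pings through.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # 4. Fragment rules only make sense without connection tracking: with
    #    conntrack loaded, fragments are reassembled before the filter chains
    #    and "-f" never matches.
    if ! conntrack_active; then
        $IPT -A INPUT -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
        $IPT -A INPUT -p icmp -f -j DROP
    fi
}

icmp_rules
```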