RE: ICMP floods

Jim, thanks for the tip! I just noticed that I missed the 'J'. I've
rewritten the rules as you advised.

Regards
edmund

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jim Carter
Sent: Thursday, October 16, 2003 12:36 AM
To: Edmund Turner
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: ICMP floods

On Wed, 15 Oct 2003, Edmund Turner wrote:
> I'm trying to create a proper ICMP chain that will block ICMP flooding
> by viruses and DOS attacks. Would the ruleset below be sufficient?
> -- snip --
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10

You need "-j SOMETHING" -- the limit module would bypass the -j action if
it happened too often.  The man page doesn't say the default unit for
--limit (but it says the default is 3/hour which is kind of infrequent); I
would put in an explicit unit.  Also I doubt you really need separate rate
limiting on each interface.  I see you have ACCEPT rules for every
different type of ICMP packet.  Here's a real simple rule which does
almost the same thing:

iptables -t filter -A FORWARD -p ICMP -m limit --limit 2/second \
    --limit-burst 10 -j ACCEPT
iptables -t filter -A FORWARD -p ICMP -m limit --limit 4/minute -j LOG
iptables -t filter -A FORWARD -p ICMP -j DROP

(Or you could put this in a separate chain like your example: probably just
as efficient if not more so, and more readable.)

Hope this helps!

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@xxxxxxxxxxxxx    http://www.math.ucla.edu/~jimc (q.v. for PGP key)
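
The separate-chain version Jim suggests, written out as an added example for this page (it is not code from the thread). It assumes iptables is on PATH; with DRY_RUN=1 it prints the rules instead of applying them, and the audit function checks a rule listing for the two defects the reply points out: a limit rule with no -j target, and --limit with no explicit unit.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ICMP rate-limit chain
# Jim sketches as a separate chain (as Edmund's original did), with an explicit
# -j target on every rule and an explicit unit on every --limit. Assumes
# iptables is on PATH; DRY_RUN=1 prints commands instead of running them.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Chain ICMP: accept up to 2/second with a burst of 10, log what exceeds that
# (the LOG rule is itself limited to 4/minute so logging cannot be flooded),
# then drop the rest. LOG is non-terminating, so logged packets still hit DROP.
build_icmp_chain() {
    ipt -t filter -N ICMP 2>/dev/null || ipt -t filter -F ICMP
    ipt -t filter -A ICMP -m limit --limit 2/second --limit-burst 10 -j ACCEPT
    ipt -t filter -A ICMP -m limit --limit 4/minute -j LOG --log-prefix "ICMP-FLOOD: "
    ipt -t filter -A ICMP -j DROP
}

# One hook for forwarded ICMP on all interfaces instead of one rule per interface.
hook_icmp_chain() {
    ipt -t filter -A FORWARD -p icmp -j ICMP
}

# Audit a rule listing on stdin: every -A rule needs a -j target, and every
# -m limit rule needs --limit with a unit (e.g. 2/second). A limit rule without
# -j matches and counts but does nothing, which was the bug in the original
# post. Prints each offending rule; returns 1 if any were found.
audit_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in *" -A "*"-j "*) ;; *" -A "*) echo "no -j target: $line"; bad=1 ;; esac
        case "$line" in *"-m limit"*)
            printf '%s\n' "$line" | grep -Eq -- '--limit [0-9]+/[A-Za-z]+' \
                || { echo "no unit on --limit: $line"; bad=1; } ;;
        esac
    done
    return $bad
}

if [ "$DRY_RUN" = "1" ]; then
    { build_icmp_chain; hook_icmp_chain; } | audit_rules && echo "rules OK"
fi
```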
