>
> Hello,
> can you send
> output of the iptables-save?

Hello,

Thanks for your kind attention. Here is the output of iptables-save and the rule sets:

```
#iptables-save
# Generated by iptables-save v1.4.6 on Sat Jan 23 12:26:49 2010
*mangle
:PREROUTING ACCEPT [2:168]
:INPUT ACCEPT [2:168]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:168]
:POSTROUTING ACCEPT [2:168]
COMMIT
# Completed on Sat Jan 23 12:26:49 2010
# Generated by iptables-save v1.4.6 on Sat Jan 23 12:26:49 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:84]
:OUTPUT ACCEPT [1:84]
COMMIT
# Completed on Sat Jan 23 12:26:49 2010
# Generated by iptables-save v1.4.6 on Sat Jan 23 12:26:49 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan 23 12:26:49 2010
```

and here is the script:

```
IFACE=eth0

## Flush all
iptables -F
iptables -X

# Reset the iptables counters
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z

## set policy
echo -e "\E[33;1m Setting default INPUT/FORWARD/OUTPUT policy to DROP"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo -e "\E[33;1mAllow unlimited traffic on the loopback interface"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo -e "\E[33;1mAllow already established and related"
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo -e "\E[33;1mMake sure NEW tcp connections are SYN packets"
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

echo -e "\E[33;1mActivating user rules"

# ICMP
# Enabling ping so that I can check from outside, but limiting the ping 3/min
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/minute -j ACCEPT
# Disable ICMP for others
iptables -A INPUT -i $IFACE -p icmp -j DROP
```

>
> J. Bakshi wrote:
> > Dear list,
> >
> > My firewall policy is default drop. But the limit module is not
> > working here. I have the following rules to defeat ping flood
> >
> > ```
> > iptables -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT
> > iptables -A INPUT -p icmp -j DROP
> > ```
> >
> > and it is not working. The same rule set is working with default
> > accept policy. What modification do I need to make it work
> > with a drop policy firewall?
> >
> > Thanks

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
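Added example, not part of the thread: a small Python model of the INPUT chain from the posted script, written to check which rule a steady stream of echo-requests actually hits. It assumes nf_conntrack's usual ICMP handling (the first echo-request of a ping is NEW and, once the host has replied, later requests carrying the same id are ESTABLISHED while the entry lives) and approximates `-m limit` as a token bucket with the default `--limit-burst` of 5; the rule names and the ten-packet ping are constructed.

```python
# Added example, not from the mail: a model of the posted INPUT chain to see
# which rule each incoming echo-request hits.  Assumptions: nf_conntrack tracks
# ICMP echo (first request NEW, later requests of the same ping id ESTABLISHED
# once a reply was seen) and xt_limit acts like a token bucket, burst 5.

LIMIT_PER_SEC = 3 / 60.0   # --limit 3/minute
BURST = 5                  # iptables default --limit-burst

class LimitMatch:
    """Token-bucket approximation of '-m limit --limit 3/minute'."""
    def __init__(self):
        self.tokens, self.last = float(BURST), 0.0

    def __call__(self, state, now):
        self.tokens = min(BURST, self.tokens + (now - self.last) * LIMIT_PER_SEC)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def as_posted():
    """Rule order from the posted script: ESTABLISHED accept before the limit."""
    return [("established", lambda st, t: st == "ESTABLISHED", "ACCEPT"),
            ("ping-limit", LimitMatch(), "ACCEPT"),
            ("icmp-drop", lambda st, t: True, "DROP")]

def limit_first():
    """Same rules, with the limit and its DROP evaluated before ESTABLISHED."""
    return [("ping-limit", LimitMatch(), "ACCEPT"),
            ("icmp-drop", lambda st, t: True, "DROP"),
            ("established", lambda st, t: st == "ESTABLISHED", "ACCEPT")]

def walk_chain(rules, times):
    """One echo-request per timestamp (same ping id); returns the deciding rule."""
    seen_reply, hits = False, []
    for now in times:
        state = "ESTABLISHED" if seen_reply else "NEW"
        verdict, hit = "DROP", "policy"      # chain policy is DROP
        for name, match, target in rules:
            if match(state, now):
                verdict, hit = target, name
                break
        hits.append(hit)
        if verdict == "ACCEPT":
            seen_reply = True   # host answers, conntrack entry gets SEEN_REPLY
    return hits

# Constructed input: a plain 'ping' sending one request per second for 10 s.
PING_TIMES = [float(t) for t in range(10)]
```

Calling `walk_chain(as_posted(), PING_TIMES)` shows only the first request reaching the limit rule, the rest being accepted by the ESTABLISHED rule; `walk_chain(limit_first(), PING_TIMES)` shows the burst of 5 accepted and the following requests dropped.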