On 22.01.2010 04:25, netfilter-owner@xxxxxxxxxxxxxxx wrote:
> Dear list,
>
> My firewall policy is default drop. But the limit module is not working
> here. I have the following rules to defeat ping flood
>
> ``````````
> iptables -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT
> iptables -A INPUT -p icmp -j DROP
> ``````````````````
> and it is not working. The same rule set is working with default accept
> policy. What modification do I need to make it work with a drop-policy
> firewall?
>
> Thanks
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min -j ACCEPT
> -A INPUT -i eth0 -p icmp -j DROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Sat Jan 23 12:26:49 2010

Hello,

Actually you should not need that '-A INPUT -i eth0 -p icmp -j DROP' rule, as the DROP policy should catch it.

As I've been reading complaints about the limit match being broken for years, I suggest trying the 'hashlimit' match (maybe without the --hashlimit-mode option).

best regards
Mart
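To make the behaviour of the rule pair under discussion concrete, here is an added simulation (not code from the thread or from netfilter) of the `limit` match's token bucket: it refills at the `--limit` rate and holds at most `--limit-burst` tokens, which defaults to 5. Each constructed echo request either consumes a token and hits the ACCEPT rule, or falls through to the following DROP rule (the chain's DROP policy gives the same verdict, which is why the explicit DROP is redundant). The timestamps and the function names are constructed for the illustration.

```python
"""Simulate the iptables 'limit' match against a constructed stream of ICMP
echo requests.  Added illustration, not code from the thread.  Semantics
follow the limit match's documentation: a token bucket that refills at the
--limit rate and holds at most --limit-burst tokens (default 5)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

US = 1_000_000  # work in integer microseconds to avoid floating-point drift


def parse_limit(spec: str) -> int:
    """Turn an iptables --limit value ('3/minute', '3/min', '10/sec') into the
    cost of one match in microseconds, i.e. the average spacing it enforces."""
    count, _, unit = spec.partition("/")
    seconds = {"second": 1, "sec": 1, "minute": 60, "min": 60,
               "hour": 3600, "day": 86400}[unit or "second"]
    return seconds * US // int(count)


@dataclass
class LimitMatch:
    """Token bucket equivalent to '-m limit --limit <spec> --limit-burst <burst>'."""
    spec: str
    burst: int = 5  # iptables default for --limit-burst

    def __post_init__(self) -> None:
        self.cost = parse_limit(self.spec)      # credit consumed per matched packet
        self.capacity = self.burst * self.cost  # bucket size
        self.credit = self.capacity             # bucket starts full
        self.last_us = 0

    def matches(self, ts_us: int) -> bool:
        # Refill with the elapsed time, never beyond the bucket's capacity.
        self.credit = min(self.capacity, self.credit + (ts_us - self.last_us))
        self.last_us = ts_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def run_chain(timestamps_s: List[float], limit: str = "3/minute",
              burst: int = 5) -> List[Tuple[float, str]]:
    """Run each echo request (timestamp in seconds) through the two rules
    from the thread:
        -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT
        -A INPUT -p icmp -j DROP
    A packet the limit match rejects falls through to DROP."""
    bucket = LimitMatch(limit, burst)
    verdicts = []
    for ts in timestamps_s:
        hit = bucket.matches(int(round(ts * US)))
        verdicts.append((ts, "ACCEPT" if hit else "DROP"))
    return verdicts


def accepted_times(verdicts: List[Tuple[float, str]]) -> List[float]:
    """Timestamps of the requests that reached the ACCEPT rule."""
    return [ts for ts, v in verdicts if v == "ACCEPT"]


def summarize(verdicts: List[Tuple[float, str]]) -> Dict[str, int]:
    """Count verdicts per target."""
    return {v: sum(1 for _, x in verdicts if x == v) for v in ("ACCEPT", "DROP")}


if __name__ == "__main__":
    # Constructed input 1: one echo request per second for a minute.
    flood = run_chain([float(t) for t in range(60)])
    print("1/s flood:", summarize(flood), "accepted at", accepted_times(flood))
    # Constructed input 2: a monitoring host pinging every 30 s for five minutes.
    polite = run_chain([30.0 * i for i in range(11)])
    print("30 s interval:", summarize(polite))
```

With `3/minute` and the default burst, the first five requests of the flood pass immediately, then exactly one every 20 seconds (at t=20 and t=40), so 7 of 60 are accepted; a host pinging every 30 seconds never exhausts the bucket and is accepted every time. Seeing only a trickle of echo replies under load is therefore the match working as designed, not a failure, and the result is the same whether the trailing DROP is an explicit rule or the chain policy.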