On Sat, 23 Jan 2010 10:45:56 +0100 Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:

> On 22.01.2010 04:25, netfilter-owner@xxxxxxxxxxxxxxx wrote:
> > Dear list,
> >
> > My firewall policy is default drop. But the limit module is not
> > working here. I have the following rules to defeat ping flood:
> >
> >   iptables -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT
> >   iptables -A INPUT -p icmp -j DROP
> >
> > and it is not working. The same rule set is working with default
> > accept policy. What modification do I need to make it work with a
> > drop-policy firewall?
> >
> > Thanks
> >
> >   *filter
> >   :INPUT DROP [0:0]
> >   :FORWARD DROP [0:0]
> >   :OUTPUT DROP [0:0]
> >   -A INPUT -i lo -j ACCEPT
> >   -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >   -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
> >   -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min -j ACCEPT
> >   -A INPUT -i eth0 -p icmp -j DROP
> >   -A OUTPUT -o lo -j ACCEPT
> >   -A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> >   COMMIT
> >   # Completed on Sat Jan 23 12:26:49 2010
>
> Hello,
>
> Actually you should not need that '-A INPUT -i eth0 -p icmp -j DROP'
> rule, as the DROP policy should catch it.
> As I've been reading complaints about the limit match being broken for
> years, I suggest trying the 'hashlimit' match (maybe without the
> --hashlimit-mode option).

Hello Mart,

Thanks for your suggestion and hint. Now I have modified the rule set as

  iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit \
      --hashlimit 3/minute --hashlimit-name secureping -j ACCEPT

but no luck yet :-( Is there anything wrong in my config?

with regards
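To see what the rules in this thread actually admit, here is an added token-bucket model of the netfilter 'limit' and 'hashlimit' matches (example code, not from the thread or the netfilter source). The rate syntax and the default burst of 5 are iptables' own; the traffic and host addresses are constructed.

```python
"""Token-bucket model of the netfilter 'limit' / 'hashlimit' matches.

Both matches are token buckets: --limit / --hashlimit is the average
refill rate, --limit-burst / --hashlimit-burst (default 5) is the bucket
size. A packet that finds no token does not match and falls through to
the next rule (here '-p icmp -j DROP', or the INPUT chain's DROP policy).
Time is integer milliseconds so the arithmetic is exact.
"""
from collections import defaultdict

PERIOD_MS = {"second": 1_000, "minute": 60_000, "hour": 3_600_000, "day": 86_400_000}


class LimitBucket:
    """One bucket, as used by '-m limit' (and hashlimit without a mode)."""
    def __init__(self, rate="3/minute", burst=5):
        count, unit = rate.split("/")
        self.cost = PERIOD_MS[unit] // int(count)   # ms of credit per packet
        self.cap = self.cost * burst                # a full bucket = burst packets
        self.credit = self.cap                      # bucket starts full
        self.last_ms = 0

    def match(self, now_ms, src=None):
        """True if the packet at now_ms fits the budget (rule matches)."""
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


class HashLimit:
    """hashlimit: a bucket per key with --hashlimit-mode srcip; with no
    mode (as Mart suggests) every packet shares one bucket, like 'limit'."""
    def __init__(self, rate="3/minute", burst=5, mode=None):
        self.mode = mode
        self.buckets = defaultdict(lambda: LimitBucket(rate, burst))

    def match(self, now_ms, src):
        key = src if self.mode == "srcip" else None
        return self.buckets[key].match(now_ms)


def verdicts(packets, matcher):
    """packets: (time_ms, src) tuples. Returns the chain verdict per packet
    for '-m limit/hashlimit -j ACCEPT' followed by '-p icmp -j DROP'."""
    return ["ACCEPT" if matcher.match(t, s) else "DROP" for t, s in packets]


if __name__ == "__main__":
    # constructed flood: 100 echo-requests from one host, 10 ms apart
    flood = [(t, "10.0.0.9") for t in range(0, 1000, 10)]
    print(verdicts(flood, HashLimit()).count("ACCEPT"))   # 5: only the burst
```

At 3/minute the bucket refills one token every 20 s, so even a well-behaved 1 pps ping sees only the first five replies and then one every 20 s.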