- 12-29-2008 #1 Just Joined! (Join Date: Aug 2008, Posts: 9)
**IPTables Issue - Module Limit & Length**
Hello,
I have been experimenting with IPTables and filtering out certain packets with a certain overall UDP length.
For example:
iptables -A INPUT -p udp -m length --length 43 -j DROP
The above rule works perfectly, dropping all packets with an overall length of 43. The problem is, now say I want to limit them to one a minute on a per-IP basis (per-IP basis is default for all iptables basically). I use the following rule:
iptables -A INPUT -p udp -m length --length 43 -m limit --limit=1/minute -j DROP
This does not work. This rule does not limit the number of UDP packets of overall length 43 accepted to one a minute on a per-IP basis.
Does anyone know what I am doing wrong? Any help would be appreciated.
Thanks,
TomBoy123
- 12-30-2008 #2 Just Joined! (Join Date: Aug 2008, Posts: 9)
Bump. Any ideas, anyone?
- 12-31-2008 #3
Your rule is saying limit 1 a minute and drop it.
Because I don't know your rules I would suggest doing your checking as follows:
Create a subchain for the checking something like this:
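Code:
```
# Create the chain first; a rule cannot jump to a chain that does not exist yet
iptables -N UDPCHECK
# Send UDP packets with an overall length of 43 to the subchain
iptables -A INPUT -p udp -m length --length 43 -j UDPCHECK
# Accept what the limit allows, drop everything else that reaches the chain
iptables -A UDPCHECK -p udp -m length --length 43 -m limit --limit=1/minute -j ACCEPT
iptables -A UDPCHECK -j DROP
```
If you need the packet to continue to be checked by iptables then change 'ACCEPT' to 'RETURN'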


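How the two rule layouts in this thread behave, as an added example that is not part of any post: a simplified Python model of the `limit` match as a token bucket. It assumes the default `--limit-burst` of 5 and an INPUT policy of ACCEPT with no other rules; the `per_source` option models the separate `hashlimit` match (`--hashlimit-mode srcip`), which the thread does not mention, and the addresses are constructed sample values.

```python
# Simplified model of the iptables "limit" match (a token bucket); added
# example, not code from the thread. Assumes the default --limit-burst of 5
# and an INPUT policy of ACCEPT with no other rules.
from collections import defaultdict

class LimitMatch:
    """Token bucket: matches while tokens remain, refills at `rate` per second."""
    def __init__(self, rate_per_sec, burst=5):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run(packets, target_on_match, per_source=False):
    """packets: list of (time_sec, src_ip). Returns the verdict for each packet.
    target_on_match='DROP'   models: -m limit ... -j DROP, then policy ACCEPT
    target_on_match='ACCEPT' models: UDPCHECK: -m limit ... -j ACCEPT, then -j DROP
    per_source=True gives each source its own bucket (what hashlimit with
    --hashlimit-mode srcip does); False is the single shared bucket of -m limit."""
    buckets = defaultdict(lambda: LimitMatch(1 / 60))
    fallthrough = "ACCEPT" if target_on_match == "DROP" else "DROP"
    verdicts = []
    for now, src in packets:
        bucket = buckets[src if per_source else "shared"]
        verdicts.append(target_on_match if bucket.matches(now) else fallthrough)
    return verdicts

# Constructed traffic: 192.0.2.1 sends 8 packets one second apart, then
# 192.0.2.2 sends a single packet at t=10s.
SAMPLE = [(float(t), "192.0.2.1") for t in range(8)] + [(10.0, "192.0.2.2")]

if __name__ == "__main__":
    for label, args in [("limit -> DROP", ("DROP", False)),
                        ("subchain, shared", ("ACCEPT", False)),
                        ("subchain, per source", ("ACCEPT", True))]:
        print(f"{label:22}", run(SAMPLE, *args))
```

With one shared bucket, the packet from the second source is dropped because the first source already used up the burst; with a bucket per source it is accepted.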
