  1. #1
    np2k, Just Joined! (Join Date: Apr 2010, Posts: 9)

    iptables and limit module


    Hi all! I'm new to the forum, and I'm a newbie in the world of netfilter/iptables.

    I've read an article about iptables and rate limit module:
    Code:
    iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
    The firewall will let the first 5 packets in in the first minute, thanks to --limit-burst 5; this means, however, that the packets/minute now is 5, so any further packets are blocked until packets/minute = 1, i.e. 5 minutes later. In the sixth minute, packets/minute will be 5/6 < 1, so another ping request will be let in. When the extra ping request is admitted, the ratio becomes 6/6 = 1 again, and packets are DROPped again until the next minute.
    Now I have some problems understanding how it works.
    For example:
    I want to ping google.com in this way:
    the kernel firewall permits sending the first 5 packets to google.com (--limit-burst 5) and then blocks the remaining packets for 5 minutes. At the sixth minute (because I wish a rate limit equal to 1/minute: --limit 1/minute) one packet can be sent to google again. And so on.
    So my rule should be:

    Code:
    iptables -A OUTPUT -d url_of_google -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
    In this way, if I type

    Code:
    ping -f url_of_google
    I expect that the first 5 packets are accepted (and so no '.' will be printed on the screen) and then for the remaining 5 minutes no packets will be accepted (and so a long string of '.' will be printed).

    But it doesn't work...

    What am I doing wrong?

    PS: in man pages of ping we read (about -f option):
    -f Flood ping. Outputs packets as fast as they come back or one
    hundred times per second, whichever is more. For every
    ECHO_REQUEST sent a period ``.'' is printed, while for every
    ECHO_REPLY received a backspace is printed. This provides a
    rapid display of how many packets are being dropped.
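The limit/limit-burst mechanics quoted in the post above, as an added example that is not part of the thread: a Python model of the netfilter limit match as a token bucket (credits counted in milliseconds is the model's own simplification, not the kernel's units), run over a constructed packet stream that looks like `ping -f` against the thread's `--limit 1/minute --limit-burst 5` rule.

```python
"""Token-bucket model of the netfilter 'limit' match (xt_limit).

Added example, not code from the thread or from netfilter. The bucket starts
full with --limit-burst credits and refills at the --limit rate; a packet that
finds a whole credit is matched (the rule's target fires), otherwise it falls
through to the next rule or the chain policy. Times are integer milliseconds;
the arrivals in __main__ are constructed."""
from dataclasses import dataclass

UNIT_MS = {"second": 1_000, "minute": 60_000, "hour": 3_600_000, "day": 86_400_000}


def cost_ms(spec: str) -> int:
    """Milliseconds one credit takes to regenerate, for '--limit 1/minute', '5/sec', ..."""
    count, _, unit = spec.partition("/")
    unit = unit or "second"                      # iptables' default unit
    for name, ms in UNIT_MS.items():
        if name.startswith(unit.lower()):         # abbreviations (sec, min) match by prefix
            return ms // int(count)
    raise ValueError(f"unknown rate unit {unit!r}")


@dataclass
class LimitMatch:
    cost: int        # ms per credit, from cost_ms()
    burst: int = 5   # --limit-burst (iptables default is 5)

    def __post_init__(self) -> None:
        self.cap = self.burst * self.cost
        self.credit = self.cap                   # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms: int) -> bool:
        """Decision for one packet arriving at now_ms (arrival times non-decreasing)."""
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def simulate(spec: str, burst: int, arrivals_ms: list[int]) -> list[bool]:
    """Run an arrival sequence through one limit match; True means the rule matched."""
    m = LimitMatch(cost_ms(spec), burst)
    return [m.matches(t) for t in arrivals_ms]


if __name__ == "__main__":
    # Constructed stream for the thread's rule: 8 packets at once, then one every 10 s.
    arrivals = [0] * 8 + [10_000 * k for k in range(1, 13)]
    for t, hit in zip(arrivals, simulate("1/minute", 5, arrivals)):
        print(f"t={t / 1000:6.1f}s  {'ACCEPT' if hit else 'no match: next rule / chain policy'}")
```

Note that the thread's rule only has an ACCEPT target: packets the match does not pick up are not dropped by it but continue to the next rule or the OUTPUT chain's policy, so a DROP rule for the same traffic placed after it is what makes the limit take effect.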

  2. #2
    claudiu, Just Joined! (Join Date: Dec 2009, Location: Bucharest, Romania, Posts: 16)
    Shouldn't you use echo-reply instead of echo-request?

    echo-request is for incoming pings
    echo-reply is for outgoing pings
    At least for iptables...

  3. #3
    Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Quote Originally Posted by np2k View Post
    Hi all! I'm new to the forum, and I'm a newbie in the world of netfilter/iptables.

    I've read an article about iptables and rate limit module:


    Now I have some problems understanding how it works.
    Take a look at this TUTORIAL



    Quote Originally Posted by claudiu View Post
    Shouldn't you use echo-reply instead of echo-request?

    echo-request is for incoming pings
    echo-reply is for outgoing pings
    At least for iptables...
    echo-request is right, as he is sending the ping packets and they are requests.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
