- 04-08-2010 #1
iptables and limit module
Hi all! I'm new in the forum, and I'm a newbie in the world of netfilter/iptables.
I've read an article about iptables and the rate limit module:
Code:
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
The firewall will let the first 5 packets in in the first minute, thanks to --limit-burst 5; this means, however, that the packets/minute now is 5, so any further packets are blocked until packets/minute = 1, i.e. 5 minutes later. In the sixth minute, packets/minute will be 5/6 < 1, so another ping request will be let in. When the extra ping request is admitted, the ratio becomes 6/6 = 1 again, and packets are DROPped again until the next minute.
Now I have some problems in understanding how it works.
For example:
I want to ping google.com in this way:
the kernel firewall permits sending the first 5 packets to google.com (--limit-burst 5) and then blocks the remaining packets for 5 minutes. At the sixth minute (because I want a rate limit of 1/minute: --limit 1/minute) one packet can be sent to google again. And so on.
So my rule should be:
Code:
iptables -A OUTPUT -d url_of_google -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
In this way, if I type
Code:
ping -f url_of_google
I expect that the first 5 packets are accepted (and so zero '.' will be printed on the screen) and then for the remaining 5 minutes no packets will be accepted (and so a long string of '.' will be printed).
But it doesn't work...
What am I doing wrong?
PS: in the man page of ping we read (about the -f option):
-f Flood ping. Outputs packets as fast as they come back or one
hundred times per second, whichever is more. For every
ECHO_REQUEST sent a period ``.'' is printed, while for every
ECHO_REPLY received a backspace is printed. This provides a
rapid display of how many packets are being dropped.
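As an added example that is not part of the thread, here is the token-bucket behaviour of `-m limit` modelled in Python after the kernel's xt_limit match: the bucket starts with --limit-burst tokens, each matching packet spends one, and tokens refill continuously at the --limit rate, so after the initial burst the next packet matches one minute later. It also models the chain walk, which is the check a practitioner would make on the rule above: a packet that fails the limit match is not dropped by that rule, it falls through to the next rule or to the chain policy, so with an ACCEPT policy and no trailing DROP rule every over-limit ping still goes out. The packet times are constructed, and `LimitMatch`, `run_chain` and `limited_verdicts` are this example's own names.

```python
class LimitMatch:
    """Token bucket modelled on the kernel xt_limit match (a model, not kernel code).
    The bucket starts full with `burst` tokens, each matching packet spends one,
    and tokens refill continuously at the --limit rate, capped at `burst`."""

    def __init__(self, limit_per_minute, burst):
        self.rate = limit_per_minute / 60.0   # tokens per second
        self.burst = burst
        self.tokens = float(burst)            # full bucket at rule insertion
        self.last = 0.0                       # time of the previous packet

    def match(self, now):
        """True if a packet seen at time `now` (seconds) matches the rule."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(packet_times, rules, policy):
    """Walk a minimal OUTPUT chain: the first rule whose match succeeds decides
    the verdict, and a packet matching no rule gets the chain policy."""
    verdicts = []
    for t in packet_times:
        verdict = policy
        for match, target in rules:
            if match(t):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


def limited_verdicts(packet_times, with_drop_rule):
    """The thread's rule (--limit 1/minute --limit-burst 5 -j ACCEPT) under the
    default ACCEPT policy, optionally followed by a catch-all DROP for echo-requests."""
    lim = LimitMatch(limit_per_minute=1, burst=5)
    rules = [(lim.match, "ACCEPT")]
    if with_drop_rule:
        rules.append((lambda t: True, "DROP"))  # -p icmp --icmp-type echo-request -j DROP
    return run_chain(packet_times, rules, policy="ACCEPT")


if __name__ == "__main__":
    # Constructed sample: ping -f sends a packet every 10 ms, then one last at 61 s.
    times = [i * 0.01 for i in range(8)] + [61.0]
    print(limited_verdicts(times, with_drop_rule=False))  # 9 x ACCEPT: nothing drops
    print(limited_verdicts(times, with_drop_rule=True))   # 5 ACCEPT, 3 DROP, ACCEPT
```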
- 04-08-2010 #2
Shouldn't you use echo-reply instead of echo-request?
echo-request is for incoming pings
echo-reply is for outgoing pings
At least for iptables...
- 04-10-2010 #3
Take a look at this TUTORIAL
echo-request is right, as he is sending the ping packets and they are requests.