iptables and limit module
Hi all! I'm new to the forum, and I'm a newbie in the world of netfilter/iptables.
I've read an article about iptables and the rate limit module:
Quote:
Code:
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
The firewall will let the first 5 packets in, in the first minute, thanks to --limit-burst 5; this means, however, that the packets/minute now is 5, so any further packets are blocked until packets/minute = 1, i.e. 5 minutes later. In the sixth minute, packets/minute will be 5/6 < 1, so another ping request will be let in. When the extra ping request is admitted, the ratio becomes 6/6 = 1 again, and packets are DROPped again until the next minute.
Now I have some problems understanding how it works.
For example:
I want to ping google.com in this way:
the kernel firewall permits sending the first 5 packets to google.com (--limit-burst 5) and then blocks the remaining packets for 5 minutes. At the sixth minute (because I want a limit rate equal to 1/minute: --limit 1/minute) one packet can be sent to google again. And so on.
So my rule should be:
Code:
iptables -A OUTPUT -d url_of_google -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
In this way, if I type
Code:
ping -f url_of_google
I expect that the first 5 packets are accepted (and so no '.' will be printed on the screen) and then for the remaining 5 minutes no packets will be accepted (and so a long string of '.' will be printed).
But it doesn't work...
What am I doing wrong?
PS: in the man page of ping we read (about the -f option):
Quote:
-f Flood ping. Outputs packets as fast as they come back or one hundred times per second, whichever is more. For every ECHO_REQUEST sent a period ``.'' is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped.