~ IPTables : Limit Incoming UDP Packets With a Certain Length ~

[TomBoy123]

Hello,

I am currently trying to limit incoming UDP length 20 packets on a per IP basis to 5 a second using IPTables on a Linux machine (CentOS 5.2).

Basically, if an IP is sending more than 5 length 20 UDP packet a second to the local machine, I would like the machine to drop the excess length 20 packets coming from that IP.

The modules that should work perfectly for this type of "rule set" are;

- Limiting module
- Length module

Both of which are installed / compiled with the kernel/IPTables correctly and functioning.

I have tried several rule sets, and they all seem to not fully work. Either they drop all UDP length 20 packets going to the local machine or allow all them through.

Below is one of the rule sets I use, and it is not working. Any ideas what the issue could be?

Code:

iptables -N CHECK1
iptables -A INPUT -p udp -m length --length 20 -j CHECK1
iptables -A CHECK1 -p udp -m length --length 20 -m limit --limit 5/second -j ACCEPT
iptables -A CHECK1 -j DROP

Any help would be appreciated. Thanks ahead of time!

[TomBoy123]

Any ideas?

[Lazydog]

Have you tried

Code:

--length 20:1500

This should include all packet 20 and larger. your rule was saying only packet lengths of 20.