topic Re: Question about iptables limit match in Operating System - Linux

Question about iptables limit match

debian111 — Tue, 26 Sep 2006 12:11:53 GMT

Hi , I have two firewall scripts first and second. When I run FIRST my firewall response on every ping request, and rule
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
does not working.

when I run SECOND the above rule works propery.
I really do not know what is wrong with my first script and why above rule does not working. As you can see the second script is part of first. Just look at these scripts and if you know, and you can see what is wrong write it down.
Thanks

I did
iptables -F
iptables -X for first,

and then run second, and then above rule works

#################### FIRST ###################
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -X
iptables -t nat -X
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -s 127.0.0.1/255.0.0.0 -i eth1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/255.0.0.0 -o eth1 -j ACCEPT

iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -A INPUT -p icmp -s 127.0.0.1 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

##################### FIRST ###################

####################### SECOND ###############

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

##################### SECOND #################

Thanks

Re: Question about iptables limit match

Steven E. Protter — Tue, 26 Sep 2006 12:25:20 GMT

Shalom,

run iptables -L after running the first script. iptables essentially reads it sections top to bottom. You may see a confict, but in essense, last rule wins.

You may want to reverse the order of the two icmp statements and see if you do better.

SEP

Re: Question about iptables limit match

debian111 — Tue, 26 Sep 2006 13:00:15 GMT

I tryed all,
I first run script FIRST try rules ( they does not working ) then
iptables -F
iptables -X
and thed SECOND script, there is no influence of first script to second, they are independent of each other.
Just one scrip in time of testing.
REgards

Re: Question about iptables limit match

Ivan Ferreira — Tue, 26 Sep 2006 15:51:33 GMT

From where are you testing the ping? If localhost, then there is the problem, because the rules are checked in order, and localhost in FIRST has ACCEPT as rule.

Re: Question about iptables limit match

kcpant — Tue, 26 Sep 2006 23:52:10 GMT

Hi Debian111,

Easiest way to trece what's wrong is, comment out (put # before the rule) one rule at a time and then run the script. You will be able to find out exactly which rule is allowing ICMP requests without limit.

If you are pinging from local machine, no limit will work, because you have accpted all input & output on localhost.

Re: Question about iptables limit match

debian111 — Wed, 27 Sep 2006 05:14:22 GMT

I put second script at begining of firts script ang got desired results.

Regards

Re: Question about iptables limit match

debian111 — Wed, 27 Sep 2006 05:15:03 GMT

Thanks