HPE Community
Operating System - Linux
1828863 Members
2425 Online
109985 Solutions
New Discussion

Re: Question about iptables limit match

 
debian111
Regular Advisor

‎09-26-2006 05:11 AM

‎09-26-2006 05:11 AM

Question about iptables limit match

Hi , I have two firewall scripts first and second. When I run FIRST my firewall response on every ping request, and rule
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
does not working.

when I run SECOND the above rule works propery.
I really do not know what is wrong with my first script and why above rule does not working. As you can see the second script is part of first. Just look at these scripts and if you know, and you can see what is wrong write it down.
Thanks

I did
iptables -F
iptables -X for first,

and then run second, and then above rule works


#################### FIRST ###################
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -X
iptables -t nat -X
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -s 127.0.0.1/255.0.0.0 -i eth1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/255.0.0.0 -o eth1 -j ACCEPT

iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -A INPUT -p icmp -s 127.0.0.1 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

##################### FIRST ###################


####################### SECOND ###############

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

##################### SECOND #################




Thanks
0 Kudos
6 REPLIES 6
Steven E. Protter
Exalted Contributor

‎09-26-2006 05:25 AM

‎09-26-2006 05:25 AM

Re: Question about iptables limit match

Shalom,

run iptables -L after running the first script. iptables essentially reads it sections top to bottom. You may see a confict, but in essense, last rule wins.

You may want to reverse the order of the two icmp statements and see if you do better.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
debian111
Regular Advisor

‎09-26-2006 06:00 AM

‎09-26-2006 06:00 AM

Re: Question about iptables limit match

I tryed all,
I first run script FIRST try rules ( they does not working ) then
iptables -F
iptables -X
and thed SECOND script, there is no influence of first script to second, they are independent of each other.
Just one scrip in time of testing.
REgards
0 Kudos
Ivan Ferreira
Honored Contributor

‎09-26-2006 08:51 AM

‎09-26-2006 08:51 AM

Re: Question about iptables limit match

From where are you testing the ping? If localhost, then there is the problem, because the rules are checked in order, and localhost in FIRST has ACCEPT as rule.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
kcpant
Trusted Contributor

‎09-26-2006 04:52 PM

‎09-26-2006 04:52 PM

Re: Question about iptables limit match

Hi Debian111,

Easiest way to trece what's wrong is, comment out (put # before the rule) one rule at a time and then run the script. You will be able to find out exactly which rule is allowing ICMP requests without limit.

If you are pinging from local machine, no limit will work, because you have accpted all input & output on localhost.
PreSales Specialist
0 Kudos
debian111
Regular Advisor

‎09-26-2006 10:14 PM

‎09-26-2006 10:14 PM

Re: Question about iptables limit match

I put second script at begining of firts script ang got desired results.

Regards
0 Kudos
debian111
Regular Advisor

‎09-26-2006 10:15 PM

‎09-26-2006 10:15 PM

Re: Question about iptables limit match

Thanks
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.