I have the following rule, which I believe will restrict ICMP packets to 1/s.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:988]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -s 11.x.x.71/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.65/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.66/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
But when I ping this host with "ping -i .001", all the packets are reaching this machine, and in iptables -nvL the DROP counter is not incrementing. What's wrong with this rule?
Best Answer
The issue here is that you accept one packet (which implicitly is state NEW) and then attempt to apply a limit rule. The limit probably does work; however, the
RELATED,ESTABLISHED
rule later down the line will probably mess things up for you. You have two options:
Given the tables are there right now...
Set the related and established rule on a per-protocol basis.
Make ICMP traffic of that type not trackable by state tracking.
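As an added example (not part of the answer above), here is the question's ruleset rewritten both ways in iptables-restore format: option 1 restricts the state rule to TCP and UDP in the filter table, and option 2 untracks echo requests in the raw table so they can never become ESTABLISHED. It assumes the question's redacted 11.x.x.* addresses as placeholders and narrows the limit rule to echo-request so RELATED ICMP errors are not rate limited.

```iptables
# Option 1: keep conntrack, but stop the generic RELATED,ESTABLISHED rule
# from accepting tracked ICMP echo requests.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Echo requests are accepted only here, at 1/s (default burst of 5);
# anything over the limit falls through to the INPUT DROP policy.
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT
# ICMP errors tied to an existing flow (e.g. destination unreachable for one
# of our TCP connections) are RELATED, not pings; keep accepting them.
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Management hosts, using the question's redacted placeholder addresses.
-A INPUT -s 11.x.x.71/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.65/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.66/32 -p tcp -m tcp --dport 22 -j ACCEPT
# Per-protocol state rules: TCP and UDP return traffic is still accepted, but
# an ESTABLISHED ICMP echo flow no longer bypasses the limit rule above.
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT

# Option 2 (use instead of the per-protocol rules above): do not track echo
# requests at all, so their state is UNTRACKED and never ESTABLISHED.
# "-j CT --notrack" replaces the older "-j NOTRACK" target; the echo replies
# leave via OUTPUT, whose policy is ACCEPT, so they need no extra rule.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p icmp -m icmp --icmp-type echo-request -j CT --notrack
COMMIT
```

Load it with iptables-restore (iptables-restore --test parses the file without committing it); with the fix in place, "ping -i .001" should get only the burst plus about one reply per second, and the INPUT policy counter in iptables -nvL should climb.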