Iptables – Restricting ICMP using iptables


I have the following rule, which I believe will restrict ICMP packets to 1/s.

:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:988]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -s 11.x.x.71/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.65/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.66/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

But when I ping this host with "ping -i .001 " all the packets are reaching this machine, and in iptables -nvL the DROP counter is not incrementing. What's wrong with this rule?

Best Answer

The issue here is that you accept one packet (which implicitly is state NEW) and then attempt to apply a limit rule. The limit probably does work; however, the RELATED,ESTABLISHED rule later down the line will probably mess things up for you.

You have two options:

  1. Set the related and established rule on a per-protocol basis.
  2. Make ICMP traffic of that type not trackable by state tracking.

Given the tables are there right now...

Set the related and established rule on a per-protocol basis.

iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m udp -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

Make ICMP traffic of that type not trackable by state tracking.

iptables -t raw -I PREROUTING -m icmp -p icmp --icmp-type any -j NOTRACK
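As an added example that is not part of the question or the answer: a small shell check that scans an iptables-save dump for the ordering problem the answer describes, with two constructed sample dumps (one mirroring the question's rules, one with the per-protocol fix). The function name and the dumps are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the question or answer: lint an iptables-save dump
# (read on stdin) for the pitfall described above, i.e. an ICMP rate-limit
# ACCEPT in INPUT followed by a protocol-agnostic RELATED,ESTABLISHED ACCEPT
# that later echo requests of the same conntrack flow can match.
# Returns 1 (and prints the offending lines) when the pitfall is present,
# 0 when it is absent or ICMP is marked NOTRACK in the raw table.
check_icmp_limit_bypass() {
    awk '
      # raw-table NOTRACK for ICMP: the flow never gets a conntrack state
      /^-A PREROUTING / && /-p icmp/ && (/-j NOTRACK/ || /-j CT --notrack/) { untracked = 1 }
      # the rate-limited ICMP accept in INPUT
      /^-A INPUT / && /-p icmp/ && /-m limit/ && /-j ACCEPT/ { limit_line = NR }
      # a RELATED,ESTABLISHED accept not restricted to tcp or udp, after the limit rule
      /^-A INPUT / && /--(ct)?state RELATED,ESTABLISHED/ && /-j ACCEPT/ && $0 !~ /-p (tcp|udp)/ {
          if (limit_line) bypass_line = NR
      }
      END {
          if (bypass_line && !untracked) {
              printf "line %d: generic RELATED,ESTABLISHED ACCEPT follows ICMP limit rule at line %d\n", bypass_line, limit_line
              exit 1
          }
          exit 0
      }
    '
}

# Constructed dump mirroring the ruleset in the question (filter table only).
QUESTION_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed dump applying the first fix from the answer (per-protocol state rules).
FIXED_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$QUESTION_DUMP" | check_icmp_limit_bypass || echo "question ruleset: limit can be bypassed"
printf '%s\n' "$FIXED_DUMP"    | check_icmp_limit_bypass && echo "fixed ruleset: ok"
```

Run it against `iptables-save` output on a host to see whether the generic state rule still sits after the ICMP limit rule.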