I am trying to block icmp pings from a server if the packet count is greater than 2 per second (packet count reduced for testing).
I tried these 2 rules separately but they don't seem to help:
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 1 --hitcount 2 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT --match limit --limit 2/s --limit-burst 2
wht's wrong with these rules ?
I am pinging form another server using below command but the ping continues to get replies –
ping -n -i 0.2 192.168.2.86
also when I check iptables -nvL output – the packet count for the rule is not increasing …
Machine used is centos 6.8
Some Progress:
I added a default drop rule at the end of table:
iptables -A INPUT -p icmp -m icmp -j DROP
and then adding this rule dropped pings that exceeded the limit
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/second -j ACCEPT -m comment --comment "icmprule1"
still not able to block the server completely.
Best Answer
Here it goes, adding a secondary ICMPSCAN chain (and putting the jump rule in first position of INPUT chain):
Note: both set/update rules could be set instead in INPUT without the secondary, but I prefer to put such rules in distinct chains.
Note2: an additional rule after --set could be added to log the event...
dynamic blacklisting:
Now, to add a permanent dynamic blacklist based on recent hitcount trigger, we can take advantage of ipset feature. ipset is available for centos 6.x , and iptables is ipset aware, but you may need to install it first.
Here the iptables/ipset rules to match your need:
You can list the current contents of banned list using ipset list, for example:
and manage the set list, for example to remove an ip address like:
See also this page: http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset