From: Phil Oester <kernel@linuxace.com>
To: podo <podo@hnup.de>
Cc: 'netfilter' <netfilter@vger.kernel.org>
Subject: Re: Limit rule for ICMP not working properly?
Date: Thu, 5 Sep 2013 08:11:54 -0700	[thread overview]
Message-ID: <20130905151153.GA14774@linuxace.com> (raw)
In-Reply-To: <000901ceaa48$60fe2a40$22fa7ec0$@hnup.de>

On Thu, Sep 05, 2013 at 04:58:27PM +0200, podo wrote:
> Hi,
> 
> the default is DROP:
> 
> iptables -L -n -v
> Chain INPUT (policy DROP 314 packets, 98684 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   963 66540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>    29  1740 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
>    39  2836 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 5384 packets, 387K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> The problem is, that the second rule gets hit, even if it should not (my
> opinion). ICMP can not be "established". Or ?

I think you mean _third_ rule in the above example.  When you successfully
ping the box, an entry is added to /proc/net/nf_conntrack.  Until that
entry expires (30 seconds by default for icmp), any additional icmp
packet with the same ID will match that conntrack entry and be considered
"established".

Wait > 30 seconds between (single) pings and you should not see the established
rule hitcount increasing.

Phil
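
To make the behaviour Phil describes concrete, here is a small model of the quoted INPUT chain. It is an added example for this archive page, not code from the thread, from iptables or from the kernel. It assumes the netfilter semantics a practitioner would expect: the `limit` match is a token bucket (`avg 1/sec burst 5`), an ICMP echo conntrack entry is keyed by source, destination and ICMP id, lives 30 seconds (the `nf_conntrack_icmp_timeout` default), is refreshed by every packet, and becomes ESTABLISHED once the box has replied; rules are evaluated first match wins. The source address `10.0.0.2`, the ICMP id `0x1234` and the packet timings are constructed; times are integer milliseconds so the arithmetic is exact.

```python
"""Model of the INPUT chain quoted above: ICMP echo conntrack with a 30 s
timeout, the token-bucket 'limit' match and first-match rule evaluation.
Constructed example for this thread, not kernel or iptables code.
All times are integer milliseconds."""

ICMP_CT_TIMEOUT_MS = 30_000   # nf_conntrack_icmp_timeout default is 30 s


class LimitMatch:
    """Token bucket like 'iptables -m limit --limit AVG/sec --limit-burst BURST'.
    Credits are kept in thousandths of a token so everything stays integer."""

    def __init__(self, avg_per_sec, burst):
        self.refill_per_ms = avg_per_sec   # tokens per second == millitokens per ms
        self.cap = burst * 1000
        self.credits = self.cap            # the bucket starts full
        self.last_ms = 0

    def match(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.credits = min(self.cap, self.credits + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.credits >= 1000:           # one whole token available: match
            self.credits -= 1000
            return True
        return False


class Conntrack:
    """ICMP echo entries keyed by (src, dst, icmp id), as nf_conntrack keys them."""

    def __init__(self):
        self.table = {}                    # key -> [expires_ms, seen_reply]

    def state(self, key, now_ms):
        """Classify an incoming echo request and create or refresh its entry."""
        entry = self.table.get(key)
        if entry is not None and entry[0] <= now_ms:
            del self.table[key]            # timed out: the next packet is NEW again
            entry = None
        if entry is None:
            self.table[key] = [now_ms + ICMP_CT_TIMEOUT_MS, False]
            return "NEW"
        entry[0] = now_ms + ICMP_CT_TIMEOUT_MS   # every packet refreshes the timer
        return "ESTABLISHED" if entry[1] else "NEW"

    def saw_reply(self, key, now_ms):
        """The box answered (OUTPUT, policy ACCEPT): entry is now ESTABLISHED."""
        entry = self.table.get(key)
        if entry is not None:
            entry[0] = now_ms + ICMP_CT_TIMEOUT_MS
            entry[1] = True


def run_input_chain(requests, reply_delay_ms=10):
    """Feed echo requests (time_ms, src, icmp_id) through the quoted INPUT chain
    and return per-rule hit counts. reply_delay_ms=None models a host that never
    answers, so no entry ever reaches ESTABLISHED."""
    ct = Conntrack()
    limit = LimitMatch(avg_per_sec=1, burst=5)
    hits = {"icmp-limit": 0, "established": 0, "policy-DROP": 0}
    for t, src, icmp_id in sorted(requests):
        key = (src, "box", icmp_id)
        st = ct.state(key, t)
        # rule 1 (tcp) never matches ICMP; rules 2 and 3 in the quoted order.
        # Every packet fed here is an echo request, so 'icmptype 8' holds.
        if limit.match(t):
            hits["icmp-limit"] += 1
        elif st == "ESTABLISHED":
            hits["established"] += 1
        else:
            hits["policy-DROP"] += 1
            continue                       # dropped: no reply, entry stays NEW
        if reply_delay_ms is not None:
            ct.saw_reply(key, t + reply_delay_ms)
    return hits


# Constructed traffic: one answered ping, then 20 requests 100 ms apart
# carrying the same ICMP id (what a flood from one ping process looks like).
FLOOD = [(0, "10.0.0.2", 0x1234)] + [
    (1000 + 100 * i, "10.0.0.2", 0x1234) for i in range(20)
]


def flood_after_one_ping():
    return run_input_chain(FLOOD)            # excess packets land on rule 3


def flood_unanswered():
    return run_input_chain(FLOOD, reply_delay_ms=None)   # excess packets are dropped


def single_pings_spaced(gap_ms, count=4):
    """Single pings gap_ms apart; with gap_ms > 30000 the entry expires between them."""
    return run_input_chain([(gap_ms * i, "10.0.0.2", 0x1234) for i in range(count)])


if __name__ == "__main__":
    print("flood, box replies   :", flood_after_one_ping())
    print("flood, no replies    :", flood_unanswered())
    print("pings 31 s apart     :", single_pings_spaced(31_000))
```

The flood run shows the consequence for the ruleset as quoted: the limit rule takes the burst of 5 plus one packet per second, and every request beyond that falls through to rule 3, which accepts it because the entry created by the first answered ping is still alive and is refreshed by each packet. The same flood against a box that never replied is dropped by the policy, and single pings more than 30 seconds apart never touch rule 3, which is the check Phil suggests. On a real box the entry itself is visible in /proc/net/nf_conntrack (or with `conntrack -L -p icmp`) while it is alive.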


Thread overview: 6+ messages
2013-07-18 16:55 Limit rule for ICMP not working properly? podo
     [not found] ` <CAKpaJ1wgnikpc9WcwCVgzf45F1Lpwbp9LMr4_2bXk6XYf7nRjw@mail.gmail.com>
2013-09-05 14:58   ` podo
2013-09-05 15:11     ` Phil Oester [this message]
2013-09-05 15:43       ` podo
2013-09-05 18:23         ` Phil Oester
2013-09-06  0:10         ` Humberto Jucá
