Limit rule for ICMP not working properly?

Limit rule for ICMP not working properly?

[podo]

Hello all,

I have a problem with the limit module. The goal is to limit the incoming
ICMP echo-requests to max 1/s.
The following rule does it (as example using the INPUT) :

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

The above is working fine. But when there is a rule for accepting the
ESTABLISHED packets, the limit does not work:

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

With these 2 rules the limit does not work...

Using the "iptables -A INPUT -m state --state ESTABLISHED -p ICMP -j ACCEPT"
and  "watch -d -n 1  iptables -nvL" is showing, that all the ICMP
echo-requests from the same host are being considered ESTABLISHED.

I am not sure, but I think after sending the ICMP echo-reply the session
should be closed. With new echo-request a new session is opened.

Please could somebody confirm, if this behavior is correct ? And if yes
please explain ?

See also:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598513

and from
"http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html
" :

"ESTABLISHED
 A packet which belongs to an existing connection (i.e., a reply 
packet, or outgoing packet on a connection which has seen replies)."

And from "http://www.lug.or.kr/docs/iptables-tutorial/onepage/" :

"The reply packet is considered as being ESTABLISHED, as we have already 
explained. However, we can know for sure that after the ICMP reply, 
there will be absolutely no more legal traffic in the same connection. 
For this reason, the connection tracking entry is destroyed once the 
reply has traveled all the way through the Netfilter structure."

I am using iptables v1.4.14.

Thanks in advance,
Regards,
Podo.

RE: Limit rule for ICMP not working properly?

[podo]

Hi,

the default is DROP:

iptables -L -n -v
Chain INPUT (policy DROP 314 packets, 98684 bytes)
pkts bytes target     prot opt in     out     source
destination
  963 66540 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0
   29  1740 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
   39  2836 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            state ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 5384 packets, 387K bytes)
pkts bytes target     prot opt in     out     source
destination

The problem is, that the second rule gets hit, even if it shoud not (my
opinion). ICMP can not be "established". Or ?

I know I could add new rule after the limit - with ICMP reject. This would
probably work. But it should work also without explicit reject for ICMP.


Thanks,
Regards,
Podo.

From: Vishesh kumar [mailto:linuxtovishesh@gmail.com] 
Sent: 05 September, 2013 16:15
To: podo
Cc: netfilter
Subject: Re: Limit rule for ICMP not working properly?

Hi,
Does 2nd rule getting hit . Also where is the REJECT rule ?
iptables -L -n -v
Thanks

On Thu, Jul 18, 2013 at 10:25 PM, podo <podo@hnup.de> wrote:
Hello all,

I have a problem with the limit module. The goal is to limit the incoming
ICMP echo-requests to max 1/s.
The following rule does it (as example using the INPUT) :

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

The above is working fine. But when there is a rule for accepting the
ESTABLISHED packets, the limit does not work:

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

With these 2 rules the limit does not work...

Using the "iptables -A INPUT -m state --state ESTABLISHED -p ICMP -j ACCEPT"
and  "watch -d -n 1  iptables -nvL" is showing, that all the ICMP
echo-requests from the same host are being considered ESTABLISHED.

I am not sure, but I think after sending the ICMP echo-reply the session
should be closed. With new echo-request a new session is opened.

Please could somebody confirm, if this behavior is correct ? And if yes
please explain ?

See also:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598513

and from
"http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html
" :

"ESTABLISHED
 A packet which belongs to an existing connection (i.e., a reply
packet, or outgoing packet on a connection which has seen replies)."

And from "http://www.lug.or.kr/docs/iptables-tutorial/onepage/" :

"The reply packet is considered as being ESTABLISHED, as we have already
explained. However, we can know for sure that after the ICMP reply,
there will be absolutely no more legal traffic in the same connection.
For this reason, the connection tracking entry is destroyed once the
reply has traveled all the way through the Netfilter structure."

I am using iptables v1.4.14.

Thanks in advance,
Regards,
Podo.


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
http://linuxmantra.com 

Re: Limit rule for ICMP not working properly?

[Phil Oester]

On Thu, Sep 05, 2013 at 04:58:27PM +0200, podo wrote:
> Hi,
> 
> the default is DROP:
> 
> iptables -L -n -v
> Chain INPUT (policy DROP 314 packets, 98684 bytes)
> pkts bytes target     prot opt in     out     source
> destination
>   963 66540 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>    29  1740 ACCEPT     icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
>    39  2836 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state ESTABLISHED
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source
> destination
> 
> Chain OUTPUT (policy ACCEPT 5384 packets, 387K bytes)
> pkts bytes target     prot opt in     out     source
> destination
> 
> The problem is, that the second rule gets hit, even if it shoud not (my
> opinion). ICMP can not be "established". Or ?

I think you mean _third_ rule in the above example.  When you successfully
ping the box, an entry is added to /proc/net/nf_conntrack.  Until that
entry expires (30 seconds by default for icmp), then any additional icmp
packet with the same ID will match that conntrack entry and be considered
"established".  

Wait > 30 seconds between (single) pings and you should not see the established
rule hitcount increasing.

Phil

RE: Limit rule for ICMP not working properly?

[podo]

Hi Phil,
Yes, I ment the 3th rule (Established accept).

Please what do you mean by "same ID" ? And is this not exactly the problem ?
nf_conntrack is even not needed, when only the first rule is present:
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

ICMP should not be tracked as established...
In my opinion the behaviour is not correct. 

Podo

-----Original Message-----
From: Phil Oester [mailto:kernel@linuxace.com] 
Sent: 05 September, 2013 17:12
To: podo
Cc: 'netfilter'
Subject: Re: Limit rule for ICMP not working properly?

On Thu, Sep 05, 2013 at 04:58:27PM +0200, podo wrote:
> Hi,
> 
> the default is DROP:
> 
> iptables -L -n -v
> Chain INPUT (policy DROP 314 packets, 98684 bytes)
> pkts bytes target     prot opt in     out     source
> destination
>   963 66540 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>    29  1740 ACCEPT     icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
>    39  2836 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state ESTABLISHED
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source
> destination
> 
> Chain OUTPUT (policy ACCEPT 5384 packets, 387K bytes)
> pkts bytes target     prot opt in     out     source
> destination
> 
> The problem is, that the second rule gets hit, even if it shoud not (my
> opinion). ICMP can not be "established". Or ?

I think you mean _third_ rule in the above example.  When you successfully
ping the box, an entry is added to /proc/net/nf_conntrack.  Until that
entry expires (30 seconds by default for icmp), then any additional icmp
packet with the same ID will match that conntrack entry and be considered
"established".  

Wait > 30 seconds between (single) pings and you should not see the
established
rule hitcount increasing.

Phil

Re: Limit rule for ICMP not working properly?

[Phil Oester]

On Thu, Sep 05, 2013 at 05:43:59PM +0200, podo wrote:
> Hi Phil,
> Yes, I ment the 3th rule (Established accept).
> 
> Please what do you mean by "same ID" ? And is this not exactly the problem ?
> nf_conntrack is even not needed, when only the first rule is present:
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

By "ID" I mean ICMP ID.  Do some testing on your own with something like this:

     while : ; do grep icmp  /proc/net/nf_conntrack ; sleep 1 ; done

while you have a ping going.  You'll note that as long as the ICMP ID (and
src/dst IPs) are identical, only one conntrack entry is utilized.  If you continually
ping, the only update will be the timer refreshing to 30 seconds.  During this time,
you will note your "established" rule increasing.  If you ping 5 times, the established
rule should register 4 hits.  

If you allow the conntrack to expire (by waiting 30 seconds), then the cycle starts
over again.

> ICMP should not be tracked as established...
> In my opinion the behaviour is not correct. 

This is optimal behavior.  Also, without this, DoS attacks against conntrack
would be much simpler.

Phil

Re: Limit rule for ICMP not working properly?

[Humberto Jucá]

Hi,

IMHO, you shouldn't try to limit the packets only with a single ACCEPT
rule (this doesn't work in most cases).
Your "icmp limit" rule isn't limiting anything - only indicates which
icmp-echo frequency will be authorized. So, when authorized by limit
rule, the following icmp-echo sequences will be considered
established.

To set packet limits, make this in a new chain.

iptables -N icmplimit
iptables -A icmplimit -m limit --limit 8/s -j ACCEPT
iptables -A icmplimit -j DROP

iptables -A INPUT -p icmp --icmp-type echo-request -j icmplimit

And it will be best if you use hashlimit.


2013/9/5 podo <podo@hnup.de>:
> Hi Phil,
> Yes, I ment the 3th rule (Established accept).
>
> Please what do you mean by "same ID" ? And is this not exactly the problem ?
> nf_conntrack is even not needed, when only the first rule is present:
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
>
> ICMP should not be tracked as established...
> In my opinion the behaviour is not correct.
>
> Podo
>
> -----Original Message-----
> From: Phil Oester [mailto:kernel@linuxace.com]
> Sent: 05 September, 2013 17:12
> To: podo
> Cc: 'netfilter'
> Subject: Re: Limit rule for ICMP not working properly?
>
> On Thu, Sep 05, 2013 at 04:58:27PM +0200, podo wrote:
>> Hi,
>>
>> the default is DROP:
>>
>> iptables -L -n -v
>> Chain INPUT (policy DROP 314 packets, 98684 bytes)
>> pkts bytes target     prot opt in     out     source
>> destination
>>   963 66540 ACCEPT     tcp  --  *      *       0.0.0.0/0
>> 0.0.0.0/0
>>    29  1740 ACCEPT     icmp --  *      *       0.0.0.0/0
>> 0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
>>    39  2836 ACCEPT     all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0            state ESTABLISHED
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target     prot opt in     out     source
>> destination
>>
>> Chain OUTPUT (policy ACCEPT 5384 packets, 387K bytes)
>> pkts bytes target     prot opt in     out     source
>> destination
>>
>> The problem is, that the second rule gets hit, even if it shoud not (my
>> opinion). ICMP can not be "established". Or ?
>
> I think you mean _third_ rule in the above example.  When you successfully
> ping the box, an entry is added to /proc/net/nf_conntrack.  Until that
> entry expires (30 seconds by default for icmp), then any additional icmp
> packet with the same ID will match that conntrack entry and be considered
> "established".
>
> Wait > 30 seconds between (single) pings and you should not see the
> established
> rule hitcount increasing.
>
> Phil
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html