* --limit 5/m doesn't work
@ 2005-03-23  2:56 Andy Samuel
       [not found] ` <558224e30503222255158832bc@mail.gmail.com>
  2005-03-23 18:36 ` Grant Taylor
  0 siblings, 2 replies; 8+ messages in thread
From: Andy Samuel @ 2005-03-23  2:56 UTC (permalink / raw)
  To: netfilter

Dear All

I have this rule:
iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT

When I tried to ping my Linux box from a Windows box:
ping -t 192.168.12.1

The reply always comes in less than 1 ms.
I'm actually expecting many timeouts because iptables would drop my
packets, but the reply always comes in less than 1 ms and no timeouts
at all.
Am I expecting something wrong?

Thank you all in advance.
Andy


* Re: --limit 5/m doesn't work
       [not found] ` <558224e30503222255158832bc@mail.gmail.com>
@ 2005-03-23  8:21   ` ASHISH
  2005-03-23 13:44     ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: ASHISH @ 2005-03-23  8:21 UTC (permalink / raw)
  To: netfilter

The rule that you have mentioned will "Accept" the first five matches.
This does not specify any condition about dropping the packets. And
after the first five packets each second, the rest of the packets will
not match this rule, so they will jump to the next rule. In order to
drop these packets (your desire as per your mail), the next rule should
be used to drop them. Take a look at this example:

$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j DROP

A combination of these two rules will help you in your cause. The
second rule drops all the packets that fail the first rule.

This type of confusion can be better analysed by logging the packets
with some preferred prefix.

Hope it helps you.

On Wed, 23 Mar 2005 09:56:35 +0700, Andy Samuel <anci@centrin.net.id> wrote:
> Dear All
>
> I have this rule:
> iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
>
> When I tried to ping my Linux box from a Windows box:
> ping -t 192.168.12.1
>
> The reply always comes in less than 1 ms.
> I'm actually expecting many timeouts because iptables would drop my
> packets, but the reply always comes in less than 1 ms and no timeouts
> at all.
> Am I expecting something wrong?
>
> Thank you all in advance.
> Andy
>
>

--
cheers
Ashish


* Re: --limit 5/m doesn't work
  2005-03-23  8:21   ` ASHISH
@ 2005-03-23 13:44     ` Jason Opperisano
  2005-03-23 13:59       ` Robert P. J. Day
  0 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2005-03-23 13:44 UTC (permalink / raw)
  To: netfilter

On Wed, 2005-03-23 at 03:21, ASHISH wrote:
> The rule that you have mentioned will "Accept" the first five matches.

to split hairs here--the way the OP has the rule written:

iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT

it will actually accept the first 10 packets, the limit of 5 + the burst
of 5--then the limit will enforce for 5 minutes.

-j

--
"Have you ever been in a police car?
 Not in the front..."
	--The Simpsons

* Re: --limit 5/m doesn't work
  2005-03-23 13:44     ` Jason Opperisano
@ 2005-03-23 13:59       ` Robert P. J. Day
  2005-03-23 14:16         ` Jason Opperisano
  2005-03-23 18:26         ` ASHISH
  0 siblings, 2 replies; 8+ messages in thread
From: Robert P. J. Day @ 2005-03-23 13:59 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

On Wed, 23 Mar 2005, Jason Opperisano wrote:

> On Wed, 2005-03-23 at 03:21, ASHISH wrote:
> > The rule that you have mentioned will "Accept" the first five matches.
>
> to split hairs here--the way the OP has the rule written:
>
> iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
>
> it will actually accept the first 10 packets, the limit of 5 + the burst
> of 5--then the limit will enforce for 5 minutes.

huh?  i'm pretty sure that's not true, as i remember figuring this out
once upon a time.  i'll go back to my notes but, as i *remember* it,
it's easiest to think in terms of tokens.  "limit-burst" means you get
that many tokens with which to "pay" to accept incoming packets.  if
you start with a limit burst of, say, 20, then you can accept the
first 20 packets, regardless of how fast they arrive -- they just cost
you all of your tokens almost immediately.

the "limit" of 5/m means that you are replenished with another token
at that rate -- effectively every 12 seconds -- but only up to your
limit-burst maximum of 20.

what this means is that, if you're getting just hammered, when you
start, you'll accept the first 20 packets and, after that, another one
every 12 seconds.  if things quiet down, then you're allowed to build
up your reserve of tokens again, but only up to your burst-limit.

i actually set up a set of rules once and *watched* this happen.

does that make sense?

rday


* Re: --limit 5/m doesn't work
  2005-03-23 13:59       ` Robert P. J. Day
@ 2005-03-23 14:16         ` Jason Opperisano
  2005-03-23 18:26         ` ASHISH
  1 sibling, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2005-03-23 14:16 UTC (permalink / raw)
  To: netfilter

On Wed, 2005-03-23 at 08:59, Robert P. J. Day wrote:
> huh?  i'm pretty sure that's not true, as i remember figuring this out
> once upon a time.  i'll go back to my notes but, as i *remember* it,
> it's easiest to think in terms of tokens.  "limit-burst" means you get
> that many tokens with which to "pay" to accept incoming packets.  if
> you start with a limit burst of, say, 20, then you can accept the
> first 20 packets, regardless of how fast they arrive -- they just cost
> you all of your tokens almost immediately.
> 
> the "limit" of 5/m means that you are replenished with another token
> at that rate -- effectively every 12 seconds -- but only up to your
> limit-burst maximum of 20.
> 
> what this means is that, if you're getting just hammered, when you
> start, you'll accept the first 20 packets and, after that, another one
> every 12 seconds.  if things quiet down, then you're allowed to build
> up your reserve of tokens again, but only up to your burst-limit.
> 
> i actually set up a set of rules once and *watched* this happen.
> 
> does that make sense?
> 
> rday

true that.

-j

--
"'Wet Cement' - is there any sweeter sign?  Maybe 'High Voltage.'"
	--The Simpsons


* Re: --limit 5/m doesn't work
  2005-03-23 13:59       ` Robert P. J. Day
  2005-03-23 14:16         ` Jason Opperisano
@ 2005-03-23 18:26         ` ASHISH
  2005-03-23 18:57           ` Robert P. J. Day
  1 sibling, 1 reply; 8+ messages in thread
From: ASHISH @ 2005-03-23 18:26 UTC (permalink / raw)
  To: netfilter

I believe that's true. Even I did check that through logging when I was
about to present this to my students in a network security course. This
is coarsely analogous to a tap that leaks into a bucket every fixed
amount of time in order to fill it, but the bucket rejects the new
drops when it is full.


On Wed, 23 Mar 2005 08:59:11 -0500 (EST), Robert P. J. Day
<rpjday@mindspring.com> wrote:
> On Wed, 23 Mar 2005, Jason Opperisano wrote:
> 
> > On Wed, 2005-03-23 at 03:21, ASHISH wrote:
> > > The rule that you have mentioned will "Accept" the first five matches.
> >
> > to split hairs here--the way the OP has the rule written:
> >
> > iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
> >
> > it will actually accept the first 10 packets, the limit of 5 + the burst
> > of 5--then the limit will enforce for 5 minutes.
> 
> huh?  i'm pretty sure that's not true, as i remember figuring this out
> once upon a time.  i'll go back to my notes but, as i *remember* it,
> it's easiest to think in terms of tokens.  "limit-burst" means you get
> that many tokens with which to "pay" to accept incoming packets.  if
> you start with a limit burst of, say, 20, then you can accept the
> first 20 packets, regardless of how fast they arrive -- they just cost
> you all of your tokens almost immediately.
> 
> the "limit" of 5/m means that you are replenished with another token
> at that rate -- effectively every 12 seconds -- but only up to your
> limit-burst maximum of 20.
> 
> what this means is that, if you're getting just hammered, when you
> start, you'll accept the first 20 packets and, after that, another one
> every 12 seconds.  if things quiet down, then you're allowed to build
> up your reserve of tokens again, but only up to your burst-limit.
> 
> i actually set up a set of rules once and *watched* this happen.
> 
> does that make sense?
> 
> rday
> 
> 


-- 
cheers
Ashish


* Re: --limit 5/m doesn't work
  2005-03-23  2:56 --limit 5/m doesn't work Andy Samuel
       [not found] ` <558224e30503222255158832bc@mail.gmail.com>
@ 2005-03-23 18:36 ` Grant Taylor
  1 sibling, 0 replies; 8+ messages in thread
From: Grant Taylor @ 2005-03-23 18:36 UTC (permalink / raw)
  To: netfilter

(I'll try replying to the mail list so others can see this too.)

Andy, something to keep in mind is that the limit that is in place is an average of 5 packets in 60 seconds, thus a packet could be matched every 12 seconds.  Something else to keep in mind is that this rule will only match based on the criteria you give it, thus if you don't have your default policy set to DROP or an explicit rule to drop the packets, they will always be accepted by default.  According to the man page, limit will support inverse matches, but I cannot get it to work, so give it a try as follows:

iptables -A INPUT -i eth0 -m limit ! --limit 5/m --limit-burst 5 -j DROP

If that does not work you will need to do something like this:

iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

Alternatively you could make a new chain and do something like this.

iptables -N NewChain
iptables -A INPUT -i eth0 -j NewChain
iptables -A NewChain -i eth0 -m limit --limit 5/m --limit-burst 5 -j RETURN
# Put any additional match limits you want here that you want to use the default below on.
iptables -A NewChain -j DROP

In this scenario you could have other limits that you wanted to apply between the 3rd and 4th line.  You pass (all) traffic to the NewChain chain of rules, and anything that is acceptable will be returned back to the INPUT chain and continue processing from there.  You will then have a default action of DROP in NewChain if the packets are not explicitly RETURNed.



Grant. . . . 

Andy Samuel wrote:

> Dear All
> 
> I have this rule:
> iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
> 
> When I tried to ping my Linux box from a Windows box:
> ping -t 192.168.12.1
> 
> The reply always comes in less than 1 ms.
> I'm actually expecting many timeouts because iptables would drop my
> packets, but the reply always comes in less than 1 ms and no timeouts
> at all.
> Am I expecting something wrong?
> 
> Thank you all in advance.
> Andy
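
Added example (not code from any post in this thread): a small token-bucket simulation of `-m limit`, written to check rday's token explanation and Grant's point that a lone ACCEPT rule drops nothing. It assumes one echo request per second, as `ping -t` sends, an INPUT policy of ACCEPT, and exact Fraction arithmetic rather than netfilter's own integer credit units.

```python
from fractions import Fraction

UNIT_SECONDS = {"s": 1, "second": 1, "m": 60, "minute": 60,
                "h": 3600, "hour": 3600, "d": 86400, "day": 86400}

def parse_limit(spec):
    """Turn an iptables --limit value such as '5/m' or '6/minute' into tokens per second."""
    count, unit = spec.split("/")
    return Fraction(int(count), UNIT_SECONDS[unit])

class LimitMatch:
    """Token-bucket model of `-m limit --limit R --limit-burst B` (constructed here,
    exact arithmetic with Fraction; not netfilter's xt_limit code)."""
    def __init__(self, limit, burst):
        self.rate = parse_limit(limit)      # tokens added per second
        self.burst = burst                  # bucket capacity, and its initial fill
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def matches(self, now):
        # Refill at the average rate for the time elapsed, capped at the burst size.
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:                # a matching packet costs one token
            self.tokens -= 1
            return True
        return False                        # over the limit: this rule does NOT match

def run_chain(rules, arrivals, policy="ACCEPT"):
    """Walk a chain of (match, target) rules for each packet arrival time in seconds.
    match=None is an unconditional rule; a packet matching no rule gets the chain policy."""
    verdicts = []
    for t in arrivals:
        verdict = policy
        for match, target in rules:
            if match is None or match.matches(Fraction(t)):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts

def ping_for_a_minute(with_drop_rule):
    """One echo request per second for 60 s, like `ping -t` from the Windows box."""
    rules = [(LimitMatch("5/m", 5), "ACCEPT")]  # the OP's rule
    if with_drop_rule:
        rules.append((None, "DROP"))             # the catch-all rule ASHISH and Grant add
    return run_chain(rules, range(60))

if __name__ == "__main__":
    alone, paired = ping_for_a_minute(False), ping_for_a_minute(True)
    print("limit rule alone, policy ACCEPT:", alone.count("ACCEPT"), "accepted of 60")
    print("limit rule + DROP:", paired.count("DROP"), "dropped; accepted at seconds",
          [t for t, v in enumerate(paired) if v == "ACCEPT"])
```

With the DROP rule in place the burst of 5 goes through in the first five seconds and then one packet every 12 seconds, which is the behaviour rday describes; without it every packet falls through to the ACCEPT policy, which is why the ping never times out.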


* Re: --limit 5/m doesn't work
  2005-03-23 18:26         ` ASHISH
@ 2005-03-23 18:57           ` Robert P. J. Day
  0 siblings, 0 replies; 8+ messages in thread
From: Robert P. J. Day @ 2005-03-23 18:57 UTC (permalink / raw)
  To: ASHISH; +Cc: netfilter

On Wed, 23 Mar 2005, ASHISH wrote:

> I believe that's true. Even I did check that through logging when I
> was about to present this to my students in a network security course.
> This is coarsely analogous to a tap that leaks into a bucket every
> fixed amount of time in order to fill it, but the bucket rejects the
> new drops when it is full.

and if you were a statistician, well, there'd be an "urn" and some
balls involved, wouldn't there?

rday

