* limit extension problem
@ 2007-07-16 16:51 Michele Petrazzo - Unipex srl
  2007-07-16 18:11 ` Franck Joncourt
  0 siblings, 1 reply; 4+ messages in thread
From: Michele Petrazzo - Unipex srl @ 2007-07-16 16:51 UTC (permalink / raw)
  To: netfilter

Hi all,
I'm on debian etch with the default kernel (iptables 1.3.6 and 2.6.18).

I'm trying the limit extension, but the invert flag doesn't work like
the man page says:
"""
iptables -t filter -A FORWARD -m mark --mark 2 -p icmp --icmp-type 8 -m limit ! --limit 20/min -j ACCEPT
iptables v.1.3.6: limit does not support invert
"""
What I want is to "limit" the log for icmp protocol to 20/minute.

What can I do?

Thanks,
Michele



* Re: limit extension problem
  2007-07-16 16:51 limit extension problem Michele Petrazzo - Unipex srl
@ 2007-07-16 18:11 ` Franck Joncourt
  2007-07-16 18:43   ` Michele Petrazzo - Unipex srl
  0 siblings, 1 reply; 4+ messages in thread
From: Franck Joncourt @ 2007-07-16 18:11 UTC (permalink / raw)
  To: netfilter


On Mon, Jul 16, 2007 at 06:51:34PM +0200, Michele Petrazzo - Unipex srl wrote:
> Hi all,
> I'm on debian etch with the default kernel (iptables 1.3.6 and 2.6.18).
>
> I'm trying the limit extension, but the invert flag doesn't work like
> the man page says:
> """
> iptables -t filter -A FORWARD -m mark --mark 2 -p icmp --icmp-type 8 -m limit ! --limit 20/min -j ACCEPT
> iptables v.1.3.6: limit does not support invert
> """
> What I want is to "limit" the log for icmp protocol to 20/minute.
>

Is that what you are looking for:

iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE


* Re: limit extension problem
  2007-07-16 18:11 ` Franck Joncourt
@ 2007-07-16 18:43   ` Michele Petrazzo - Unipex srl
  2007-07-17 18:25     ` Franck Joncourt
  0 siblings, 1 reply; 4+ messages in thread
From: Michele Petrazzo - Unipex srl @ 2007-07-16 18:43 UTC (permalink / raw)
  To: netfilter


Franck Joncourt wrote:
> Is that what you are looking for:
> 
> iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT
> iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP

Not really.
I want to log only 20 pings forwarded per minute. Maybe I need to
invert those lines? I think yes!

iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP
iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT

Michele


* Re: limit extension problem
  2007-07-16 18:43   ` Michele Petrazzo - Unipex srl
@ 2007-07-17 18:25     ` Franck Joncourt
  0 siblings, 0 replies; 4+ messages in thread
From: Franck Joncourt @ 2007-07-17 18:25 UTC (permalink / raw)
  To: netfilter


On Mon, Jul 16, 2007 at 08:43:00PM +0200, Michele Petrazzo - Unipex srl wrote:

> I want to log only 20 pings forwarded per minute.
>
> iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP
> iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request \
		-m limit --limit 20/min -j LOG_ICMP

In your first email, I thought you wanted to accept all echo-request
without logging, but log other icmp types.

What you wrote will log all icmp types, and not only echo-request.

Why are you playing with _mark_ in your rules?

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
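
The three rule orderings discussed in this thread, modelled as an added example (not code from either poster or from netfilter). It assumes the default `--limit-burst` of 5, that `LOG_ICMP` is a user-defined chain that logs and returns, and a constructed one-minute traffic sample; the function names are hypothetical.

```python
# Added model of the "limit" match and rule order; not code from the thread.
# Assumed: default --limit-burst 5; LOG_ICMP logs and returns (non-terminating).
from collections import Counter

ECHO, UNREACH = "echo-request", "destination-unreachable"

class Limit:
    """Token bucket in integer ms: starts full, each match spends `cost`."""
    def __init__(self, per_min, burst=5):
        self.cost = 60_000 // per_min
        self.cap = self.cost * burst
        self.credit, self.last = self.cap, 0

    def match(self, now_ms):
        self.credit = min(self.cap, self.credit + now_ms - self.last)
        self.last = now_ms
        if self.credit < self.cost:
            return False
        self.credit -= self.cost
        return True

# Rule = (icmp_type or None, mark or None, Limit or None, target)
def franck_first():     # ACCEPT first: marked pings never reach the log rule
    return [(ECHO, 2, None, "ACCEPT"), (None, None, Limit(20), "LOG_ICMP")]
def michele_swapped():  # LOG first: all ICMP types share one 20/min budget
    return [(None, None, Limit(20), "LOG_ICMP"), (ECHO, 2, None, "ACCEPT")]
def franck_final():     # only echo-request is rate-limited and logged
    return [(ECHO, None, Limit(20), "LOG_ICMP")]

# Constructed traffic: for 60 s, one marked ping and one unreachable per second.
TRAFFIC = [p for s in range(60)
           for p in ((s * 1000, ECHO, 2), (s * 1000 + 500, UNREACH, 0))]

def simulate(rules):
    """Return (Counter of logged ICMP types, number of accepted packets)."""
    logged, accepted = Counter(), 0
    for now, itype, mark in TRAFFIC:
        for want_type, want_mark, limit, target in rules:
            if want_type not in (None, itype) or want_mark not in (None, mark):
                continue
            if limit is not None and not limit.match(now):
                continue
            if target == "ACCEPT":   # terminating target ends traversal
                accepted += 1
                break
            logged[itype] += 1       # LOG_ICMP returned; keep evaluating
    return logged, accepted

if __name__ == "__main__":
    print({b.__name__: simulate(b()) for b in (franck_first, michele_swapped, franck_final)})
```

With this traffic each rule set logs 24 packets in the first minute (the burst of 5 plus the 20/min refill), so the orderings differ only in which ICMP types consume that budget.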
