* limit extension problem
From: Michele Petrazzo - Unipex srl @ 2007-07-16 16:51 UTC
To: netfilter

Hi all,
I'm on debian etch with the default kernel (iptables 1.3.6 and 2.6.18).

I'm trying the limit extension, but the invert flag doesn't work like
the man page says:
"""
iptables -t filter -A FORWARD -m mark --mark 2 -p icmp --icmp-type 8 -m limit ! --limit 20/min -j ACCEPT
iptables v.1.3.6: limit does not support invert
"""
What I want is to "limit" the log for icmp protocol to 20/minute

What can I do?

Thanks,
Michele

* Re: limit extension problem
From: Franck Joncourt @ 2007-07-16 18:11 UTC
To: netfilter

On Mon, Jul 16, 2007 at 06:51:34PM +0200, Michele Petrazzo - Unipex srl wrote:
> Hi all,
> I'm on debian etch with the default kernel (iptables 1.3.6 and 2.6.18).
>
> I'm trying the limit extension, but the invert flag doesn't work like
> the man page says:
> """
> iptables -t filter -A FORWARD -m mark --mark 2 -p icmp --icmp-type 8 -m
> limit ! --limit 20/min -j ACCEPT
> iptables v.1.3.6: limit does not support invert
> """
> What I want is to "limit" the log for icmp protocol to 20/minute
>

Is that what you are looking for:

iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

* Re: limit extension problem
From: Michele Petrazzo - Unipex srl @ 2007-07-16 18:43 UTC
To: netfilter

Franck Joncourt wrote:
> Is that what you are looking for:
>
> iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT
> iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP

Not really.
I want to log only 20 pings forwarded in a minute.

Maybe I need to invert those lines? I think yes!

iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP
iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT

Michele

* Re: limit extension problem
From: Franck Joncourt @ 2007-07-17 18:25 UTC
To: netfilter

On Mon, Jul 16, 2007 at 08:43:00PM +0200, Michele Petrazzo - Unipex srl wrote:
> I want to log only 20 pings forwarded in a minute.
>
> iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP
> iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j
> ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 20/min -j LOG_ICMP

In your first email, I thought you wanted to accept all echo-request
without logging, but log other icmp types.

What you wrote will log all icmp types, and not only echo-request.

Why are you playing with _mark_ in your rules?

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
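
Added example, not part of the thread: a small Python model of the three rule orderings discussed above, showing which ICMP packets reach the rate-limited log rule. It assumes LOG_ICMP is a user-defined chain that logs and returns, the default --limit-burst of 5, and constructed traffic; the token bucket is a simplification, not the kernel's limit implementation.

```python
# Simplified model (added example): first-match rule traversal plus a
# token-bucket `limit` match. Not the kernel's xt_limit implementation.
ECHO_REQUEST, ECHO_REPLY = 8, 0

class Limit:
    def __init__(self, per_minute, burst=5):   # 5 is the default --limit-burst
        self.cost = 60 // per_minute            # seconds of credit per match
        self.cap = burst * self.cost
        self.credit, self.last = self.cap, 0

    def match(self, now):
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit < self.cost:
            return False
        self.credit -= self.cost
        return True

def logged(rules, packets):
    """Return the ICMP types that reach LOG_ICMP. Each rule is
    (icmp_type or None, mark or None, Limit or None, target)."""
    out = []
    for now, icmp_type, mark in packets:
        for want_type, want_mark, limit, target in rules:
            if want_type is not None and want_type != icmp_type:
                continue
            if want_mark is not None and want_mark != mark:
                continue
            if limit is not None and not limit.match(now):
                continue              # limit is only consulted after earlier matches pass
            if target == "ACCEPT":
                break                 # terminating target: traversal stops
            out.append(icmp_type)     # LOG_ICMP assumed to log and return
    return out

# Constructed traffic: one echo-reply and one marked echo-request per second.
PACKETS = [p for t in range(60) for p in ((t, ECHO_REPLY, 0), (t, ECHO_REQUEST, 2))]
ACCEPT = (ECHO_REQUEST, 2, None, "ACCEPT")

def rulesets():
    return {
        "accept_first": [ACCEPT, (None, None, Limit(20), "LOG_ICMP")],
        "log_any_icmp_first": [(None, None, Limit(20), "LOG_ICMP"), ACCEPT],
        "log_echo_request_first": [(ECHO_REQUEST, None, Limit(20), "LOG_ICMP"), ACCEPT],
    }

def summary():
    return {name: (log.count(ECHO_REQUEST), log.count(ECHO_REPLY))
            for name, rules in rulesets().items()
            for log in [logged(rules, PACKETS)]}

if __name__ == "__main__":
    for name, (req, rep) in summary().items():
        print(f"{name:24} echo-request logged={req:2} echo-reply logged={rep:2}")
```

On this trace, the ACCEPT-first ordering logs no echo-requests, the unrestricted log rule spends nearly all of its budget on echo-replies, and the rule restricted to echo-request logs 24 of the 60 requests.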