* limit module not working with drop policy
@ 2010-01-22  3:24 J. Bakshi
  2010-01-22  8:03 ` Remzi AKYÜZ
  2010-01-23  9:45 ` Mart Frauenlob
  0 siblings, 2 replies; 7+ messages in thread
From: J. Bakshi @ 2010-01-22  3:24 UTC (permalink / raw)
  To: netfilter

Dear list,

My firewall policy is default drop.  But the limit module is not working
here. I have the following rules to defeat ping floods

``````````
iptables -A INPUT  -p icmp -m limit --limit 3/minute -j ACCEPT
iptables -A INPUT  -p icmp -j DROP
``````````````````
and it is not working. The same rule set is working with default accept
policy.  What modification do I need to make it work with a drop-policy
firewall?

Thanks



-- 
জয়দীপ বক্সী



* Re: limit module not working with drop policy
  2010-01-22  3:24 limit module not working with drop policy J. Bakshi
@ 2010-01-22  8:03 ` Remzi AKYÜZ
  2010-01-23  9:45 ` Mart Frauenlob
  1 sibling, 0 replies; 7+ messages in thread
From: Remzi AKYÜZ @ 2010-01-22  8:03 UTC (permalink / raw)
  To: J. Bakshi; +Cc: netfilter

Hello,
can you send
the output of iptables-save?

J. Bakshi wrote:
> Dear list,
>
> My firewall policy is default drop.  But the limit module is not working
> here. I have the following rules to defeat ping flood
>
> ``````````
> iptables -A INPUT  -p icmp -m limit --limit 3/minute -j ACCEPT
> iptables -A INPUT  -p icmp -j DROP
> ``````````````````
> and it is not working. The same rule set is working with default accept
> policy.  What modification should I need to make it working with drop
> policy firewall ?
>
> Thanks
>
>
>
>   



* Re: limit module not working with drop policy
       [not found] <4B595E9A.8090800@infoservices.in>
@ 2010-01-23  7:02 ` J. Bakshi
  0 siblings, 0 replies; 7+ messages in thread
From: J. Bakshi @ 2010-01-23  7:02 UTC (permalink / raw)
  To: Remzi AKYÜZ, netfilter

> 
> Hello,
> can you send
> output of the iptables-save?

Hello,
Thanks for your kind attention. Here is the output of iptables-save and the rule sets

```````````````````
#iptables-save

# Generated by iptables-save v1.4.6 on Sat Jan 23 12:26:49 2010
*mangle
:PREROUTING ACCEPT [2:168]
:INPUT ACCEPT [2:168]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:168]
:POSTROUTING ACCEPT [2:168]
COMMIT
# Completed on Sat Jan 23 12:26:49 2010
# Generated by iptables-save v1.4.6 on Sat Jan 23 12:26:49 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:84]
:OUTPUT ACCEPT [1:84]
COMMIT
# Completed on Sat Jan 23 12:26:49 2010
# Generated by iptables-save v1.4.6 on Sat Jan 23 12:26:49 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan 23 12:26:49 2010
``````````````
and here is the script

````````````````
#!/bin/bash
# echo -e and the colour escapes below need bash; run as root
IFACE=eth0
## Flush all
iptables -F
iptables -X

# Reset the iptables counters
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z

## set policy
echo -e "\E[33;1m Setting default INPUT/FORWARD/OUTPUT policy to DROP"

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo -e "\E[33;1mAllow unlimited traffic on the loopback interface"
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo -e "\E[33;1mAllow already established and related"
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT

echo -e "\E[33;1mMake sure NEW tcp connections are SYN packets"
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

echo -e "\E[33;1mActivating user rules"
# ICMP
#Enabling ping so that I can check from outside, but limiting the ping 3/min
iptables -A INPUT  -p icmp --icmp-type echo-request  -m limit --limit 3/minute -j ACCEPT

# Disable ICMP for others
iptables -A INPUT -i $IFACE -p icmp -j DROP
````````````````````````````
> 
> J. Bakshi wrote:
> > Dear list,
> >
> > My firewall policy is default drop.  But the limit module is not
> > working here. I have the following rules to defeat ping flood
> >
> > ``````````
> > iptables -A INPUT  -p icmp -m limit --limit 3/minute -j ACCEPT
> > iptables -A INPUT  -p icmp -j DROP
> > ``````````````````
> > and it is not working. The same rule set is working with default
> > accept policy.  What modification should I need to make it working
> > with drop policy firewall ?
> >
> > Thanks


* Re: limit module not working with drop policy
  2010-01-22  3:24 limit module not working with drop policy J. Bakshi
  2010-01-22  8:03 ` Remzi AKYÜZ
@ 2010-01-23  9:45 ` Mart Frauenlob
  2010-01-24  6:41   ` J. Bakshi
  1 sibling, 1 reply; 7+ messages in thread
From: Mart Frauenlob @ 2010-01-23  9:45 UTC (permalink / raw)
  To: netfilter

On 22.01.2010 04:25, netfilter-owner@vger.kernel.org wrote:
> Dear list,
> 
> My firewall policy is default drop.  But the limit module is not working
> here. I have the following rules to defeat ping flood
> 
> ``````````
> iptables -A INPUT  -p icmp -m limit --limit 3/minute -j ACCEPT
> iptables -A INPUT  -p icmp -j DROP
> ``````````````````
> and it is not working. The same rule set is working with default accept
> policy.  What modification should I need to make it working with drop
> policy firewall ?
> 
> Thanks
> 

> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min -j ACCEPT
> -A INPUT -i eth0 -p icmp -j DROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Sat Jan 23 12:26:49 2010


Hello,

Actually you should not need that '-A INPUT -i eth0 -p icmp -j DROP'
rule, as the DROP policy should catch it.
As I've been reading complaints about the limit match being broken for
years, I suggest trying the 'hashlimit' match (maybe without the
--hashlimit-mode option).


best regards

Mart



* Re: limit module not working with drop policy
  2010-01-23  9:45 ` Mart Frauenlob
@ 2010-01-24  6:41   ` J. Bakshi
  2010-01-24 10:27     ` Mart Frauenlob
  0 siblings, 1 reply; 7+ messages in thread
From: J. Bakshi @ 2010-01-24  6:41 UTC (permalink / raw)
  To: netfilter

On Sat, 23 Jan 2010 10:45:56 +0100
Mart Frauenlob <mart.frauenlob@chello.at> wrote:

> On 22.01.2010 04:25, netfilter-owner@vger.kernel.org wrote:
> > Dear list,
> > 
> > My firewall policy is default drop.  But the limit module is not
> > working here. I have the following rules to defeat ping flood
> > 
> > ``````````
> > iptables -A INPUT  -p icmp -m limit --limit 3/minute -j ACCEPT
> > iptables -A INPUT  -p icmp -j DROP
> > ``````````````````
> > and it is not working. The same rule set is working with default
> > accept policy.  What modification should I need to make it working
> > with drop policy firewall ?
> > 
> > Thanks
> > 
> 
> > *filter
> > :INPUT DROP [0:0]
> > :FORWARD DROP [0:0]
> > :OUTPUT DROP [0:0]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
> > -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min -j ACCEPT
> > -A INPUT -i eth0 -p icmp -j DROP
> > -A OUTPUT -o lo -j ACCEPT
> > -A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > COMMIT
> > # Completed on Sat Jan 23 12:26:49 2010
> 
> 
> Hello,
> 
> Actually you should not need that '-A INPUT -i eth0 -p icmp -j DROP'
> rule, as the DROP policy should catch it.
> As i've been reading complains about the limit match being broken for
> years, i suggest trying the 'hashlimit' match (maybe without the
> --hashlimit-mode option).
> 

Hello Mart,

Thanks for your suggestion and hint. Now I have modified the rule set as

` ` `
iptables -A INPUT  -p icmp  --icmp-type echo-request -m hashlimit \
--hashlimit 3/minute --hashlimit-name secureping -j ACCEPT
` ` `

but no luck yet :-( Is there anything wrong in my config ?

with regards


* Re: limit module not working with drop policy
  2010-01-24  6:41   ` J. Bakshi
@ 2010-01-24 10:27     ` Mart Frauenlob
  2010-01-24 15:23       ` J. Bakshi
  0 siblings, 1 reply; 7+ messages in thread
From: Mart Frauenlob @ 2010-01-24 10:27 UTC (permalink / raw)
  To: netfilter

On 24.01.2010 07:50, netfilter-owner@vger.kernel.org wrote:
> On Sat, 23 Jan 2010 10:45:56 +0100
> Mart Frauenlob <mart.frauenlob@chello.at> wrote:
> 
>> On 22.01.2010 04:25, netfilter-owner@vger.kernel.org wrote:
>>> Dear list,
>>>
>>> My firewall policy is default drop.  But the limit module is not
>>> working here. I have the following rules to defeat ping flood
>>>
>>> ``````````
>>> iptables -A INPUT  -p icmp -m limit --limit 3/minute -j ACCEPT
>>> iptables -A INPUT  -p icmp -j DROP
>>> ``````````````````
>>> and it is not working. The same rule set is working with default
>>> accept policy.  What modification should I need to make it working
>>> with drop policy firewall ?
>>>

>> Actually you should not need that '-A INPUT -i eth0 -p icmp -j DROP'
>> rule, as the DROP policy should catch it.
>> As i've been reading complains about the limit match being broken for
>> years, i suggest trying the 'hashlimit' match (maybe without the
>> --hashlimit-mode option).
>>
>
> Thanks for your suggestion and hint. Now I have modified the rule set as
> 
> ` ` `
> iptables -A INPUT  -p icmp  --icmp-type echo-request -m hashlimit \
> --hashlimit 3/minute --hashlimit-name secureping -j ACCEPT
> ` ` `
> 
> but no luck yet :-( Is there anything wrong in my config ?

What exactly are the error symptoms? What is not working?
Please provide more information like kernel, iptables version.
You could place LOG rules and/or TRACE rules to provide more information
on what's going on.

Best regards


Mart


* Re: limit module not working with drop policy
  2010-01-24 10:27     ` Mart Frauenlob
@ 2010-01-24 15:23       ` J. Bakshi
  0 siblings, 0 replies; 7+ messages in thread
From: J. Bakshi @ 2010-01-24 15:23 UTC (permalink / raw)
  To: netfilter

On Sun, 24 Jan 2010 11:27:27 +0100
Mart Frauenlob <mart.frauenlob@chello.at> wrote:


> > Thanks for your suggestion and hint. Now I have modified the rule
> > set as
> > 
> > ` ` `
> > iptables -A INPUT  -p icmp  --icmp-type echo-request -m hashlimit \
> > --hashlimit 3/minute --hashlimit-name secureping -j ACCEPT
> > ` ` `
> > 
> > but no luck yet :-( Is there anything wrong in my config ?
> 
> What exactly are the error symptoms? What is not working?
> Please provide more information like kernel, iptables version.
> You could place LOG rules and/or TRACE rules to provide more
> information on what's going on.
> 

The limit or hashlimit should protect my system by allowing only three ping requests per minute (as -m hashlimit --hashlimit 3/minute, or the same config by limit). I saw it working before in Debian lenny. I have upgraded my box to Debian squeeze now and found the ping protection is not working at all. If I ping my box from outside, my box responds to the ping every second !!!
So the ping protection is not working any more now :-( Just as a reminder, my firewall is default DROP and I have already posted iptables-save. Kindly ask me if you need any more information.

kernel version 2.6.31
iptables v1.4.6
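The thread ends without a diagnosis, so here is an editor's example, not part of the list discussion and not kernel or netfilter code: a small Python model of the INPUT chain from the iptables-save above. It models xt_limit as the token bucket it is (credit accrues with wall-clock time, each matched packet costs one inter-token interval, the bucket holds `--limit-burst` packets, default 5, and starts full) and models conntrack's ICMP echo tracking, which keys the entry on (src, dst, icmp id) and reports the entry as ESTABLISHED once the reply direction has been seen. Because every echo-request from one ping process carries the same id, the `--state RELATED,ESTABLISHED -j ACCEPT` rule that sits above the limit rule accepts every request after the first one before the limit rule is consulted, which is consistent with the "responds every second" symptom reported above. The addresses, the ICMP id and the one-request-per-second stream are constructed sample values; interfaces, the TCP rule and hashlimit are left out of the model.

```python
"""Constructed model of the INPUT chain posted in this thread (not kernel code).

Modelled, in simplified form:
  * xt_limit: a token bucket whose credit is measured in milliseconds; one
    packet costs one inter-token interval, the bucket holds `burst` packets
    (iptables' default --limit-burst is 5) and starts full;
  * conntrack for ICMP echo: an entry keyed on (src, dst, icmp id) that is
    reported as ESTABLISHED once the reply direction has been seen.
Interfaces, the TCP rule and hashlimit are left out.
"""

SRC, DST, ICMP_ID = "192.0.2.10", "192.0.2.1", 0x1234   # constructed sample values


class LimitMatch:
    """Behaves like `-m limit --limit <per_minute>/minute --limit-burst <burst>`."""

    def __init__(self, per_minute, burst=5):
        self.cost = 60_000 // per_minute   # credit (ms) consumed per matched packet
        self.cap = burst * self.cost       # credit never accrues beyond this
        self.credit = self.cap             # bucket starts full
        self.last_ms = 0

    def match(self, now_ms):
        # credit accrues with wall-clock time, whether or not packets match
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


class Conntrack:
    """Minimal ICMP echo tracking: NEW until our echo-reply has been seen."""

    def __init__(self):
        self.seen_reply = {}   # (src, dst, id) -> reply direction seen?

    def key(self, pkt):
        return (pkt["src"], pkt["dst"], pkt["id"])

    def state(self, pkt):
        if self.key(pkt) not in self.seen_reply:
            return "NEW"
        return "ESTABLISHED" if self.seen_reply[self.key(pkt)] else "NEW"

    def confirm(self, pkt):          # accepted packet: the entry is created
        self.seen_reply.setdefault(self.key(pkt), False)

    def reply_sent(self, pkt):       # host answered: reply direction seen
        self.seen_reply[self.key(pkt)] = True


def is_echo_request(pkt):
    return pkt["proto"] == "icmp" and pkt["type"] == 8


def chain_as_posted(burst=5):
    """Rule order from the iptables-save: state rule above the limit rule."""
    lim = LimitMatch(3, burst)
    return [
        (lambda p, ct, t: ct.state(p) in ("ESTABLISHED", "RELATED"), "ACCEPT"),
        (lambda p, ct, t: is_echo_request(p) and lim.match(t), "ACCEPT"),
        (lambda p, ct, t: p["proto"] == "icmp", "DROP"),
    ]


def chain_limit_first(burst=5):
    """Same rules, but ICMP is decided before the state rule is reached."""
    lim = LimitMatch(3, burst)
    return [
        (lambda p, ct, t: is_echo_request(p) and lim.match(t), "ACCEPT"),
        (lambda p, ct, t: p["proto"] == "icmp", "DROP"),
        (lambda p, ct, t: ct.state(p) in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ]


def run_chain(rules, pkt, ct, now_ms, policy="DROP"):
    """First matching rule wins; the chain policy applies otherwise."""
    for matches, verdict in rules:
        if matches(pkt, ct, now_ms):
            return verdict
    return policy


def simulate(rules, packets=60, period_ms=1000):
    """Feed one echo-request per second from a single ping process and return
    the indices (seconds) of the requests the chain accepted."""
    ct = Conntrack()
    accepted = []
    for i in range(packets):
        pkt = {"src": SRC, "dst": DST, "proto": "icmp", "type": 8, "id": ICMP_ID}
        if run_chain(rules, pkt, ct, i * period_ms) == "ACCEPT":
            ct.confirm(pkt)
            accepted.append(i)
            ct.reply_sent(pkt)   # the host answers every request it accepts
    return accepted


if __name__ == "__main__":
    print("as posted:        ", len(simulate(chain_as_posted())), "of 60 answered")
    print("limit first:      ", simulate(chain_limit_first()))
    print("limit first, b=1: ", simulate(chain_limit_first(burst=1)))
```

Run as a script, the chain as posted answers all 60 requests, while the reordered chain answers 7 (the burst of 5, then one every 20 s) and with `--limit-burst 1` exactly 3 per minute. If the real box behaves like the model, the iptables-level fix is to put the echo-request limit and drop rules above the `--state RELATED,ESTABLISHED` rule, or to exclude ICMP from that rule with `! -p icmp`. A LOG rule with a distinctive `--log-prefix` placed directly above the limit rule, along the lines Mart suggests, shows whether echo-requests reach that point at all after the first reply.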

