DOS attack--Prob with iptables.pls reply urgent!!!!!

["Daniel Givens" <daniel@rugmonster.org>]

On 3/23/06, hetal gaglani <hetal.gaglani@gmail.com> wrote:
> after limiting the no of ping requests using the limit rule in
> iptables...

> i.e i want my server to limit the no of reply packets to 3 even if the
> -t option is given and the drop any icmp packets coming from the
> client.

Try this:
# iptables -A INPUT -p icmp -i <EXTERNALIF> -m limit --limit 3/hr
--limit-burst 3 -j ACCEPT
# iptables -A INPUT -p icmp -i <EXTERNALIF> -j DROP

Order matters, since iptables evaluates in a top down fashion. When
you are putting commands into iptables, they are stored in exactly
that order and the tests on incoming and/or outgoing packets are done
in that order. That is why the above works. It will accept the first
three icmp packets and drop the rest until an hour passes. For more on
limit and limit-burst, see here:

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html#toc4


> Another query:how to test this????

Ping the linux system. If the client is on the internal side of the
firewall and the ICMP rule is on the external side, then go to any of
the free web based ping tools. Here is one:

http://www.dnsstuff.com/

My ISP blocks ICMP. Obviously, you have a reason to want to block ICMP
so that isn't the case.

> also the ping of death attack which increases the size of packet to
> >65535....what shud be done to avoid ping of death attack...if u know
> any rule for the same pls let me know.

The ping of death has not been an issue for a long time. Unless you
system is running a kernel that is older than the early 2.4's, you
don't have to worry about this.

Regards,
Daniel