
Re: DOS attack--Prob with iptables


Aro Sadoyan wrote:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j LOG --log-level debug --log-prefix "ICMP Oversize:"
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j REJECT #--reject-with icmp-host-prohibited
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -p icmp -f -j LOG --log-prefix "ICMP Fragment:"
iptables -A INPUT -p icmp -f -j REJECT

This is a good solution for filtering ICMP. I use it and it is working fine.
It allows only 3 pings per second, and the ICMP packet size is a maximum of 128.

Notes :
ICMP type "echo-request" instead of 8 is more explicit.

The -f flag will never match if connection tracking (ip_conntrack) is active (it is used by the nat table or the state match, for example), because connection tracking needs to reassemble fragments before the packet enters the iptables chains.

I would rather DROP unwanted ICMP packets instead of REJECT.

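As an added example, not part of the original thread or either poster's rules: the quoted rule set rewritten with the three notes applied (the ICMP type named as echo-request, DROP instead of REJECT, and a check for the connection-tracking condition under which -f never matches). The 128-byte cutoff and the 3/s budget are taken from the quoted rules; the explicit DROP after the rate-limited ACCEPT, the -m limit on the LOG rules, the conntrack check via /proc and the dry-run mode are this example's own assumptions.

```shell
#!/bin/sh
# Example ICMP echo-request filter (added illustration, not from the thread).
# Defaults mirror the quoted rules; both can be overridden from the environment.
MAX_PING_LEN="${MAX_PING_LEN:-128}"   # assumption: same 128-byte cutoff as the quoted rules
PING_RATE="${PING_RATE:-3/s}"         # assumption: same 3 per second budget

# Note 2 from the reply: with connection tracking loaded, the kernel reassembles
# fragments before INPUT sees the packet, so "-f" never matches. This check is
# an assumption of the example: it looks for the conntrack table that the
# nf_conntrack / ip_conntrack modules expose under /proc.
conntrack_loaded() {
    [ -e /proc/net/nf_conntrack ] || [ -e /proc/net/ip_conntrack ]
}

# Emit the rules through "$1" (iptables to load them, echo for a dry run).
icmp_rules() {
    ipt="${1:-iptables}"

    # Note 1: "echo-request" rather than the bare type number 8.
    # The length match compares the total IPv4 length (header + ICMP), so a
    # default Linux ping of 56 data bytes is 20 + 8 + 56 = 84 bytes and passes.
    # The -m limit on the LOG rule is added here so a flood cannot fill the log.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request \
        -m length --length "${MAX_PING_LEN}:65535" \
        -m limit --limit 5/min -j LOG --log-level debug --log-prefix "ICMP Oversize: "
    # Note 3: DROP the oversized request instead of answering with a REJECT.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request \
        -m length --length "${MAX_PING_LEN}:65535" -j DROP

    # Rate budget: ACCEPT up to PING_RATE echo-requests, then DROP the rest.
    # The quoted rules left the overflow to the chain policy; the explicit DROP
    # makes the "3 pings per second" behaviour independent of that policy.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -m limit --limit "$PING_RATE" -j ACCEPT
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Fragment rules: only effective when conntrack is not loaded (see above).
    "$ipt" -A INPUT -p icmp -f -m limit --limit 5/min -j LOG --log-prefix "ICMP Fragment: "
    "$ipt" -A INPUT -p icmp -f -j DROP
}

# Usage:  sh icmp-filter.sh           -> print the rules (dry run)
#         sh icmp-filter.sh --apply   -> load them with iptables (needs root)
if [ "${1:-}" = "--apply" ]; then
    conntrack_loaded && echo "warning: connection tracking is loaded; the -f rules will never match" >&2
    icmp_rules iptables
else
    icmp_rules echo
fi
```

The rules are appended to INPUT, so they only take effect if no earlier rule in the chain already accepts ICMP; the LOG lines show up in the kernel log under the given prefixes.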