Hello,
Aro Sadoyan wrote:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j LOG --log-level debug --log-prefix "ICMP Oversize:"
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j REJECT #--reject-with icmp-host-prohibited
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -p icmp -f -j LOG --log-prefix "ICMP Fragment:"
iptables -A INPUT -p icmp -f -j REJECT
This is a good solution for filtering ICMP. I use it and it is working fine.
It allows only 3 pings per second, and the maximum ICMP packet size is 128.
Notes:
ICMP type "echo-request" instead of 8 is more explicit.
The -f flag will never match if connection tracking (ip_conntrack) is
active (used by the nat table or state match for example) because the
connection tracking needs to reassemble fragments before the packet
enters the iptables chains.
I would rather DROP unwanted ICMP packets instead of REJECT.
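The quoted rule set with the three notes above applied, as an added example that is not part of either message: "echo-request" replaces the numeric type, DROP replaces REJECT, and the -f rules are only installed when connection tracking is absent, since they can never match once conntrack reassembles fragments. The function name, the rate limit on the LOG targets and the final DROP for echo requests above the 3/s limit are this example's assumptions, not the original poster's rules.

```shell
#!/bin/sh
# Added example, not the thread's own rules.
# $1 is the iptables command to run; pass "echo" for a dry run that only
# prints the rules that would be installed.
icmp_rules() {
    ipt="${1:-iptables}"

    # Oversized echo requests (total length >= 128 bytes): log them, with
    # the LOG target itself rate-limited so a flood cannot fill syslog,
    # then drop silently instead of answering with a REJECT.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -m length --length 128:65535 \
        -m limit --limit 1/s -j LOG --log-level debug --log-prefix "ICMP Oversize: "
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP

    # Accept at most 3 echo requests per second; the explicit DROP that
    # follows means excess pings do not depend on the chain's default policy.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -j DROP

    # With conntrack loaded the kernel reassembles fragments before the
    # filter table sees them, so -f would be dead code: skip it in that case.
    if conntrack_active; then
        echo "# conntrack active: skipping -f rules (they would never match)" >&2
    else
        "$ipt" -A INPUT -p icmp -f -m limit --limit 1/s -j LOG --log-prefix "ICMP Fragment: "
        "$ipt" -A INPUT -p icmp -f -j DROP
    fi
}

# True when connection tracking is loaded: either the old ip_conntrack or
# the current nf_conntrack proc interface exists.
conntrack_active() {
    [ -e /proc/net/nf_conntrack ] || [ -e /proc/net/ip_conntrack ]
}

# Install for real only when invoked as: sh icmp_rules.sh apply
if [ "${1:-}" = "apply" ]; then
    icmp_rules iptables
fi
```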