Restricting ICMP using iptables

Question

I have the following rule,which i believe will restrict icmp packets to 1/s.

:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:988]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -s 11.x.x.71/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.65/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.x.x.66/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

But when i ping this host with "ping -i .001 " all the packets are reaching this machine and on

iptables-nvL DROP counter is not incrementing.Whats wrong with this rule

-i .001 seems to be an invalid interval, how are you able to do that? — lamp_scaler, Apr 01 '13 at 09:02
ping -i .0001 destination,i can see more packets are being transmitted. — krypto, Apr 01 '13 at 09:07
my system spits out: "ping: -i interval too short: Operation not permitted" when trying to do that. — lamp_scaler, Apr 01 '13 at 09:08
You say the `DROP` counter is not incrementing. Is the counter on the `RELATED,ESTABLISHED` ACCEPT incrementing? — MadHatter, Apr 01 '13 at 09:22
Yes DROP counter is not incrementing,but State counter is incrementing.but if i remove state rule everything will work as expected but then i have to manually ACCEPT each ip. — krypto, Apr 01 '13 at 09:33
@MadHatter changing state to ESTABLISHED didnt change anything. — krypto, Apr 01 '13 at 10:21
No, Iain's answer explains better what's going on (and, I think, is the simplest possible fix). — MadHatter, Apr 01 '13 at 10:43

score 1 · Answer 1 · answered Apr 01 '13 at 09:45

I think you need to add an explicit DROP rule for ICMP after your rate limiting rule

-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP

This is because subsequent packets are considered ESTABLISHED and your later rule

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

allows them before they get dropped by the policy.

score 1 · Accepted Answer · answered Apr 01 '13 at 09:47

The issue here is that you accept one packet (which implicitly is state NEW and then attempt to apply a limit rule. The limit probably does work however the RELATED,ESTABLISHED rule later down the line will probably mess things up for you.

You have two options:

Set the related and established rule on a per-protocol basis.
Make ICMP traffic of that type not trackable by state tracking.

Given the tables are there right now...

Set the related and established rule on a per-protocol basis.

iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m udp -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

Make ICMP traffic of that type not trackable by state tracking.

iptables -t raw -I PREROUTING -m icmp -p icmp --icmp-type any -j NOTRACK

The iptables state engine isn't TCP-sequence-number based, it infers state from synchronicity. — MadHatter, Apr 01 '13 at 10:15

Restricting ICMP using iptables

2 Answers2