
I am trying to block ICMP pings from a server if the packet count is greater than 2 per second (packet count reduced for testing). I tried these two rules separately, but they don't seem to help:

iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT --match limit --limit 2/s --limit-burst 2

What's wrong with these rules?

I am pinging from another server using the command below, but the ping continues to get replies:

ping -n -i 0.2 192.168.2.86

Also, when I check the `iptables -nvL` output, the packet count for the rule is not increasing...

Machine used is CentOS 6.8.

Some progress: I added a default drop rule at the end of the table:

iptables -A INPUT -p icmp -m icmp -j DROP

and then adding this rule dropped pings that exceeded the limit:

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/second -j ACCEPT -m comment --comment "icmprule1"

I am still not able to block the server completely.

  • wild guess: does the packet match an earlier rule? – Andreas Rogge Mar 09 '18 at 16:17
  • I have done an `iptables -F` before testing any of these rules separately – Aditya Pednekar Mar 09 '18 at 16:18
  • For clarification: you want to completely block ICMP from a server which exceeds (in this example) 2/s, or do you want to block _everything_ from this server if ICMP exceeds 2/s or do you want to block ICMP if it exceeds 2/s and accept the rest? – Lenniey Mar 09 '18 at 17:07
  • Just want to block ICMP for now if the ICMP limit exceeds 2/s. If you can give a solution to block all requests for an IP exceeding the 2/s limit then this will be a bonus answer, since this is what my final plan is (i.e. FINAL PLAN: to block all requests from an IP for an hour if the request count exceeds 2/s, using iptables). But for now ICMP blocking should suffice, as I can implement the latter. – Aditya Pednekar Mar 09 '18 at 17:12
  • take a look at my update below. – tonioc Mar 10 '18 at 09:04

1 Answer


Here it goes, adding a secondary ICMPSCAN chain (and putting the jump rule in first position of the INPUT chain):

iptables -N ICMPSCAN
iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ICMPSCAN
iptables -A ICMPSCAN -m recent --set --name badicmp --rsource     # record/refresh the source address first
iptables -A ICMPSCAN -m recent --update --seconds 1 --hitcount 2 --name badicmp --rsource -j DROP   # --update only matches addresses already recorded by --set

Note: both set/update rules could be put in INPUT instead, without the secondary chain, but I prefer to put such rules in distinct chains.

Note 2: an additional rule after --set could be added to log the event...

Dynamic blacklisting:

Now, to add a permanent dynamic blacklist based on the recent hitcount trigger, we can take advantage of the ipset feature. ipset is available for CentOS 6.x, and iptables is ipset-aware, but you may need to install it first.

Here are the iptables/ipset rules to match your need:

iptables -N ICMPSCAN 2>/dev/null    # no-op if the chain already exists from the first version
iptables -F ICMPSCAN                # clear the first version's rules before adding the new ones
ipset -N banned_hosts iphash        # ipset 6 spelling of the same thing: ipset create banned_hosts hash:ip
iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ICMPSCAN   # skip if the first version's jump rule is still in INPUT
iptables -A ICMPSCAN -m recent --set --name badicmp --rsource
iptables -A ICMPSCAN -m recent --update --seconds 1 --hitcount 2 --name badicmp --rsource -j SET --add-set banned_hosts src
iptables -A ICMPSCAN -m set --set banned_hosts src -j DROP   # newer iptables spells this option --match-set

You can list the current contents of the banned list using ipset list, for example:

# ipset list banned_hosts
Name: banned_hosts
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8284
References: 2
Members:
192.168.122.1

and manage the set, for example to remove an IP address:

# ipset del banned_hosts 192.168.122.1

See also this page: http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset

tonioc
  • This is almost exactly what I wanted, it stops the ICMP requests, though if I rerun the ping command at a normal request rate the ping starts again. Is there a way iptables can block the pings permanently (or maybe add to a blacklist) for this server? Upvoting your answer for now and I'll wait/work on a permanent block solution. If things can't go that way, I'll accept your answer and add logging to the rules and then maybe write a script to parse the logs and block the IP permanently. – Aditya Pednekar Mar 09 '18 at 18:18
  • updated my answer to match this. – tonioc Mar 10 '18 at 05:12
  • You may combine logging with fail2ban to achieve a long-term blocking. – Ondřej Xicht Světlík Mar 10 '18 at 07:27
  • THIS IS PERFECT!! @tonioc tried and tested. Thank you – Aditya Pednekar Mar 10 '18 at 11:22
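The rules from the question and from the answer above, collected into one script that also does what the question's "final plan" asks for: once a source exceeds the echo-request threshold it is banned for all protocols, not only ICMP, and the ban expires after an hour. This is an added example, not code from the question, the answer or the CentOS project. The chain and set names `ICMPSCAN`, `badicmp` and `banned_hosts` come from the answer; the `install_icmp_ban` function, its arguments, the `apply` argument and the `IPT`/`IPSET` variables are assumptions of this example. Running it for real needs root, the `ipset` package and a kernel with `xt_recent`/`xt_set`; setting `IPT=echo IPSET=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the question's or the answer's own code): per-source ICMP
# echo-request rate trigger with xt_recent, offenders banned in an ipset that
# carries a timeout, and the ban applied to every protocol.
# Assumed knobs: point IPT / IPSET at "echo" for a dry run.
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}

# install_icmp_ban HITS WINDOW BAN_SECONDS
#   HITS        echo-requests within WINDOW seconds (current packet included) that trigger a ban
#   WINDOW      length of the window in seconds
#   BAN_SECONDS how long the source stays in banned_hosts (0 = until removed by hand)
install_icmp_ban() {
    hits=${1:-2}; window=${2:-1}; ban=${3:-3600}

    # xt_recent keeps at most ip_pkt_list_tot (module default 20) timestamps per
    # address; a --hitcount above that can never match, so refuse it loudly.
    if [ "$hits" -gt 20 ]; then
        echo "hitcount $hits exceeds the xt_recent ip_pkt_list_tot default of 20" >&2
        return 1
    fi

    # The set gets a default timeout, so entries expire on their own ("block for
    # an hour"). -exist makes re-running the script harmless.
    $IPSET create banned_hosts hash:ip timeout "$ban" -exist

    # Fresh ICMPSCAN chain: create if missing, then flush whatever was there.
    $IPT -N ICMPSCAN 2>/dev/null || true
    $IPT -F ICMPSCAN

    # 1. Banned sources are dropped for ALL protocols, before anything else in
    #    INPUT. Delete-then-insert keeps the rule unique across re-runs.
    #    (iptables older than 1.4.x spells --match-set as --set.)
    $IPT -D INPUT -m set --match-set banned_hosts src -j DROP 2>/dev/null || true
    $IPT -I INPUT 1 -m set --match-set banned_hosts src -j DROP

    # 2. Only echo-requests go to the scanner chain, right after the ban rule.
    $IPT -D INPUT -p icmp --icmp-type echo-request -j ICMPSCAN 2>/dev/null || true
    $IPT -I INPUT 2 -p icmp --icmp-type echo-request -j ICMPSCAN

    # 3. Record the source, then ban it once HITS requests arrive within WINDOW.
    #    --set must come first: --update only matches addresses already in the
    #    list, which is why a lone --update rule (as in the question) never counts.
    #    Pings that stay under the threshold fall through to the rest of INPUT.
    $IPT -A ICMPSCAN -m recent --set --name badicmp --rsource
    $IPT -A ICMPSCAN -m recent --update --seconds "$window" --hitcount "$hits" \
        --name badicmp --rsource -j SET --add-set banned_hosts src
}

# Usage (as root):   sh icmp_ban.sh apply [HITS] [WINDOW] [BAN_SECONDS]
# Dry run:           IPT=echo IPSET=echo sh icmp_ban.sh apply 2 1 3600
# Inspect / unban:   ipset list banned_hosts ; ipset del banned_hosts 192.0.2.10
case "${1:-}" in
    apply) install_icmp_ban "$2" "$3" "$4" ;;
esac
```

Two points are worth checking after applying it: `ipset list banned_hosts` shows a per-entry `timeout` counting down, which is the behaviour the question's one-hour plan needs, and `iptables -nvL INPUT` must show the `match-set banned_hosts` DROP as rule 1, because a banned host is only cut off for TCP and UDP if that rule sits ahead of any ACCEPT rules already in the chain.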