* ICMP floods
@ 2003-10-15 3:54 Edmund Turner
2003-10-15 7:06 ` Alistair Tonner
2003-10-15 16:36 ` Jim Carter
0 siblings, 2 replies; 7+ messages in thread
From: Edmund Turner @ 2003-10-15 3:54 UTC (permalink / raw)
To: netfilter
Hey everyone!
I'm trying to create a proper ICMP chain that will block ICMP flooding
by viruses and DoS attacks. Would the ruleset below be sufficient?
I can't simulate the exact ICMP flooding, so I'm only assuming that
limiting the ICMP burst to 10/sec and limiting it to 5/sec.
Any input is appreciated!!
#####################
#####ICMP CHAINS#####
#####################
/sbin/iptables -N ICMP
/sbin/iptables -F ICMP
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
/sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
/sbin/iptables -A ICMP -p icmp -j DROP
regards
edmund
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ICMP floods
2003-10-15 3:54 ICMP floods Edmund Turner
@ 2003-10-15 7:06 ` Alistair Tonner
2003-10-15 7:18 ` Michael Kearey
2003-10-15 16:36 ` Jim Carter
1 sibling, 1 reply; 7+ messages in thread
From: Alistair Tonner @ 2003-10-15 7:06 UTC (permalink / raw)
To: eturner, netfilter
On October 14, 2003 11:54 pm, Edmund Turner wrote:
> Hey everyone!
> I'm trying to create a proper ICMP chain that will block ICMP flooding
> by viruses and DoS attacks. Would the ruleset below be sufficient?
> I can't simulate the exact ICMP flooding, so I'm only assuming that
> limiting the ICMP burst to 10/sec and limiting it to 5/sec.
>
> Any input is appreciated!!
>
> #####################
> #####ICMP CHAINS#####
> #####################
> /sbin/iptables -N ICMP
> /sbin/iptables -F ICMP
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
> #/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
The limit rule above will never be used as the packets are already accepted
by the rule above it.
> /sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
> /sbin/iptables -A ICMP -p icmp -j DROP
>
>
> regards
> edmund
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
* Re: ICMP floods
2003-10-15 7:06 ` Alistair Tonner
@ 2003-10-15 7:18 ` Michael Kearey
2003-10-15 7:29 ` Edmund Turner
2003-10-15 7:31 ` Alistair Tonner
0 siblings, 2 replies; 7+ messages in thread
From: Michael Kearey @ 2003-10-15 7:18 UTC (permalink / raw)
Cc: netfilter
Alistair Tonner wrote:
<Snip>
>>/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
>>/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
>>#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
^
>>/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
>
>
> The limit rule above will never be used as the packets are already accepted
> by the rule above it.
<Snip>
It's commented out, isn't it?
Cheers,
Michael
* RE: ICMP floods
2003-10-15 7:18 ` Michael Kearey
@ 2003-10-15 7:29 ` Edmund Turner
2003-10-15 7:31 ` Alistair Tonner
1 sibling, 0 replies; 7+ messages in thread
From: Edmund Turner @ 2003-10-15 7:29 UTC (permalink / raw)
To: 'Michael Kearey'; +Cc: netfilter
Yes, it is commented out. I've added a limit to both echo-request and
echo-replies. Hope this would stop the problems exhibited by the Welchia
virus.
Regards
edmund
#####################
#####ICMP CHAINS#####
#####################
/sbin/iptables -N ICMP
/sbin/iptables -F ICMP
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -m limit --limit 5/second -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
/sbin/iptables -A ICMP -p icmp -j DROP
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Michael Kearey
Sent: Wednesday, October 15, 2003 3:19 PM
Cc: netfilter@lists.netfilter.org
Subject: Re: ICMP floods
Alistair Tonner wrote:
<Snip>
>>/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
>>/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
>>#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
^
>>/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
>
>
> The limit rule above will never be used as the packets are already accepted
> by the rule above it.
<Snip>
It's commented out, isn't it?
Cheers,
Michael
* Re: ICMP floods
2003-10-15 7:18 ` Michael Kearey
2003-10-15 7:29 ` Edmund Turner
@ 2003-10-15 7:31 ` Alistair Tonner
1 sibling, 0 replies; 7+ messages in thread
From: Alistair Tonner @ 2003-10-15 7:31 UTC (permalink / raw)
To: Michael Kearey; +Cc: netfilter
On October 15, 2003 03:18 am, Michael Kearey wrote:
> Alistair Tonner wrote:
> <Snip>
>
> >>/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
> >>/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
> >>#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
>
> ^
>
> >>/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit
> >>5/second -j ACCEPT
> >
> > The limit rule above will never be used as the packets are already
> > accepted by the rule above it.
>
> <Snip>
>
> It's commented out, isn't it?
Okay ... perhaps I should go back to sleep now... *grin*
>
> Cheers,
> Michael
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
* Re: ICMP floods
2003-10-15 3:54 ICMP floods Edmund Turner
2003-10-15 7:06 ` Alistair Tonner
@ 2003-10-15 16:36 ` Jim Carter
2003-10-16 2:38 ` Edmund Turner
1 sibling, 1 reply; 7+ messages in thread
From: Jim Carter @ 2003-10-15 16:36 UTC (permalink / raw)
To: Edmund Turner; +Cc: netfilter
On Wed, 15 Oct 2003, Edmund Turner wrote:
> I'm trying to create a proper ICMP chain that will block ICMP flooding
> by viruses and DoS attacks. Would the ruleset below be sufficient?
> -- snip --
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
You need "-j SOMETHING" -- the limit module would bypass the -j action if
it happened too often. The man page doesn't say the default unit for
--limit (but it says the default is 3/hour which is kind of infrequent); I
would put in an explicit unit. Also I doubt you really need separate rate
limiting on each interface. I see you have ACCEPT rules for every
different type of ICMP packet. Here's a real simple rule which does
almost the same thing:
iptables -t filter -A FORWARD -p ICMP -m limit --limit 2/second \
--limit-burst 10 -j ACCEPT
iptables -t filter -A FORWARD -p ICMP -m limit --limit 4/minute -j LOG
iptables -t filter -A FORWARD -p ICMP -j DROP
(Or you could put this in a separate chain like your example: probably just
as efficient if not more so, and more readable.)
Hope this helps!
James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
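Jim's chain uses "--limit 2/second --limit-burst 10" on the ACCEPT rule and "--limit 4/minute" on the LOG rule. The block below is an added example, not code from this thread or from the netfilter project: it models the "-m limit" match as a token bucket and pushes two constructed packet streams through Jim's three-rule chain, a 1000 packet/s flood lasting five seconds and an ordinary one-ping-per-second stream. The numbers it produces show what the two limits buy: the flood is allowed the 10-packet burst plus 2 packets per second (19 of 5000 accepted), only 5 of the 4981 dropped packets are logged, and the ordinary pings pass untouched. The real xt_limit module counts integer credits in jiffies, so counts at the edges can differ by one from this idealised model; the rates and burst sizes are Jim's, the packet streams are constructed.

```python
"""Token-bucket model of the iptables `-m limit` match (added example).

Idealised model of xt_limit: a bucket of at most `burst` tokens, refilled
continuously at `rate` tokens per second; a packet matches the rule only
when a whole token is available, otherwise the rule is skipped and the
packet falls through to the next rule in the chain.
"""
from fractions import Fraction
from typing import Iterable, List, Tuple

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Turn an explicit '--limit' value such as '2/second' or '4/minute'
    into tokens per second. A bare number is rejected on purpose: write
    the unit out rather than rely on the module's default."""
    count, sep, unit = spec.partition("/")
    if not sep or unit not in UNITS:
        raise ValueError(f"--limit {spec!r}: give an explicit unit, e.g. {count}/second")
    return Fraction(int(count), UNITS[unit])


class LimitMatch:
    def __init__(self, rate: Fraction, burst: int = 5):  # 5 is the iptables default burst
        self.rate = rate
        self.burst = Fraction(burst)
        self.tokens = self.burst      # the bucket starts full
        self.last = Fraction(0)

    def matches(self, t: Fraction) -> bool:
        """Refill for the time elapsed since the previous packet, then try to
        spend one token. Exact rational arithmetic keeps the model free of
        float drift right at the one-token boundary."""
        self.tokens = min(self.burst, self.tokens + self.rate * (t - self.last))
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_chain(packet_times: Iterable[Fraction],
              accept_limit: str = "2/second", accept_burst: int = 10,
              log_limit: str = "4/minute", log_burst: int = 5) -> Tuple[int, int, int]:
    """Push packets through the three-rule chain Jim proposed:
    ACCEPT (rate-limited), LOG (rate-limited, non-terminating), DROP.
    Returns (accepted, logged, dropped)."""
    accept = LimitMatch(parse_rate(accept_limit), accept_burst)
    log = LimitMatch(parse_rate(log_limit), log_burst)
    accepted = logged = dropped = 0
    for t in packet_times:
        if accept.matches(t):
            accepted += 1
            continue
        if log.matches(t):
            logged += 1
        dropped += 1          # LOG does not terminate; everything not accepted reaches DROP
    return accepted, logged, dropped


def flood(pps: int, seconds: int) -> List[Fraction]:
    """Constructed input: a constant stream of `pps` packets per second."""
    return [Fraction(i, pps) for i in range(pps * seconds)]


def pings(seconds: int) -> List[Fraction]:
    """Constructed input: one echo-request per second, as `ping` sends."""
    return [Fraction(i) for i in range(seconds)]


if __name__ == "__main__":
    print("1000 pps flood for 5 s ->", run_chain(flood(1000, 5)))   # (19, 5, 4981)
    print("1 ping/s for 5 s       ->", run_chain(pings(5)))         # (5, 0, 0)
```

The LOG rule's own limit is what keeps a flood from filling the log: without it every one of the 4981 dropped packets would produce a kernel log line.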
* RE: ICMP floods
2003-10-15 16:36 ` Jim Carter
@ 2003-10-16 2:38 ` Edmund Turner
0 siblings, 0 replies; 7+ messages in thread
From: Edmund Turner @ 2003-10-16 2:38 UTC (permalink / raw)
To: 'Jim Carter'; +Cc: netfilter
Jim, thanks for the tip! I just noticed that I missed the 'J'. I've
rewritten the rules as you advised.
Regards
edmund
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Jim Carter
Sent: Thursday, October 16, 2003 12:36 AM
To: Edmund Turner
Cc: netfilter@lists.netfilter.org
Subject: Re: ICMP floods
On Wed, 15 Oct 2003, Edmund Turner wrote:
> I'm trying to create a proper ICMP chain that will block ICMP flooding
> by viruses and DoS attacks. Would the ruleset below be sufficient?
> -- snip --
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
You need "-j SOMETHING" -- the limit module would bypass the -j action if
it happened too often. The man page doesn't say the default unit for
--limit (but it says the default is 3/hour which is kind of infrequent); I
would put in an explicit unit. Also I doubt you really need separate rate
limiting on each interface. I see you have ACCEPT rules for every
different type of ICMP packet. Here's a real simple rule which does
almost the same thing:
iptables -t filter -A FORWARD -p ICMP -m limit --limit 2/second \
--limit-burst 10 -j ACCEPT
iptables -t filter -A FORWARD -p ICMP -m limit --limit 4/minute -j LOG
iptables -t filter -A FORWARD -p ICMP -j DROP
(Or you could put this in a separate chain like your example: probably just
as efficient if not more so, and more readable.)
Hope this helps!
James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
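Edmund says above that he has rewritten the rules as advised. As an added check (example code written for this page, not from the thread or from the netfilter project), the script below parses a list of iptables commands and reports the three pitfalls raised in this thread: a "-m limit" rule with no "-j" target and a "--limit" value with no unit (Jim's points), and a rule that can never match because an earlier unconditional ACCEPT or DROP already handles the same ICMP type (Alistair's point, which did not apply because the line in question was commented out; the checker skips comment lines for exactly that reason, since iptables never loads them). The embedded input is Edmund's first ruleset, with the wrapped lines joined, and Jim's three-rule chain.

```python
"""Static checks for an iptables ICMP chain (added example, not from the thread).

Flags: a `-m limit` rule with no `-j` target, a `--limit` value with no unit,
and a rule made unreachable by an earlier unconditional terminating rule for
the same ICMP type. Commented-out lines are skipped, as iptables never sees them.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Input 1: Edmund's original ICMP chain from the first message, wrapped lines joined.
EDMUND_RULES = """\
/sbin/iptables -N ICMP
/sbin/iptables -F ICMP
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
/sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
/sbin/iptables -A ICMP -p icmp -j DROP
"""

# Input 2: Jim's three-rule FORWARD chain (with -p on the DROP rule).
JIM_RULES = """\
iptables -t filter -A FORWARD -p ICMP -m limit --limit 2/second --limit-burst 10 -j ACCEPT
iptables -t filter -A FORWARD -p ICMP -m limit --limit 4/minute -j LOG
iptables -t filter -A FORWARD -p ICMP -j DROP
"""


@dataclass
class Rule:
    lineno: int
    chain: str
    opts: Dict[str, Optional[str]]   # option -> its argument (None for bare flags)
    matches: List[str]               # every module named with -m on this rule


def parse_rule(lineno: int, line: str) -> Optional[Rule]:
    """Parse one iptables command; returns None for commands other than -A."""
    toks = shlex.split(line)          # shlex keeps "ICMP DROP: " as one argument
    if toks and toks[0].endswith("iptables"):
        toks = toks[1:]
    if "-A" not in toks:
        return None
    opts: Dict[str, Optional[str]] = {}
    matches: List[str] = []
    i = 0
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("-"):
            i += 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else None
        if tok == "-m" and nxt is not None:
            matches.append(nxt)
        else:
            opts[tok] = nxt
        i += 2 if nxt is not None else 1
    return Rule(lineno, opts["-A"], opts, matches)


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` is an unconditional terminating rule (no -m module,
    no interface restriction) that already handles every packet `later` could
    match: same --icmp-type, or no --icmp-type at all."""
    if earlier.opts.get("-j") not in TERMINATING or earlier.matches or "-i" in earlier.opts:
        return False
    e_type = earlier.opts.get("--icmp-type")
    return e_type is None or e_type == later.opts.get("--icmp-type")


def lint(ruleset: str) -> List[Tuple[int, str]]:
    findings: List[Tuple[int, str]] = []
    seen: Dict[str, List[Rule]] = {}
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # commented out: never loaded, cannot shadow anything
        rule = parse_rule(lineno, line)
        if rule is None:
            continue
        if "limit" in rule.matches and "-j" not in rule.opts:
            findings.append((lineno, "limit match without -j: the rule matches but does nothing"))
        limit = rule.opts.get("--limit")
        if limit is not None and "/" not in limit:
            findings.append((lineno, f"--limit {limit} has no unit; write e.g. {limit}/second"))
        for earlier in seen.get(rule.chain, []):
            if shadows(earlier, rule):
                findings.append((lineno, f"unreachable: line {earlier.lineno} already handles this traffic"))
                break
        seen.setdefault(rule.chain, []).append(rule)
    return findings


if __name__ == "__main__":
    for name, rules in (("Edmund", EDMUND_RULES), ("Jim", JIM_RULES)):
        print(f"== {name} ==")
        for n, msg in lint(rules) or [(0, "no findings")]:
            print(f"line {n}: {msg}")
```

Run against Edmund's chain it reports the three target-less limit rules and their unit-less "--limit 1" values and nothing else; uncommenting the plain echo-request ACCEPT makes the rate-limited echo-request rule below it unreachable, which is the situation Alistair described. Jim's chain comes back clean.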