Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. iptables>
  3. User
limit extension problem
michele.petrazzo at unipex
Jul 16, 2007, 9:51 AM
Post #1 of 4 (2628 views)
Permalink
Hi all,
I'm on debian etch with the default kernel (iptables 1.3.6 and 2.6.18).

I'm trying the limit extension, but the invert flag doesn't work like
the man page say:
"""
iptables -t filter -A FORWARD -m mark --mark 2 -p icmp --icmp-type 8 -m
limit ! --limit 20/min -j ACCEPT
iptables v.1.3.6: limit does not support invert
"""
What I want it's to "limit" the log for icmp protocol to 20/minute

What can I do?

Thanks,
Michele
Re: limit extension problem [ In reply to ]
franck.joncourt at wanadoo
Jul 16, 2007, 11:11 AM
Post #2 of 4 (2547 views)
Permalink
On Mon, Jul 16, 2007 at 06:51:34PM +0200, Michele Petrazzo - Unipex srl wrote:
> Hi all,
> I'm on debian etch with the default kernel (iptables 1.3.6 and 2.6.18).
>
> I'm trying the limit extension, but the invert flag doesn't work like
> the man page say:
> """
> iptables -t filter -A FORWARD -m mark --mark 2 -p icmp --icmp-type 8 -m
> limit ! --limit 20/min -j ACCEPT
> iptables v.1.3.6: limit does not support invert
> """
> What I want it's to "limit" the log for icmp protocol to 20/minute
>

Is that what you are looking for :

iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

Attached Files:

Re: limit extension problem [ In reply to ]
michele.petrazzo at unipex
Jul 16, 2007, 11:43 AM
Post #3 of 4 (2531 views)
Permalink
Franck Joncourt wrote:
> Is that what you are looking for :
>
> iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j ACCEPT
> iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP

Not really.
I want to log only 20 ping forwarded on a minute. May be that I need to
invert those lines? I think yes!

iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP
iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j
ACCEPT

Michele

Attached Files:

Re: limit extension problem [ In reply to ]
franck.joncourt at wanadoo
Jul 17, 2007, 11:25 AM
Post #4 of 4 (2517 views)
Permalink
On Mon, Jul 16, 2007 at 08:43:00PM +0200, Michele Petrazzo - Unipex srl wrote:

> I want to log only 20 ping forwarded on a minute.
>
> iptables -A FORWARD -p icmp -m limit --limit 20/min -j LOG_ICMP
> iptables -A FORWARD -p icmp --icmp-type echo-request -m mark --mark 2 -j
> ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request \
-m limit --limit 20/min -j LOG_ICMP

In your first email, I thought you wanted to accept all echo-request
without logging, but log other icmp types.

What you wrote will log all icmp types, and not only echo-request.

Why are you playing with _mark_ in your rules ?

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal