
#1 2018-06-29 19:24:11

sainty
Member
From: UK
Registered: 2017-04-20
Posts: 6

[SOLVED] NFTABLES ICMP limit rate not working correctly.

I have decided to try and improve on the basic firewall and have been looking at the Wiki in relation to limiting the ping rate for both IPv4 and IPv6.  I have been using both the Arch Wiki and NFTABLES Wiki.

On the Arch Wiki there is the following example:

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		# no ping floods:
		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second accept
		ip protocol icmp icmp type echo-request limit rate 10/second accept

		ct state established,related accept
		ct state invalid drop

		iif lo accept

		# avoid brute force on ssh:
		tcp dport ssh limit rate 15/minute accept

	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}

}

Using this did not work.  I believe this is because after the limit is reached the rule is no longer valid and so the next rule is processed, that rule being:

ct state established,related accept

I am assuming here that as there was a continuous ping the state is considered 'Established' and so the ping still gets accepted by this rule.

To get around this I inserted:

ip protocol icmp drop

between the two lines.  This appeared to have the desired effect.  I am still looking and playing to be sure this is the right way to do this.  Perhaps someone here has a better idea?

I have the same issue with IPv6 and attempted to do the same adding:

ip6 nexthdr icmpv6 drop

Unfortunately this did not work.  I got an initial ping successfully but all pings after the first 10 failed.  Even stopping the ping and restarting hours later I get no successful pings with IPv6.  Have you any ideas that could help here?

I am still looking at this.  Once I have all the right and correct information, have collated what I can and have a proven working model, I will look to update the Wiki on this one.

Thank you for reading.

Last edited by sainty (2018-07-01 16:43:31)


#2 2018-06-29 19:43:47

progandy
Member
Registered: 2012-05-17
Posts: 4,335

Re: [SOLVED] NFTABLES ICMP limit rate not working correctly.

I believe you are dropping too much of ICMPv6. Use a more specific rule to block only pings. IPv6 requires working ICMPv6, unlike IPv4, since ARP has been replaced with NDP, which uses ICMPv6 messages.
https://en.wikipedia.org/wiki/Neighbor_ … y_Protocol

ip6 nexthdr icmpv6 icmpv6 type echo-request drop

Last edited by progandy (2018-06-29 19:46:45)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#3 2018-06-30 15:38:01

sainty
Member
From: UK
Registered: 2017-04-20
Posts: 6

Re: [SOLVED] NFTABLES ICMP limit rate not working correctly.

Hi progandy,

I think you will be spot on here.  I just had the same revelation as I was walking my dogs in the big outdoors.  Often things come to me when I am not thinking.  I am going to try two items for this.  First drop the echo-request before the established connections, then after that specify all the other ICMP types as accept (after a quick read up on them).

I will feed back here when I have done so over the next couple of days.


#4 2018-07-01 16:43:10

sainty
Member
From: UK
Registered: 2017-04-20
Posts: 6

Re: [SOLVED] NFTABLES ICMP limit rate not working correctly.

My Current Solution.

Here I have set the limits to drop the packets on overshoot for echo-request only.  This is an early filtering which stops further processing.  After this all other ICMP functions will operate by the second set of rules for ICMP.  I do not know if there is a better way of doing this, but it does work.

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		ip protocol icmp icmp type echo-request limit rate over 1/minute burst 4 packets drop
		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/minute burst 4 packets drop

		ct state {established, related} accept
		ct state invalid drop

		iifname lo accept

		ip protocol icmp accept
		ip6 nexthdr icmpv6 accept

	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}

Hope this helps someone else out.
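
A small Python model of the rule ordering discussed in this thread, added as an illustration and not taken from any of the posts. It compares "limit ... accept" followed by the established rule with "limit rate over ... drop" placed first. Assumptions: first-match evaluation, a token-bucket limit of 10/second with a constructed burst of 5 in both rulesets, and conntrack treating the echo flow as established once one request has been accepted.

```python
# Simplified model, not nftables itself. Assumptions: rules are tried in order,
# the first match decides, and conntrack treats the echo flow as established
# once one echo-request has been accepted.

class Bucket:
    """Token bucket behind a `limit rate` expression."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def under(self, now):
        """Consume a token and return True while the packet is within the rate."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def wiki_rules():
    b = Bucket(10, 5)  # 10/second; burst of 5 is a constructed value
    return [
        (lambda now, est: b.under(now), "accept"),  # limit rate 10/second accept
        (lambda now, est: est, "accept"),           # ct state established accept
    ]

def fixed_rules():
    b = Bucket(10, 5)  # same rate as above so the two runs are comparable
    return [
        (lambda now, est: not b.under(now), "drop"),  # limit rate over ... drop
        (lambda now, est: est, "accept"),             # ct state established accept
        (lambda now, est: True, "accept"),            # ip protocol icmp accept
    ]

def run(rules, times, policy="drop"):
    """Return the verdict for each echo-request arriving at the given times."""
    established, verdicts = False, []
    for now in times:
        verdict = next((v for match, v in rules if match(now, established)), policy)
        established = established or verdict == "accept"
        verdicts.append(verdict)
    return verdicts

FLOOD = [i * 0.001 for i in range(50)]  # constructed: 50 pings, 1 ms apart

if __name__ == "__main__":
    print("wiki :", run(wiki_rules(), FLOOD).count("accept"), "of 50 accepted")
    print("fixed:", run(fixed_rules(), FLOOD).count("accept"), "of 50 accepted")
```

In the first ruleset every packet over the limit falls through to the established rule and is accepted, so the limit has no visible effect; in the second the over-limit packets are dropped before that rule is reached.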
