You are not logged in.
- Topics: Active | Unanswered
#1 2018-06-29 19:24:11
- sainty
- Member
- From: UK
- Registered: 2017-04-20
- Posts: 6
[SOLVED] NFTABLES ICMP limit rate not working correctly.
I have decided to try and improve on the basic firewall and have been looking at the Wiki in relation to limiting the ping rate for both IPv4 and IPv6. I have been using both the Arch Wiki and NFTABLES Wiki.
On the Arch Wiki there is the following example:
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# no ping floods:
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second accept
ip protocol icmp icmp type echo-request limit rate 10/second accept
ct state established,related accept
ct state invalid drop
iif lo accept
# avoid brute force on ssh:
tcp dport ssh limit rate 15/minute accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}Using this did not work. I believe this is because after the limit is reached the rule is no longer valid and so the next rule is processed, that rule being:
ct state established,related acceptI am assuming here that as there was a continuous ping the state is considered 'Established' and so the ping still gets accepted by this rule.
To get around this I inserted:
ip protocol icmp dropbetween the two lines. This appeared to have the desired effect. I am still looking and playing to be sure this is the right way to do this. Perhaps someone here has a better idea?
I have the same issue with IPv6 and attempted to do the same adding:
ip6 nexthdr icmpv6 dropUnfortunately this did not work. I got an initial ping successfully but all pings after the first 10 failed. Even stopping the ping and restarting hours later I get no successful pings with IPv6. Have you any ideas that could help here?
I am still looking at this and once I have all the right and correct information. Once I have collated what I can and have a proven working model I will look to update the Wiki on this one.
Thank you for reading.
Last edited by sainty (2018-07-01 16:43:31)
Offline
#2 2018-06-29 19:43:47
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,190
Re: [SOLVED] NFTABLES ICMP limit rate not working correctly.
I believe you are dropping too much of icmpv6. Use a more specific rule to block only pings. IPv6 requires working icmpv6 unlike ipv4, since ARP has been replaced with NDP which uses ICMPv6 messages.
https://en.wikipedia.org/wiki/Neighbor_ … y_Protocol
ip6 nexthdr icmpv6 icmpv6 type echo-request dropLast edited by progandy (2018-06-29 19:46:45)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#3 2018-06-30 15:38:01
- sainty
- Member
- From: UK
- Registered: 2017-04-20
- Posts: 6
Re: [SOLVED] NFTABLES ICMP limit rate not working correctly.
Hi progandy,
I think you will be spot on here. I just had the same revelation as I was walking my dogs in the big outdoors. Often things come to me when I am not thinking. I am going to to try two items for this. First drop the echo-request before the established connections, then after that specify all the other ICMP types as accept (after a quick read up on them).
I will feedback here when I have done so over the next couple of days.
Offline
#4 2018-07-01 16:43:10
- sainty
- Member
- From: UK
- Registered: 2017-04-20
- Posts: 6
Re: [SOLVED] NFTABLES ICMP limit rate not working correctly.
My Current Solution.
Here I have set the limits to drop the packets on overshoot for echo-request only. This is an early filtering which stops further processing. After this all other ICMP functions will operate by the second set of rules for ICMP. I do not know if there is a better way of doing this, but it does work.
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ip protocol icmp icmp type echo-request limit rate over 1/minute burst 4 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/minute burst 4 packets drop
ct state {established, related} accept
ct state invalid drop
iifname lo accept
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
}
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}Hope this helps some one else out.
Offline