[svlug] iptables syn flood etc

Vince Hoang svlug at ml.altern8.net
Mon Jan 13 22:20:27 PST 2003


On Mon, Jan 13, 2003 at 12:47:23PM -0500, George Georgalis wrote:
>     $IPTABLES -A INPUT -p icmp --icmp-type "echo-request" -m limit --limit 5/minute \
>         -j LOG --log-prefix '#### Ping Scan ####'

You will likely run into issues troubleshooting with icmp rate
limited so low. Think about ping and how many packets/minute are
sent when you are using it.

>     # high rate for stealth scans, since they could be legitimate connection
>     # attempts as well

I would consult the Stevens book and simply drop the scans that
cannot be legitimate.

>     # we are nice and allow traceroute, though it is not required
>     $IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
>     $IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT

Which version of traceroute uses icmp/11 and icmp/30?

-Vince



More information about the svlug mailing list