Greetings!!
I wanted to do a little experiment today with my students concerning the possibility (which is useless indeed) of dragging down the performance of a network using a flood of ICMP request packets through the ping utility across the entire network (broadcast, with options -f and -b).
The network is composed essentially of hubs with 15 computers running openSUSE 13.2. All the hubs are connected at the end of the chain to a Cisco router.
My question is: it is possible using iptables (for each computer connected to the different hubs; there are three hubs, each connected to 4 to 5 computers) to limit the damage of a ping flood, but I don't know how to make the changes done to iptables permanent.
Which script do I have to modify to have the iptables rules set up at boot, when the firewall is started?
For now, I have (default):
Chain INPUT (policy DROP)
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate RELATED
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP all -- anywhere anywhere
Chain input_ext (1 references)
DROP all -- anywhere anywhere PKTTYPE = broadcast
Chain forward_ext (2 references)
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere ctstate RELATED,ESTABLISHED icmp redirect
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
DROP all -- anywhere anywhere
Chain reject_func (0 references)
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
I saw many ways to limit the damage, but I don't know how to make the changes permanent.
The idea is: if each computer on the local network dropped the broadcast ICMP requests, it might limit the damage, as the broadcast consists of sending ICMP packets to all the computers that have iptables running. As we pass through some hubs, the broadcasts are not filtered.
The command used was ping -f 192.168.0.0 -b using the root account…
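An added example (not the poster's configuration, and not SuSEfirewall2's own scripts) of what the host-side mitigation and its persistence on an openSUSE 13.2 host running SuSEfirewall2 look like. The LAN of 192.168.0.0/24 (directed-broadcast address 192.168.0.255) and the allowance of 5 echo-requests per second with a burst of 10 are assumptions chosen for illustration; the `show` mode prints the rules without root so they can be reviewed before `apply`.

```shell
#!/bin/sh
# Added example (not the poster's configuration): host-side mitigation of an
# ICMP echo-request flood on an openSUSE 13.2 box running SuSEfirewall2.
# Assumptions, not taken from the post: the LAN is 192.168.0.0/24, so its
# directed-broadcast address is 192.168.0.255; 5 echo-requests per second with
# a burst of 10 is a generous allowance for normal monitoring.
LAN_BCAST="${LAN_BCAST:-192.168.0.255}"
RATE="${RATE:-5/second}"
BURST="${BURST:-10}"
IPT="${IPT:-iptables}"

# run: execute the command, or print it when DRY_RUN is set, so the rule set
# can be reviewed (or tested) without root and without touching netfilter.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ping_flood_rules: four rules inserted at the top of INPUT, ahead of the
# SuSEfirewall2-generated ones, so they are evaluated first. The posted
# ruleset already drops broadcast packets inside input_ext; rule 1 makes that
# explicit for echo-requests whatever zone the interface is in.
ping_flood_rules() {
    # 1. Echo-requests that arrived as a link-layer broadcast (a ping -b to the
    #    subnet's broadcast address lands here) are dropped outright.
    run "$IPT" -I INPUT 1 -p icmp --icmp-type echo-request \
        -m pkttype --pkt-type broadcast -j DROP
    # 2. Belt and braces: the same for packets addressed to the directed
    #    broadcast address, in case the NIC delivered them as unicast.
    run "$IPT" -I INPUT 2 -p icmp --icmp-type echo-request \
        -d "$LAN_BCAST" -j DROP
    # 3. Unicast echo-requests are accepted only up to RATE (a token bucket
    #    that holds BURST tokens) ...
    run "$IPT" -I INPUT 3 -p icmp --icmp-type echo-request \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    # 4. ... and everything above that rate is dropped, so a ping -f from one
    #    host can no longer make this host answer at wire speed.
    run "$IPT" -I INPUT 4 -p icmp --icmp-type echo-request -j DROP
}

# broadcast_pings_ignored: the kernel already refuses to answer broadcast
# echo-requests when net.ipv4.icmp_echo_ignore_broadcasts is 1 (the Linux
# default), which is why a ping -b usually gets no replies at all.
# Returns 0 if the knob is on, 1 if it is off, 2 if it cannot be read.
broadcast_pings_ignored() {
    f=/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Persistence on SuSEfirewall2: rules added by hand with iptables are lost the
# next time the firewall is restarted. Put the ping_flood_rules calls inside
# fw_custom_before_port_handling() in /etc/sysconfig/scripts/SuSEfirewall2-custom,
# set FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" in
# /etc/sysconfig/SuSEfirewall2, and restart the firewall (rcSuSEfirewall2 restart).
# The template file documents the hooks it offers; check it on your own system.

case "${1:-show}" in
    show)  DRY_RUN=1 ping_flood_rules ;;   # print the rules only
    apply) ping_flood_rules ;;             # needs root
    check) if broadcast_pings_ignored; then
               echo "kernel ignores broadcast pings"
           else
               echo "kernel answers broadcast pings (or the sysctl is unreadable)"
           fi ;;
esac
```

Two caveats a practitioner would want here: filtering on the receiver cannot take load off a shared hub segment, it only stops this host from spending CPU and bandwidth on replies; and a stock Linux host already ignores broadcast echo-requests (net.ipv4.icmp_echo_ignore_broadcasts defaults to 1), which the `check` mode verifies, so a `ping -b` flood mostly hurts the hubs, not the hosts.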