Shulou(Shulou.com)06/01 Report--

Recently, a friend asked me what I mean in writing iptables, as follows:

-An INPUT-p icmp- m icmp--icmp-type 8-m limit-- limit 2/sec-j ACCEPT

In fact, this is the request response speed limit of icmp, which is what we usually call ping a certain host. Icmp is an error and reporting mechanism, and the packets it receives and sends are used to detect network status. Common icmp categories are as follows:

Category code

Category definition

0

Echo Reply (response message)

three

Destination Unreachable (destination unreachable)

four

Source Quench (use this deny source address to send information when routing is heavily loaded) 5

Redirect (redirect routing path) 8

Echo Request (request response Information) B (i.e. 11)

Time Exceeded (tells the source address ignored information when the packet times out in the route) C (that is, 12) Parameter Problem (when the icmp packet repeats the previous error, returns the parameter error message related to the source address)

D (i.e. 13) Timestamp Request (requires the other party to give a timestamp to calculate the routing time difference, used to meet the requirements of the synchronization protocol) E (i.e. 14) Timestamp Reply (reply to the above response) F (i.e. 15) Info Request (request to boot to obtain network information, before rarp protocol) G (i.e. 16) Info Reply (response information request) Reply to the above request) H (i.e. 17) Address Mask Request (query subnet mask information) I (i.e. 18) Address Mask Reply (reply query subnet mask information)

It can be seen that the data of icmp packets are mostly used for network detection, and none of the above should be turned off except that 8 needs to be restricted or disabled. Iptables means to restrict the traffic of 8, because if a large number of ip in the network ping the host for a long time, it will also cause DDOS, so in the actual generation environment, we have to make corresponding restrictions on the 8 requests of icmp. Of course, if you want to know more information about icmp, you are advised to check it with the man icmp in the new system.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.