From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: --limit 5/m doesn't work
Date: Wed, 23 Mar 2005 12:36:19 -0600
Message-ID: <4241B723.9050204@riverviewtech.net>
In-Reply-To: <000001c52f53$ed3f3220$1500a8c0@itasam>

(I'll try replying to the mail list so others can see this too.)

Andy, something to keep in mind is that the limit that is in place is an average of 5 packets in 60 seconds, thus a packet could be matched every 12 seconds.  Something else to keep in mind is that this rule will only match based on the criteria you give it, thus if you don't have your default policy set to DROP or an explicit rule to drop the packets, they will always be accepted by default.  According to the man page, limit will support inverse matches but I cannot get it to work, so give it a try as follows:

iptables -A INPUT -i eth0 -m limit ! --limit 5/m --limit-burst 5 -j DROP

If that does not work you will need to do something like this:

iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

Alternatively you could make a new chain and do something like this:

iptables -N NewChain
iptables -A INPUT -i eth0 -j NewChain
iptables -A NewChain -i eth0 -m limit --limit 5/m --limit-burst 5 -j RETURN
# Put any additional match limits you want here that you want to use the default below on.
iptables -A NewChain -j DROP

In this scenario you could have other limits that you wanted to apply between the 3rd and 4th line.  You pass (all) traffic to the NewChain chain of rules and anything that is acceptable will be returned back to the INPUT chain and continue processing from there.  You will then have a default action of DROP in the NewChain if the packets are not explicitly RETURNed.

Grant. . . . 

Andy Samuel wrote:

> Dear All
> 
> I have this rule :
> iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
> 
> When I tried to ping my Linux box from a Windows box:
> ping -t 192.168.12.1 
> 
> The reply always comes within less than 1 ms.
> I'm actually expecting many timeouts because iptables would drop my
> package, but the reply always comes within less than 1 ms and no timeouts
> at all.
> Am I expecting something wrong?
> 
> Thank you all in advance.
> Andy
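The two points made in the reply above can be checked without touching a firewall. The following is an added illustration, not code from this thread or from the netfilter project: a Python model of the credit-based token bucket that the limit match implements (5 credits to start, one credit earned every 12 seconds, never more than 5 held), plus a minimal first-match chain evaluator. The millisecond timekeeping, the `run_chain` helper and the one-packet-per-second "ping" input are this example's own constructed simplifications.

```python
"""Token-bucket model of the iptables 'limit' match and a tiny chain
evaluator. Added illustration for the thread; not the thread's or
netfilter's own code. Timing in milliseconds is an assumption here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

MS_PER_MINUTE = 60_000


@dataclass
class LimitMatch:
    """Credit-based token bucket, as used by the limit match.

    rate_per_minute=5, burst=5 means: start with 5 credits, earn one
    credit every 12 s, never hold more than 5. A packet matches when a
    full credit is available and then spends it.
    """
    rate_per_minute: int = 5
    burst: int = 5
    last_ms: int = 0
    credit: int = field(init=False)

    def __post_init__(self) -> None:
        self.cost = MS_PER_MINUTE // self.rate_per_minute  # ms per packet: 12000
        self.cap = self.cost * self.burst                  # full bucket: 60000
        self.credit = self.cap                             # bucket starts full

    def match(self, now_ms: int) -> bool:
        # Refill with the elapsed time, capped at the burst allowance.
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


# A rule is (match predicate over arrival time, target).
Rule = Tuple[Callable[[int], bool], str]


def run_chain(rules: List[Rule], policy: str, arrivals_ms: List[int]) -> List[str]:
    """First matching rule decides; otherwise the chain's default policy."""
    verdicts = []
    for t in arrivals_ms:
        for matches, target in rules:
            if matches(t):
                verdicts.append(target)
                break
        else:
            verdicts.append(policy)
    return verdicts


def ping_arrivals(seconds: int) -> List[int]:
    """Constructed input: one echo request per second, like 'ping -t'."""
    return [s * 1000 for s in range(seconds)]


def limit_accept_only(arrivals_ms: List[int]) -> List[str]:
    """Only 'limit ... -j ACCEPT' with the default policy left at ACCEPT."""
    lim = LimitMatch()
    return run_chain([(lim.match, "ACCEPT")], "ACCEPT", arrivals_ms)


def limit_accept_then_drop(arrivals_ms: List[int]) -> List[str]:
    """'limit ... -j ACCEPT' followed by an unconditional '-j DROP'."""
    lim = LimitMatch()
    return run_chain([(lim.match, "ACCEPT"), (lambda t: True, "DROP")],
                     "ACCEPT", arrivals_ms)


def accepted_seconds(verdicts: List[str]) -> List[int]:
    """Offsets (in seconds) of the packets that were accepted."""
    return [i for i, v in enumerate(verdicts) if v == "ACCEPT"]


if __name__ == "__main__":
    pings = ping_arrivals(60)
    only = limit_accept_only(pings)
    paired = limit_accept_then_drop(pings)
    print("ACCEPT rule alone, policy ACCEPT:", only.count("ACCEPT"), "of 60 accepted")
    print("ACCEPT then DROP:", only.count("ACCEPT") and paired.count("ACCEPT"),
          "of 60 accepted, at seconds", accepted_seconds(paired))
```

With the ACCEPT rule alone every one of the 60 pings is accepted, which is exactly what Andy observed: unmatched packets simply fall through to the ACCEPT policy. With the DROP rule added, the first 5 packets pass on the burst credit and afterwards one packet passes every 12 seconds (at 12, 24, 36 and 48 s), 9 in the minute, while the other 51 are dropped.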


