From: ASHISH <ashishis@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: --limit 5/m doesn't work
Date: Wed, 23 Mar 2005 13:51:24 +0530
Message-ID: <558224e305032300217c4772c9@mail.gmail.com>
In-Reply-To: <558224e30503222255158832bc@mail.gmail.com>

The rule that you have mentioned will "Accept" the first five matches.
This does not specify any condition about dropping the packets. And
after the first five packets each second, the rest of the packets will
not match this rule, so they will jump to the next rule. In order to drop
these packets (your desire as per your mail), the next rule should be
used to drop them. Take a look at this example:

$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j DROP

A combination of these two rules will help you in your cause. The
second rule drops all the packets that fail the first rule.

These types of confusion can be better analysed by logging the packets
with some preferred prefix.

Hope it helps you.

On Wed, 23 Mar 2005 09:56:35 +0700, Andy Samuel <anci@centrin.net.id> wrote:
> Dear All
>
> I have this rule :
> iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
>
> When I tried to ping my Linux box from a Windows box:
> ping -t 192.168.12.1
>
> The reply always comes within less than 1 ms.
> I'm actually expecting many timeouts because iptables would drop my
> package, but the reply always comes within less than 1 ms and no timeouts
> at all.
> Am I expecting something wrong?
>
> Thank you all in advance.
> Andy
>
>
--
cheers
Ashish
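
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified token-bucket model of the `limit` match, run over a constructed stream of one ping per second, comparing the single ACCEPT rule with the ACCEPT-then-DROP pair. `LimitMatch` and `run_chain` are hypothetical names, the ACCEPT chain policy for the single-rule case is an assumption, and the kernel's own credit arithmetic differs in its units.

```python
# Added illustration: simplified token-bucket model of the iptables "limit" match.
# LimitMatch and run_chain are hypothetical names, not netfilter code.

class LimitMatch:
    """Models -m limit --limit N/minute --limit-burst B with integer credit."""

    def __init__(self, per_minute, burst):
        self.cost = 60_000 // per_minute   # ms of credit one matching packet spends
        self.cap = self.cost * burst       # a full bucket holds `burst` packets
        self.credit = self.cap             # the bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        # Refill one ms of credit per elapsed ms, never beyond the burst cap.
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False                       # no match: packet moves to the next rule


def run_chain(rules, policy, arrivals_ms):
    """Return one verdict per packet; rules are (match_or_None, target) pairs."""
    verdicts = []
    for now_ms in arrivals_ms:
        for match, target in rules:
            if match is None or match.matches(now_ms):
                verdicts.append(target)
                break
        else:
            verdicts.append(policy)        # fell off the end of the chain
    return verdicts


# Constructed input: one echo request per second for a minute.
PINGS = [s * 1000 for s in range(60)]

def single_rule():
    # Rule from the question; chain policy ACCEPT is an assumption.
    return run_chain([(LimitMatch(5, 5), "ACCEPT")], "ACCEPT", PINGS)

def accept_then_drop():
    # Rule pair from the reply: limited ACCEPT followed by an unconditional DROP.
    rules = [(LimitMatch(6, 5), "ACCEPT"), (None, "DROP")]
    return run_chain(rules, "ACCEPT", PINGS)

if __name__ == "__main__":
    print("single rule accepted:", single_rule().count("ACCEPT"))
    print("accept+drop accepted at seconds:",
          [i for i, v in enumerate(accept_then_drop()) if v == "ACCEPT"])
```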