Content #
- --limit <rate> Maximum number of packets to match within the given time frame. The default is three matches per hour.
- --limit-burst <number> Maximum number of initial packets to match before applying the limit. The default is five matches.
If match limiting is enabled, the default is that, after an initial burst of five matched packets, a rate limit of three matches per hour is imposed. In other words, if the system were flooded with ping packets, for example, the first five pings would match. After that, a single ping packet could be matched 20 minutes later, and another one could be matched 20 minutes after that, regardless of how many echo-requests were received. The disposition of the packets, whether logged or not, would depend on any subsequent rules regarding the packets.
Optional time frame specifiers include:
/second, /minute, /hour, /day
Limit logging of incoming ping message matches to one per second when an initial five echo-requests are received within a given second:
```bash
iptables -A INPUT -i eth0 \
    -p icmp --icmp-type echo-request \
    -m limit --limit 1/second -j LOG
```
Limit acceptance of incoming ping messages to one per second when an initial five echo-requests are received within a given second; the second rule drops whatever the limit match no longer lets through:
```bash
iptables -A INPUT -i eth0 \
    -p icmp --icmp-type echo-request \
    -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -i eth0 \
    -p icmp --icmp-type echo-request -j DROP
```
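To make the burst-then-rate behaviour concrete, here is a token-bucket model of the limit match (added for this page; it is not the kernel's code nor the book's, and the bucket model is an assumption that matches the documented semantics). It parses the same rate specifiers, replays a constructed ping flood against the defaults, and applies the ACCEPT/DROP chain from the example above.

```python
from fractions import Fraction

# Seconds per time-frame unit accepted by "--limit <n>/<unit>".
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_rate(spec: str) -> Fraction:
    """Turn a --limit rate such as "3/hour" or "1/second" into matches per second.

    Unit names may be abbreviated by prefix ("1/s"); a bare number is per second.
    """
    count, _, unit = spec.partition("/")
    unit = unit.lower() or "second"
    full = next((u for u in UNIT_SECONDS if u.startswith(unit)), None)
    if full is None or not count.isdigit() or int(count) < 1:
        raise ValueError(f"bad rate specifier: {spec!r}")
    return Fraction(int(count), UNIT_SECONDS[full])

class LimitMatch:
    """Token bucket: starts full with `burst` tokens, refills at `rate` tokens
    per second, never exceeds `burst`. A packet matches only if a whole token
    is available, and matching spends that token. (Model, not kernel code.)"""

    def __init__(self, rate: str = "3/hour", burst: int = 5):
        self.rate, self.burst = parse_rate(rate), burst   # iptables defaults
        self.tokens, self.last = Fraction(burst), Fraction(0)

    def matches(self, now) -> bool:
        now = Fraction(now)
        refill = (now - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def simulate(rate: str, burst: int, arrivals) -> list:
    """Which echo-requests (arrival times in seconds) the limit rule matches."""
    m = LimitMatch(rate, burst)
    return [m.matches(t) for t in arrivals]

def accept_drop_chain(rate: str, burst: int, arrivals) -> list:
    """Verdict per packet for the ACCEPT-then-DROP rule pair from the text."""
    return ["ACCEPT" if hit else "DROP" for hit in simulate(rate, burst, arrivals)]

if __name__ == "__main__":
    # Constructed flood: one ping per second for 100 s, then one 20 min and 40 min later.
    flood = list(range(100)) + [1200, 2400]
    print(simulate("3/hour", 5, flood).count(True))   # expect 5 burst + 2 later
```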
From #
Linux Security: Enhancing Security with nftables and Beyond