Hi all,
Can someone explain the following iptable rules for me?

1. iptables -N syn_flood
2. iptables -A INPUT -p tcp --syn -j syn_flood
3. iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
4. iptables -A syn_flood -j DROP

I understand 1 and 2, 1 creates the new syn_flood chain and 2 redirects all SYN requests to the new syn_flood chain.

I'm having trouble understanding 3 and 4. can someone explain to me in laymen terms the --limit 1/s and --limit-burst 3? Thanks.

Either '/sbin/iptables -m limit --help' or 'man iptables' and searching for the "limit" module text should get you that information easily: "--limit" means "packets per interval", here one packet per second, and "--limit-burst" means "maximum amount of packets to process", here a maximum of three packets per second. So anything under or equal to three packets per second leaves the chain to be processed further and anything over three will be dropped.

I thought that the burst part was a little more complcated that that. In the first instance you can get 3 pps however iptables won't allow 3 pps in the next second due to its cooldown mechanism. Each time "limit" is passed e.g. 1 second in this case the cooldown decrements by 1 e.g. you'll get a 3 pps burst in first second but second two will only allow 1 as there hasn't been any cooldown. If however second two is quiet the count would have decremented by 1 which would then allow a 2 packet burst in second 3 but not a 3 pkt burst.

e.g.

Have I interpreted this wrongly?