iptables SYN question
Hi all,
Can someone explain the following iptables rules for me?
1. iptables -N syn_flood
2. iptables -A INPUT -p tcp --syn -j syn_flood
3. iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
4. iptables -A syn_flood -j DROP
I understand 1 and 2: 1 creates the new syn_flood chain and 2 redirects all SYN requests to the new syn_flood chain. I'm having trouble understanding 3 and 4. Can someone explain to me in layman's terms the --limit 1/s and --limit-burst 3? Thanks.
Either '/sbin/iptables -m limit --help' or 'man iptables' and searching for the "limit" module text should get you that information easily: "--limit" means "packets per interval", here one packet per second, and "--limit-burst" means "maximum number of packets to process", here a maximum of three packets per second. So anything under or equal to three packets per second leaves the chain to be processed further, and anything over three will be dropped.
I thought that the burst part was a little more complicated than that. In the first instance you can get 3 pps; however, iptables won't allow 3 pps in the next second due to its cooldown mechanism. Each time the "limit" interval passes (1 second in this case) the cooldown decrements by 1, e.g. you'll get a 3 pps burst in the first second, but second two will only allow 1 as there hasn't been any cooldown. If however second two is quiet, the count would have decremented by 1, which would then allow a 2-packet burst in second 3 but not a 3-packet burst.
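The "cooldown" described above is a token bucket, which is how the kernel's limit match (xt_limit) is implemented: the bucket starts full with --limit-burst tokens, every packet that matches spends one token, and tokens are refilled at the --limit rate up to the burst cap, so a quiet second puts one token back. The Python model below is an added example written for this thread, not code from any of the posts and not the kernel's code; it follows those semantics (the kernel counts credit in 1/10000 s, the model uses milliseconds) and runs a constructed SYN arrival timeline through the syn_flood chain from the question.

```python
import re
from dataclasses import dataclass, field

# Unit suffixes accepted by the limit match (full names such as /second,
# /minute, /hour, /day or their first letter), in milliseconds.
_UNIT_MS = {"s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_limit(spec: str) -> int:
    """Turn a --limit value such as '1/s', '30/minute' or '5' (default /s)
    into the number of milliseconds of credit one packet costs."""
    m = re.fullmatch(r"(\d+)(?:/([a-z]+))?", spec.strip().lower())
    if not m:
        raise ValueError(f"bad --limit value: {spec!r}")
    rate, unit = int(m.group(1)), (m.group(2) or "second")[0]
    if rate <= 0 or unit not in _UNIT_MS:
        raise ValueError(f"bad --limit value: {spec!r}")
    return _UNIT_MS[unit] // rate


@dataclass
class LimitMatch:
    """Token bucket with xt_limit semantics: one packet costs `cost_ms` of
    credit, the bucket holds burst * cost_ms, it refills by the wall-clock
    milliseconds elapsed since the previous packet, and it starts full."""
    cost_ms: int          # --limit 1/s -> 1000 ms per packet
    burst: int            # --limit-burst 3
    last_ms: int = 0
    credit: int = field(init=False)

    def __post_init__(self) -> None:
        self.cap = self.burst * self.cost_ms
        self.credit = self.cap            # bucket starts full

    def matches(self, now_ms: int) -> bool:
        """True if the packet seen at now_ms matches, i.e. hits the RETURN rule."""
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost_ms:
            self.credit -= self.cost_ms
            return True
        return False


def syn_flood_verdicts(arrival_ms, limit="1/s", burst=3):
    """Verdict the syn_flood chain gives each SYN (timestamps in ms, ascending):
    'RETURN' while the limit match still has credit, 'DROP' once it runs out."""
    bucket = LimitMatch(parse_limit(limit), burst)
    return ["RETURN" if bucket.matches(t) else "DROP" for t in arrival_ms]


# Constructed timeline (not captured traffic): five SYNs 100 ms apart at t=0,
# two SYNs in second two, then quiet until second four, when three more arrive.
SAMPLE_SYN_MS = [0, 100, 200, 300, 400, 1000, 1100, 3000, 3100, 3200]

if __name__ == "__main__":
    for t, v in zip(SAMPLE_SYN_MS, syn_flood_verdicts(SAMPLE_SYN_MS)):
        print(f"t={t / 1000:4.1f}s  {v}")
```

Running it gives three RETURNs then two DROPs in the first second, one RETURN and one DROP in second two, and two RETURNs and a DROP in second four, which is exactly the behaviour the post above describes. Two caveats for anyone copying the rules from the question: the bucket is shared by every source hitting INPUT, so one remote host sending more than one SYN per second makes the server drop everyone else's connection attempts as well (the hashlimit match, `-m hashlimit`, keeps a bucket per source address instead), and `--syn` only matches packets with SYN set and ACK, RST and FIN clear, so it affects new connections, not established ones.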