Old 02-09-2011, 08:44 PM   #1
Registered: Sep 2009
Posts: 117

Rep: Reputation: 15
iptables SYN question

Hi all,
Can someone explain the following iptables rules for me?

1. iptables -N syn_flood
2. iptables -A INPUT -p tcp --syn -j syn_flood
3. iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
4. iptables -A syn_flood -j DROP

I understand 1 and 2, 1 creates the new syn_flood chain and 2 redirects all SYN requests to the new syn_flood chain.

I'm having trouble understanding 3 and 4. Can someone explain to me in layman's terms the --limit 1/s and --limit-burst 3? Thanks.
Old 02-10-2011, 07:22 AM   #2
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Rep: Reputation: 3545
Either '/sbin/iptables -m limit --help' or 'man iptables' and searching for the "limit" module text should get you that information easily: "--limit" means "packets per interval", here one packet per second, and "--limit-burst" means "maximum amount of packets to process", here a maximum of three packets per second. So anything under or equal to three packets per second leaves the chain to be processed further and anything over three will be dropped.
Old 03-16-2011, 05:40 PM   #3
LQ Newbie
Registered: Mar 2011
Posts: 1

Rep: Reputation: 0

I thought that the burst part was a little more complicated than that. In the first instance you can get 3 pps; however, iptables won't allow 3 pps in the next second due to its cooldown mechanism. Each time "limit" is passed, e.g. 1 second in this case, the cooldown decrements by 1, e.g. you'll get a 3 pps burst in the first second but second two will only allow 1 as there hasn't been any cooldown. If however second two is quiet, the count would have decremented by 1, which would then allow a 2 packet burst in second 3 but not a 3 pkt burst.


--limit rate: Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.
--limit-burst number: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
Have I interpreted this wrongly?

Last edited by mischievious; 03-16-2011 at 05:42 PM.
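The following is an added example, not part of this thread or of iptables itself. It models the "limit" match as the token bucket the man page text above describes (--limit-burst is the bucket size and starting fill, --limit is the refill rate, each matched packet costs one token) and replays a constructed SYN arrival pattern through the thread's syn_flood chain so the per-second numbers from post #3 can be checked. The millisecond timestamps and the SCALE constant are assumptions of the model; the kernel keeps its own credit counter in jiffies, but the accept/drop decisions come out the same.

```python
# Token-bucket model of the iptables "limit" match as used in the thread's rules:
#   iptables -A INPUT -p tcp --syn -j syn_flood
#   iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
#   iptables -A syn_flood -j DROP
# This is a model written for illustration, not the kernel's xt_limit code.
# Credits are tracked in thousandths of a packet and time in integer
# milliseconds so that every step of the arithmetic is exact.

SCALE = 1000  # credit units that make up one packet's worth (assumed constant)


def simulate(arrivals_ms, limit_per_sec=1, burst=3):
    """Return a list of (time_ms, verdict) for SYN packets arriving at the
    given millisecond timestamps (non-decreasing).

    --limit N/s      -> the bucket refills N packets' worth of credit per second
    --limit-burst B  -> the bucket holds at most B packets' worth and starts full
    A packet that finds a full packet's worth of credit consumes it and the
    limit rule matches (-j RETURN: the SYN leaves syn_flood and continues down
    INPUT). Otherwise the limit rule does not match and the next rule drops it.
    """
    cost = SCALE            # credit consumed per matched packet
    cap = burst * SCALE     # bucket capacity, i.e. --limit-burst
    credit = cap            # the bucket starts full
    prev = arrivals_ms[0] if arrivals_ms else 0
    verdicts = []
    for t in arrivals_ms:
        # Refill for the time elapsed since the previous packet, capped at cap.
        credit = min(cap, credit + (t - prev) * limit_per_sec * SCALE // 1000)
        prev = t
        if credit >= cost:
            credit -= cost
            verdicts.append((t, "RETURN"))
        else:
            verdicts.append((t, "DROP"))
    return verdicts


def accepted_per_second(verdicts):
    """Count packets that passed the limit rule, bucketed by wall-clock second.
    Seconds in which packets arrived but none passed appear with a count of 0."""
    counts = {}
    for t, verdict in verdicts:
        sec = t // 1000
        counts.setdefault(sec, 0)
        if verdict == "RETURN":
            counts[sec] += 1
    return counts


# Constructed traffic: a 4-SYN burst in second 0, 3 SYNs in second 1,
# nothing in second 2, then 3 SYNs in second 3.
SAMPLE_ARRIVALS_MS = [0, 10, 20, 30, 1000, 1010, 1020, 3000, 3010, 3020]


if __name__ == "__main__":
    for t, verdict in simulate(SAMPLE_ARRIVALS_MS):
        print(f"t={t:5d} ms  {verdict}")
    print("accepted per second:", accepted_per_second(simulate(SAMPLE_ARRIVALS_MS)))
```

Running it on the constructed pattern gives 3 accepted in second 0, only 1 in second 1 (the bucket was emptied by the burst and has had one second to refill one token), and 2 in second 3 after the quiet second 2, which is exactly the behaviour described in post #3. A steady stream of one SYN every 200 ms passes its first three packets and then settles to one per second, so the chain protects the rest of INPUT from a flood while still admitting a legitimate short burst of connection attempts.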