I wrote the following firewall rule:
iptables -A INPUT -m hashlimit --hashlimit 1/hour --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name ssh -j ACCEPT
I was expecting the burst to be recharged by 1 after one hour, but actually it is recharged by one in less than a minute. I am sending messages from the same source IP and the same destination port, so I was expecting it to accept 3 connections and then 1 per hour. But it is accepting more (one every 20-30 seconds). If I use --limit 1/hour, I can observe the expected behaviour, but I need to use hashlimit because I need to filter per srcip and dstport. What am I doing wrong? Thank you!
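The behaviour described in the question can be reproduced with a small model of how hashlimit keeps state. This is an added example, not code from the post or from the iptables/netfilter project. It assumes (as a hypothesis, not a confirmed diagnosis of the poster's system) that the per-entry hash table expiry, which the real module exposes as --hashlimit-htable-expire in milliseconds, is shorter than the refill interval: an entry that sees no packet for longer than the expiry is garbage-collected, and the next packet for that srcip/dstport gets a brand-new bucket with a full burst. The model compares a short expiry with one that is at least burst × interval long.

```python
from dataclasses import dataclass, field

# Toy model of a hashlimit entry: a token bucket plus the time it was last touched.
@dataclass
class Bucket:
    credits: float      # tokens currently available (capacity == burst)
    last_seen: float    # timestamp (seconds) of the last packet for this key


@dataclass
class HashLimit:
    """Simplified xt_hashlimit: one token bucket per key, entries forgotten
    once they have been idle for longer than `htable_expire` seconds."""
    rate_per_sec: float          # refill rate, e.g. 1/3600 for 1/hour
    burst: int                   # bucket capacity (--hashlimit-burst)
    htable_expire: float         # idle time after which an entry is dropped
    table: dict = field(default_factory=dict)

    def check(self, key, now):
        """Return True if a packet for `key` at time `now` is accepted."""
        b = self.table.get(key)
        if b is None or now - b.last_seen > self.htable_expire:
            # New or expired entry: the key starts again with a full burst.
            b = Bucket(credits=self.burst, last_seen=now)
            self.table[key] = b
        else:
            # Existing entry: refill proportionally to the elapsed time, capped at burst.
            elapsed = now - b.last_seen
            b.credits = min(self.burst, b.credits + elapsed * self.rate_per_sec)
            b.last_seen = now   # every packet refreshes the entry's expiry
        if b.credits >= 1:
            b.credits -= 1
            return True
        return False


# Constructed traffic: one client hitting one port every 30 s for 5 minutes,
# then one more connection just over an hour later.
PACKET_TIMES = [30 * i for i in range(10)] + [3660]
KEY = ("198.51.100.7", 22)   # constructed srcip,dstport key


def simulate(htable_expire_seconds):
    """Run the constructed packet train through a 1/hour, burst 3 limiter and
    return the accept/deny decision for each packet."""
    limiter = HashLimit(rate_per_sec=1 / 3600, burst=3,
                        htable_expire=htable_expire_seconds)
    return [limiter.check(KEY, t) for t in PACKET_TIMES]


if __name__ == "__main__":
    # Short expiry (10 s): every packet arrives after the entry was dropped,
    # so each one is granted a fresh burst and all are accepted.
    print("expire=10s     :", simulate(10))
    # Expiry of burst*interval (3 h): the first three are accepted, the rest
    # of the 30 s train is denied, and one more is allowed an hour later.
    print("expire=10800s  :", simulate(3 * 3600))
```

The second run is the behaviour the question expects from --limit 1/hour; the first run is the symptom described (a new connection accepted every 20-30 seconds). The knob that decides which of the two you get is the entry expiry, so when setting it for a real rule it should be no shorter than burst multiplied by the refill interval, expressed in milliseconds.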