12

I'm using CentOS 5.x trying to wrap my mind around the following iptables rule on one of my servers:

-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

On another server I have:

-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 3 -j ACCEPT

I understand that both of these rules are designed to allow (and throttle) incoming ping requests but what is the limit-burst option about? And are these allowances on a per host basis? Or do they apply to any/all incoming ICMP connections at all?

Giacomo1968
Mike B

3 Answers

15

The math is fully explained in the netfilter docs, but it's reasonable to say that the limit-burst argument specifies the number of matches that are allowed through before the limit of 1 per second "kicks in". These two rules both apply only to ICMP echo request packets (incoming PING requests). These are not per-host limits and apply to anything the rule matches (which, in this case, would be all ICMP echo requests).

Evan Anderson
  • So for the second rule, it will allow up to 3 icmp echo request packets (no matter how quickly they're received) and then only allow 1 icmp packet per second after that (regardless of which host the request is coming from)? At what point does iptables "reset" and allow a burst of up to three packets again? – Mike B Mar 06 '13 at 23:05
  • 15
    It's a token bucket. The bucket starts w/ 3 tokens in it, and a token is removed for each ICMP echo-request that is received. For each 1 second of no ICMP echo requests 1 token is added to the bucket until the bucket reaches 3 tokens again, where it stays until it receives more ICMP echo requests. – Evan Anderson Mar 06 '13 at 23:42
  • Awesome. That's exactly what I needed to know. Thank you sir. – Mike B Mar 07 '13 at 00:17
7

--limit: Specifies the rate at which tokens get refilled into the bucket. 4/hour means 4 tokens per hour (1 token every 15 minutes).

--limit-burst: Specifies the maximum amount of tokens that can be filled in the bucket. (This is also the amount of tokens the bucket starts out with).

user2059857
1

I read both answers, but the actual man iptables-extensions made me grok it:

limit

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.

xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.

  • --limit rate[/second|/minute|/hour|/day] -- Maximum average matching rate: specified as a number, with an optional /second, /minute, /hour, or /day suffix; the default is 3/hour.

  • --limit-burst number -- Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

matiu