Hi Scott.

From what I am reading, the -m limit doesn't distinguish between IP addresses, and your example will actually drop the first 10 packets and then it will be skipped for the rest of the second, so the rest of your rules will apply.

"It is used to restrict the rate of matches, such as for suppressing log messages. It will only match a given number of times per second..."

I'd suggest the recent module, which I use in the following way (to limit incoming NTP requests to 20 packets per single IP during 60 seconds):

    iptables -I INPUT -i eth0 -p udp --dport 123 -m recent --set
    iptables -I INPUT -i eth0 -p udp --dport 123 -m recent --update --seconds 60 --hitcount 20 -j DROP

The recent module has some limitations on the number of addresses and packets per address it remembers (with the defaults being 100 last addresses and 20 packets per address). You can increase those limits when loading the iptables recent module; some more info on this here: http://unix.stackexchange.com/questions/76271/iptables-recent-module

I have been using the recent module for a few years to filter NTP traffic without problems. Just make sure you don't cross the module limits (or adjust them).

Matej

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
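The point of the reply above is the difference in matching semantics: -m limit keeps one shared credit bucket for the whole rule, while the two-rule -m recent pattern keeps a bounded hit list per source address and evicts addresses once the table is full. The Python below models both against the same constructed traffic so the difference can be seen offline. It is an added example, not code from the post or from the netfilter project; the timestamps are integer milliseconds, the traffic is made up (documentation address ranges), the function names limit_matches and recent_drops and the constants NOISY and SAMPLE are chosen here, and only the parameter names ip_list_tot and ip_pkt_list_tot are the module's real ones.

```python
from collections import OrderedDict, deque

# Constructed sample traffic, not captured data: (timestamp_ms, source_ip).
# One chatty client sends 30 packets in 300 ms, then 30 distinct clients
# send one packet each. Addresses are RFC 5737 documentation ranges.
NOISY = "198.51.100.7"
SAMPLE = [(10 * i, NOISY) for i in range(30)] + \
         [(500 + 10 * i, f"203.0.113.{i}") for i in range(30)]


def limit_matches(packets, rate_per_sec=10, burst=5):
    """Model of `-m limit --limit R/second --limit-burst B`: one credit
    bucket shared by every source (credit is kept in ms, as xt_limit keeps
    it in jiffies). Returns the packets the limit rule matches."""
    cost = 1000 // rate_per_sec          # ms of credit one packet consumes
    cap = burst * cost                   # bucket holds `burst` packets' worth
    credit, last = cap, None
    matched = []
    for t, src in packets:
        if last is not None:
            credit = min(cap, credit + (t - last))   # refill by elapsed time
        last = t
        if credit >= cost:
            credit -= cost
            matched.append((t, src))
    return matched


def recent_drops(packets, seconds=60, hitcount=20,
                 ip_list_tot=100, ip_pkt_list_tot=20):
    """Model of the two-rule xt_recent pattern from the post:
         -m recent --update --seconds S --hitcount N -j DROP
         -m recent --set
    Per-address state is a bounded list of hit timestamps (ip_pkt_list_tot)
    and the address table is bounded (ip_list_tot) with least-recently-seen
    eviction. Returns the packets the DROP rule matches."""
    if hitcount > ip_pkt_list_tot:
        # The module refuses this too: a hitcount above the per-address
        # list size can never be reached, so the rule would never match.
        raise ValueError("hitcount exceeds ip_pkt_list_tot; raise the module parameter")
    window = seconds * 1000
    table = OrderedDict()                # src -> deque(timestamps), LRU order
    dropped = []
    for t, src in packets:
        hits = table.get(src)
        if hits is not None:
            # --update: address is known; match when >= hitcount of its
            # remembered hits fall inside the window.
            table.move_to_end(src)
            if sum(1 for h in hits if t - h <= window) >= hitcount:
                hits.append(t)           # a matching --update records the hit
                dropped.append((t, src))
                continue                 # dropped, so the --set rule never runs
        else:
            if len(table) >= ip_list_tot:
                table.popitem(last=False)   # table full: evict least recently seen
            hits = table[src] = deque(maxlen=ip_pkt_list_tot)
        # --set: remember this packet against the address (oldest hit is
        # overwritten once ip_pkt_list_tot timestamps are stored).
        hits.append(t)
    return dropped


if __name__ == "__main__":
    print("limit matched:", len(limit_matches(SAMPLE)), "packets across",
          len({s for _, s in limit_matches(SAMPLE)}), "sources")
    print("recent dropped:", len(recent_drops(SAMPLE)), "packets, all from",
          {s for _, s in recent_drops(SAMPLE)})
```

Running it shows that the limit rule spends its shared budget on the chatty client and then matches some of the one-packet clients and not others, while the recent pattern drops only the chatty client's packets past the 20th and leaves every one-packet client alone. Passing a small ip_list_tot shows the caveat in the post: once the address table fills, the chatty client's entry is evicted by the later one-packet clients and it gets a fresh 20-packet allowance when it returns.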
