Re[2]: how to negate a limit match?

Wednesday, October 29, 2003, 9:12:01 PM, you wrote:

jso> Hello Robert,

jso> On Wed, 29 Oct 2003 13:31:10 -0500 (EST)
jso> "Robert P. J. Day" <rpjday@xxxxxxxxxxxxxx> wrote:

>> 
>>   It's not clear from the man page how to reverse the meaning
>> of a limit match.  If I want to accept everything *over* a given
>> limit, I'm supposed to use the "!".  But where?  Is it like
>> this?
>> 
>>   -m ! limit -- limit ... etc etc ...
jso> -m limit ! --limit ...
>> 
jso> Take a look at http://iptables-tutorial.frozentux.net/ . There you will
jso> find a good tutorial for iptables.


Limit cannot be negated; instead, write smart limit rules.
For example, to allow 5 incoming icmp packets a minute, the rules would look like:

iptables -A INPUT -p icmp -m limit --limit 5/min --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

or, for example, to disallow 5 incoming icmp packets a minute but allow
all others:

iptables -A INPUT -p icmp -m limit --limit 5/min --limit-burst 1 -j DROP
(optional) iptables -A INPUT -p icmp -j ACCEPT


P.Krumins
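The two chains above rely on packets that do not match the limit rule falling through to the next rule. The following simulation is an added example, not code from the mail or from netfilter: it models the limit match as the credit-based token bucket used by xt_limit (an assumption about the kernel implementation), then runs both chain variants with --limit 5/min --limit-burst 1 over constructed packet arrival times so the complementary verdicts are visible.

```python
"""Simulate '-m limit' and the two two-rule chains from the mail."""


class LimitMatch:
    """'-m limit --limit <n>/min --limit-burst <burst>' as a token bucket.

    Assumed model (xt_limit-style): each matching packet costs 1/rate
    seconds of credit, the bucket holds burst * cost and starts full,
    and credit refills with elapsed wall-clock time.
    """

    def __init__(self, per_minute, burst=5):  # 5 is iptables' default burst
        self.cost = 60.0 / per_minute          # seconds of credit per packet
        self.cap = self.cost * burst           # bucket capacity
        self.credit = self.cap                 # bucket starts full
        self.last = 0.0

    def matches(self, now):
        """True if the packet arriving at `now` (seconds) is within the limit."""
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def run_chain(timestamps, per_minute, burst, limit_target, fallthrough_target):
    """Verdict per packet for: rule 1 '-m limit ... -j <limit_target>',
    rule 2 '-p icmp -j <fallthrough_target>' (hit only by non-matching packets)."""
    lim = LimitMatch(per_minute, burst)
    return [limit_target if lim.matches(t) else fallthrough_target
            for t in timestamps]


# Constructed arrival times (seconds) of ICMP packets on INPUT.
PACKETS = [0, 5, 12, 20, 24, 36, 40, 48, 60]


def allow_at_most(timestamps=PACKETS):
    """Mail's first chain: limit rule '-j ACCEPT', then '-p icmp -j DROP'."""
    return run_chain(timestamps, 5, 1, "ACCEPT", "DROP")


def drop_first_then_allow(timestamps=PACKETS):
    """Mail's second chain: limit rule '-j DROP', then '-p icmp -j ACCEPT'.
    Packets *within* the limit are dropped; the excess is accepted."""
    return run_chain(timestamps, 5, 1, "DROP", "ACCEPT")


if __name__ == "__main__":
    for t, a, b in zip(PACKETS, allow_at_most(), drop_first_then_allow()):
        print(f"t={t:3}s  allow-chain={a:6}  drop-chain={b}")
```

With --limit-burst 1 the bucket refills one packet's worth every 12 seconds, so the allow chain accepts the packets at t=0, 12, 24, 36, 48 and 60 and drops the three that arrive early; the drop chain does exactly the opposite.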


