On Mon, Nov 01, 2004 at 11:55:27AM -0800, Rajesh Menon wrote:
> Hello,
>
> I have a rule in my output chain as follows:
>
> iptables -A OUTPUT -o <external-IF> -m limit --limit
> 15/minute --limit-burst 10 -j LOG --log-prefix
> "GW->Intet: "
>
> 1. Would this rule LOG packets as long as the rule is
> matched?

yes--conditional on your limit match. read rusty's description on the "hysteresis door" algorithm used by limit/limit-burst under "Other Match Extensions" at:

http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html

> 2. If the limit is reached (15/min) would the packets
> stop going to the next rule in the chain?

no--"-j LOG" is a non-terminating match (packets will never stop traversing rules/chains/tables when they match)

> 3. Supposing I have this rule after the above rule
>
> iptables -A OUTPUT -j ACCEPT

this rule matches all packets, and no rules after this rule will match in the OUTPUT chain.

-j

--
"No jury in the world is going to convict a baby ... Maybe Texas."
--The Simpsons
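The three answers above can be checked with a small simulation. The block below is an added example, not part of the thread and not netfilter's own code: it models the `-m limit --limit 15/minute --limit-burst 10` match as a token bucket (the "hysteresis door" from the HOWTO, approximated here; the kernel's internal credit accounting differs in detail), then walks a chain of `LOG` followed by `ACCEPT` the way the OUTPUT chain would, with `LOG` continuing to the next rule and `ACCEPT` ending traversal. The packet timestamps (30 packets, one per second) are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token-bucket model of iptables '-m limit' (an approximation, assumed here).

    The bucket starts full at `burst` tokens, refills at `rate_per_minute`,
    and each packet that matches the rule spends one token. With no token
    left, the rule simply does not match, so its target (e.g. LOG) is skipped.
    """
    rate_per_minute: float
    burst: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, t: float) -> bool:
        refill = (t - self.last_t) * self.rate_per_minute / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(rules, packet_times):
    """Evaluate a chain for each packet.

    `rules` is a list of (match, target). match=None means "match everything".
    LOG is non-terminating: the packet keeps going to the next rule.
    ACCEPT/DROP are terminating: traversal of the chain stops.
    Returns (timestamps that were logged, final verdict per packet).
    """
    logged = []
    verdicts = []
    for t in packet_times:
        verdict = "policy"  # nothing decided -> chain policy applies
        for match, target in rules:
            if match is not None and not match.matches(t):
                continue
            if target == "LOG":
                logged.append(t)  # log it, then carry on with the next rule
                continue
            verdict = target
            break
        verdicts.append(verdict)
    return logged, verdicts


def simulate_output_chain(n_packets: int = 30, interval_s: float = 1.0):
    """Constructed traffic: n packets, one every `interval_s` seconds."""
    rules = [
        (LimitMatch(rate_per_minute=15, burst=10), "LOG"),  # -m limit ... -j LOG
        (None, "ACCEPT"),                                   # -j ACCEPT
    ]
    times = [i * interval_s for i in range(n_packets)]
    logged, verdicts = run_chain(rules, times)
    return len(logged), verdicts


if __name__ == "__main__":
    n_logged, verdicts = simulate_output_chain()
    print(f"logged {n_logged} of {len(verdicts)} packets")
    print("verdicts:", set(verdicts))
```

With 30 packets at one per second, the first 13 pass the limit match (10 burst tokens plus the quarter-token refill each second), then only every fourth packet is logged; every packet is still ACCEPTed, because the LOG rule never ends traversal and the unconditional ACCEPT catches everything that reaches it. Removing the ACCEPT rule leaves every packet on the chain policy, which is exactly the point of answers 2 and 3.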