Re: Limit module accept negation?

Hi Samuel

Yes, I want to limit (drop) as soon as we receive more than 1 packet/s,
regardless of the source address. Is there any other way to do that without using
the limit match with negation?

Regards
 
On 12 Jan 2005 at 9:20, Samuel Jean wrote:

> On Mon, January 10, 2005 8:08 pm, Jorge Agrelo said:
> > Can I replace this two rules
> >
> > iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
> > iptables -A INPUT -p tcp --syn -j DROP
> >
> > For only this one? (Using negation)
> >
> > iptables -A INPUT -p tcp --syn -m limit ! --limit 1/s --limit-burst 4 -j DROP
> 
> Unfortunately, you can't without a bit of hacking.
> If it happens you would, just grab ipt_limit.c and search for:
> 
> /* We're underlimit */
> 
> Change the return codes so it returns 0 when 'underlimit', otherwise, 1.
> I'm sorry if this is straight, I am at work.
> Note that this won't add '!' support but just doesn't match unless it
> bursts the limit.
> 
> By the way, do you want to limit as soon as you receive more than 1/s packet
> regardless of the source address?
> 
> >
> > Thanks in advance
> 
> HTH,
> 
> Samuel
> 
> 

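The thread reasons about what `-m limit --limit 1/s --limit-burst 4` actually does and whether an inverted match could replace the ACCEPT/DROP pair. The following is an added example, not code from the thread, from netfilter or from ipt_limit.c: it models the match as the token bucket the module implements (credit refills at the configured rate up to the burst cap, one unit is spent only when the match succeeds) and runs the two-rule chain over a constructed SYN arrival trace. The names `LimitMatch`, `two_rule_chain`, `inverted_limit_rule` and `TRACE` are this example's own. It also shows the point Samuel raises: there is one bucket per rule, so the limit is shared by every source, and any single sender can drain it for everyone.

```python
"""Token-bucket model of the iptables `limit` match (added example, not
the netfilter code). Mirrors the credit/cost bookkeeping of ipt_limit.c
closely enough to work through the thread's rules offline."""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """-m limit --limit <rate> --limit-burst <burst>, rate in tokens/second."""
    rate: float                 # tokens added per second (1/s in the thread)
    burst: int                  # bucket capacity (--limit-burst 4 in the thread)
    credit: float = field(init=False)
    prev: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # A freshly loaded rule starts with a full bucket (credit == cap).
        self.credit = float(self.burst)

    def matches(self, now: float) -> bool:
        """Return True when the packet is under the limit, consuming a token."""
        # Refill proportional to elapsed time, capped at the burst size.
        self.credit = min(self.burst, self.credit + (now - self.prev) * self.rate)
        self.prev = now
        if self.credit >= 1.0:
            # "We're underlimit": spend one unit and match.
            self.credit -= 1.0
            return True
        # Over the limit: nothing is spent and the match fails.
        return False


def two_rule_chain(packet_times):
    """Verdicts for the thread's pair of rules:
       -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
       -A INPUT -p tcp --syn -j DROP
    One bucket per rule: the source address plays no part."""
    lim = LimitMatch(rate=1.0, burst=4)
    return ["ACCEPT" if lim.matches(t) else "DROP" for t in packet_times]


def inverted_limit_rule(packet_times):
    """Verdicts for the single rule the thread asks about, modelled with the
    return codes swapped as Samuel describes (match only when over the limit
    -> DROP), with everything else falling through to ACCEPT. Hypothetical:
    stock iptables has no such option."""
    lim = LimitMatch(rate=1.0, burst=4)
    return ["DROP" if not lim.matches(t) else "ACCEPT" for t in packet_times]


# Constructed SYN arrival times in seconds: a burst of six at t=0
# (from any mix of sources), then one SYN every half second.
TRACE = [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0]


if __name__ == "__main__":
    # Expect: burst of 4 accepted, then roughly one accept per second.
    for t, verdict in zip(TRACE, two_rule_chain(TRACE)):
        print(f"t={t:4.1f}s  {verdict}")
```

Because the token is only spent on a successful (under-limit) match, swapping the return codes leaves the bucket arithmetic untouched, which is why the inverted single rule yields exactly the verdicts of the two-rule chain in this model.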