Re: Rate Limiting After a Threshold

John Jung wrote:

[...]

>   I think hashlimit is the key, but it really just doesn't want to work
> for me.  For example, I've tried:
> 
>     iptables -A INPUT -p tcp --dport 23 -m hashlimit --hashlimit 1/hour
>       --hashlimit-mode srcip --hashlimit-burst 1 --hashlimit-name test
>       -j REJECT


The hashlimit match works the other way round. Try '-j ACCEPT' and
append a rule to drop/reject connections to this port.
You should also use the state match, as you want to filter connections,
not packets.

So try this:

# Packets belonging to already-accepted connections pass unconditionally.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Accept the first NEW connection per source IP per hour on port 23 ...
iptables -A INPUT -p tcp --dport 23 -m state --state NEW -m hashlimit \
  --hashlimit 1/hour --hashlimit-mode srcip --hashlimit-burst 1 \
  --hashlimit-name test -j ACCEPT
# ... and reject every further NEW connection to that port.
iptables -A INPUT -p tcp --dport 23 -m state --state NEW -j REJECT

(If you enter the rules in this order, you can omit the '-m state
--state NEW' in the last rule, but OTOH it doesn't hurt.)


michael
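To make the "other way round" point concrete, here is an added model (not code from either poster) of how the two rule sets behave. It treats the hashlimit match as a per-source token bucket that refills at the `--hashlimit` rate and is capped at `--hashlimit-burst`, which is how xt_hashlimit's credit accounting works in outline; the chain is evaluated first-match-wins with an ACCEPT policy. The traffic, the IP addresses and the simplifications (no `--hashlimit-htable-expire`, no conntrack beyond a NEW/ESTABLISHED label on each packet) are constructed for the example.

```python
"""Model of hashlimit-based connection limiting, added as an illustration.

Simplifications (assumptions of this example, not netfilter behaviour):
 - hash table entries never expire (--hashlimit-htable-expire is ignored)
 - each packet carries its conntrack state as a plain label
 - the chain policy is ACCEPT
"""
from dataclasses import dataclass, field


@dataclass
class HashLimit:
    """Per-key token bucket: credit refills at rate_per_sec, capped at burst."""
    rate_per_sec: float
    burst: int
    buckets: dict = field(default_factory=dict)

    def matches(self, key, now):
        # A new entry starts with a full burst, like a fresh hashlimit entry.
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate_per_sec)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True          # under the limit: the match succeeds
        self.buckets[key] = (tokens, now)
        return False             # over the limit: the match fails


@dataclass
class Packet:
    t: float      # seconds since the start of the trace (constructed)
    src: str      # source IP (constructed)
    dport: int
    state: str    # 'NEW' or 'ESTABLISHED', as conntrack would label it


def rule(target, dport=None, state=None, hashlimit=None):
    """One iptables rule: all given matches must succeed for target to apply."""
    def match(pkt):
        if dport is not None and pkt.dport != dport:
            return False
        if state is not None and pkt.state != state:
            return False
        if hashlimit is not None and not hashlimit.matches(pkt.src, pkt.t):
            return False
        return True
    return match, target


def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy


def per_hour(n):
    return n / 3600.0


def suggested_chain():
    """The reply's rule set: ESTABLISHED pass, hashlimit -> ACCEPT, rest REJECT."""
    hl = HashLimit(per_hour(1), burst=1)
    return [
        rule("ACCEPT", state="ESTABLISHED"),
        rule("ACCEPT", dport=23, state="NEW", hashlimit=hl),
        rule("REJECT", dport=23, state="NEW"),
    ]


def original_chain():
    """The original poster's attempt: hashlimit -> REJECT, no state match."""
    hl = HashLimit(per_hour(1), burst=1)
    return [rule("REJECT", dport=23, hashlimit=hl)]


# Constructed trace: two sources, one retry inside the hour, one after it.
TRAFFIC = [
    Packet(0,    "10.0.0.1", 23, "NEW"),          # first attempt from .1
    Packet(10,   "10.0.0.1", 23, "NEW"),          # retry within the hour
    Packet(20,   "10.0.0.2", 23, "NEW"),          # other source, own bucket
    Packet(30,   "10.0.0.1", 23, "ESTABLISHED"),  # data on accepted connection
    Packet(40,   "10.0.0.1", 22, "NEW"),          # other port, not limited
    Packet(3700, "10.0.0.1", 23, "NEW"),          # after the bucket refilled
]


def run(chain_factory):
    chain = chain_factory()
    return [evaluate(chain, p) for p in TRAFFIC]


if __name__ == "__main__":
    for name, factory in (("suggested", suggested_chain), ("original", original_chain)):
        print(name, run(factory))
```

With the reply's ordering the verdicts are ACCEPT, REJECT, ACCEPT, ACCEPT, ACCEPT, ACCEPT: one new telnet connection per source per hour, established traffic and other ports untouched. With `-j REJECT` on the hashlimit rule the same trace gives REJECT, ACCEPT, REJECT, ACCEPT, ACCEPT, REJECT, i.e. the first connection from each source is rejected and the retries get through, which is the inverse of what was intended.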
