John Jung wrote:
> Hi Michael,
>
> Michael Hissler wrote:
>> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 23 -m state --state NEW -m hashlimit \
>>   --hashlimit 1/hour --hashlimit-mode srcip --hashlimit-burst 1 \
>>   --hashlimit-name test -j ACCEPT
>> iptables -A INPUT -p tcp --dport 23 -m state --state NEW -j REJECT
>
> This still doesn't quite do what I want it to do (I'm able to open up
> more than 1 telnet session per IP per hour), but it's close enough for
> what I need.

Sorry, my fault! I forgot to add '--hashlimit-htable-expire 3600000'. Per default, hashtable entries expire after 10 seconds. See /proc/net/ipt_hashlimit/test, the first column shows the remaining time in seconds.

michael
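To make the reply's point concrete, here is an added Python model of the hashlimit match; it is not code from the thread or from iptables. It assumes (my reading of the match, not something the thread states) that a hashtable entry starts with a full burst of credits, that its expiry timer is refreshed by every packet that reaches the rule, and that an expired entry is discarded so the next packet from that source gets a fresh bucket. With the default 10-second expiry, a client that waits more than 10 seconds between telnet attempts always gets a new bucket and is accepted every time; with --hashlimit-htable-expire 3600000 the bucket survives the whole hour. The client address, attempt times and the /proc line are constructed; only the first /proc column is taken from the reply, the rest of that line's layout is assumed.

```python
"""Toy model of the iptables hashlimit match (per-source token bucket).

Assumption (not from the thread): an entry is created with a full burst of
credits, its expiry timer is refreshed on every packet that hits the rule,
and a lapsed entry is dropped so the next packet starts a fresh bucket.
Credits refill at the configured rate while the entry is alive.
"""

DEFAULT_HTABLE_EXPIRE_MS = 10_000  # iptables default (10 s), as stated in the reply


class HashLimit:
    """Per-source-IP rate limiter modelled on `-m hashlimit --hashlimit-mode srcip`."""

    def __init__(self, rate_per_hour, burst, htable_expire_ms=DEFAULT_HTABLE_EXPIRE_MS):
        self.seconds_per_credit = 3600.0 / rate_per_hour  # 1/hour -> 3600 s per credit
        self.burst = burst
        self.htable_expire = htable_expire_ms / 1000.0
        self.table = {}  # src ip -> [credits, last_seen_seconds]

    def allow(self, src, now):
        """Return True if a NEW connection from `src` at time `now` passes the rule."""
        entry = self.table.get(src)
        if entry is None or now - entry[1] >= self.htable_expire:
            # No live entry: a fresh bucket starts with the full burst.
            entry = [float(self.burst), now]
            self.table[src] = entry
        else:
            # Live entry: refill for the elapsed time (capped at burst) and
            # refresh the expiry timer, whether or not this packet is accepted.
            entry[0] = min(self.burst, entry[0] + (now - entry[1]) / self.seconds_per_credit)
            entry[1] = now
        if entry[0] >= 1.0:
            entry[0] -= 1.0
            return True
        return False


def accepted_sessions(attempt_times, htable_expire_ms):
    """Count how many NEW-connection attempts (seconds since start) pass the
    thread's rule: 1/hour, burst 1, keyed on source IP."""
    limiter = HashLimit(rate_per_hour=1, burst=1, htable_expire_ms=htable_expire_ms)
    client = "192.0.2.10"  # constructed client address
    return sum(1 for t in attempt_times if limiter.allow(client, t))


def remaining_seconds(proc_line):
    """Parse the first column of a /proc/net/ipt_hashlimit/<name> line.
    The reply says this column is the remaining lifetime in seconds; the
    layout of the remaining columns is assumed."""
    return int(proc_line.split()[0])


if __name__ == "__main__":
    attempts = [0, 30, 60, 90]  # four telnet attempts, 30 s apart (constructed)
    print("default expiry, sessions accepted:", accepted_sessions(attempts, DEFAULT_HTABLE_EXPIRE_MS))  # 4
    print("expiry 3600000, sessions accepted:", accepted_sessions(attempts, 3_600_000))  # 1
    # constructed /proc line: entry with 3590 s left
    print("remaining:", remaining_seconds("3590 192.0.2.10:0->0.0.0.0:0 0 32000 32000"))  # 3590
```

The third assertion in the test shows the detail that matters for the fix: an attempt that is rejected still refreshes the entry's timer, so only a gap longer than the expiry gives the client a fresh bucket. Setting the expiry to the full 3600000 ms means the bucket persists until the 1/hour refill has actually produced a new credit.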