I'd like to allow a connection to connect and communicate to a specific for as much as it wants for N minutes and then have iptables block the connection until the connection goes away.

The details of WHY I want to do this are in this Red Hat bug regarding the NFS portmapper: https://bugzilla.redhat.com/show_bug.cgi?id=666932 [In short, Windows 7 NFS clients don't disconnect from it (even though they are done) and use up all of the portmapper file descriptors.]

I've written a script that manually adds entries to iptables to kill the idle connections and also added keepalive to the portmapper process via libkeepalive. But a single iptables rule would be so much more elegant :)

Looking at the --limit related options, it seems that all of the options are about limiting rate, not the duration of a connection.

Rich