Yu-An, Chung
Computer Science and Information Engineering, National Taiwan University
"This module matches at a limited rate using a token bucket filter. A rule using this extension will continue matching until the limit is reached."
iptables -A INPUT -p icmp -s 127.0.0.1 -m limit --limit 6/m -j ACCEPT
-m limit: loads the limit match module
--limit 6/m: sets the matching rate (here 6 packets per minute)
The rate can be:
>> iptables -A INPUT -p icmp -s 127.0.0.1 -m limit --limit 6/m -j ACCEPT
PING test (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=56 time=20.5 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=56 time=15.9 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=56 time=13.3 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=56 time=13.2 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=56 time=17.8 ms
64 bytes from 127.0.0.1: icmp_seq=11 ttl=56 time=14.2 ms
64 bytes from 127.0.0.1: icmp_seq=21 ttl=56 time=16.7 ms
64 bytes from 127.0.0.1: icmp_seq=31 ttl=56 time=17.5 ms
64 bytes from 127.0.0.1: icmp_seq=41 ttl=56 time=17.9 ms
64 bytes from 127.0.0.1: icmp_seq=51 ttl=56 time=16.1 ms
64 bytes from 127.0.0.1: icmp_seq=61 ttl=56 time=14.7 ms
64 bytes from 127.0.0.1: icmp_seq=71 ttl=56 time=13.2 ms
64 bytes from 127.0.0.1: icmp_seq=81 ttl=56 time=15.7 ms
In this example, ping sent one ICMP packet per second ...
iptables -A INPUT -p icmp -s 127.0.0.1 -m limit --limit 6/m --limit-burst 9 -j ACCEPT
--limit-burst works as a countdown counter: it decreases by 1 each time an incoming packet matches the rule.
When the burst counter reaches 0, the rate mechanism (flow control) described above takes over.
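To make the token bucket concrete, here is an added Python model (not code from the slides) that replays the ping run above: one ICMP echo per second against --limit 6/m with the default burst of 5, and again with --limit-burst 9. It reproduces the accepted icmp_seq values seen in the ping output; the rate-string parsing is an assumption simplified from the iptables syntax.

```python
"""Simplified token-bucket model of iptables '-m limit --limit R --limit-burst B'.

Added example, not from the slides: credit accrues with wall-clock time
(in integer milliseconds, so no float drift), is capped at burst * cost,
and each matching packet spends one packet's worth of credit.
"""

MS_PER_UNIT = {"second": 1_000, "minute": 60_000, "hour": 3_600_000, "day": 86_400_000}


def parse_limit(spec: str) -> int:
    """Turn a rate such as '6/m' or '3/hour' into the cost of one packet in ms.

    Assumption: a bare number ('5') means per second, as in iptables.
    """
    count, _, unit = spec.partition("/")
    unit = unit or "second"
    for name, ms in MS_PER_UNIT.items():
        if name.startswith(unit):  # accept 's', 'sec', 'm', 'min', 'h', 'd', ...
            return ms // int(count)
    raise ValueError(f"unknown rate unit in {spec!r}")


class LimitMatch:
    """One '-m limit' rule: starts with a full bucket of `burst` packets."""

    def __init__(self, limit: str, burst: int = 5):
        self.cost = parse_limit(limit)  # credit consumed per matched packet
        self.cap = burst * self.cost    # bucket size: at most `burst` packets at once
        self.credit = self.cap          # full bucket, so the first `burst` packets match
        self.last_ms = 0

    def match(self, now_ms: int) -> bool:
        # Refill with elapsed time, never above the cap, then try to pay for this packet.
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def accepted_seqs(limit: str, burst: int, n_pings: int, interval_ms: int = 1000) -> list:
    """icmp_seq numbers that pass the rule when ping sends one probe every interval_ms."""
    rule = LimitMatch(limit, burst)
    return [seq for seq in range(1, n_pings + 1) if rule.match((seq - 1) * interval_ms)]


if __name__ == "__main__":
    print("burst 5:", accepted_seqs("6/m", 5, 85))  # 1-5, then 11, 21, 31, ... as in the ping output
    print("burst 9:", accepted_seqs("6/m", 9, 25))  # 1-9 pass, then the 1-per-10s rate takes over
```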