On Wed, 30 Oct 2002, Dale Bewley wrote:

> Do you have ip forwarding turned on in the kernel?
> 
> [root@boss etc]# grep forward /etc/sysctl.conf
> # Disables packet forwarding
> net.ipv4.ip_forward = 1
> 
> You might also put the following on your INPUT and FORWARD chains and then
> watch /var/log/messages while you test.
> 
> IPTABLES=/sbin/iptables
> LOG="LOG --log-level 6 --log-prefix"
> LIMIT="limit --limit-burst 10 --limit 6/minute"
> # dropped by default
> $IPTABLES -A INPUT -m $LIMIT -j $LOG "INPUT packet died: "
> $IPTABLES -A INPUT -j DROP
> $IPTABLES -A FORWARD -m $LIMIT -j $LOG "FORWARD packet died: "
> $IPTABLES -A FORWARD -j DROP

while i'm still puzzled about the meaning of the "limit-burst" value
and how it works, the above use of limit seems backwards.

according to the man page for iptables, when you define a limit
match, "A rule using this extension will match until this limit
is reached..."

this suggests that, if the limit rules you've defined above match,
that's because you *haven't* exceeded the limit yet.  or am i
reading this backwards?

rday
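To make the man-page wording concrete, here is an added example (not part of the thread, and not the kernel's own code) that models the iptables limit match as the documented token bucket and traces the quoted INPUT chain (`-m limit ... -j LOG` followed by `-j DROP`) packet by packet with constructed arrival times; the refill arithmetic is a simplification of what the kernel actually does.

```python
# Added example: token-bucket model of "-m limit --limit 6/minute --limit-burst 10".
# The bucket starts full at --limit-burst tokens and refills at the --limit rate;
# the match succeeds (and so the LOG rule fires) only while a token is available,
# i.e. until the limit is reached. Every packet still hits the unconditional DROP.


class LimitMatch:
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate_per_sec = rate_per_sec   # --limit, as packets per second
        self.burst = burst                 # --limit-burst
        self.tokens = float(burst)         # bucket starts full
        self.last = 0.0                    # time of the previous packet (seconds)

    def matches(self, now: float) -> bool:
        """True if a packet arriving at time `now` matches the limit rule."""
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def trace_chain(arrivals, limit_per_minute=6, burst=10):
    """Walk packets through '-m limit -j LOG' then '-j DROP'.

    Returns (time, logged) per packet. `logged` is whether the first rule
    matched; the second rule drops the packet in either case.
    """
    m = LimitMatch(rate_per_sec=limit_per_minute / 60.0, burst=burst)
    return [(t, m.matches(t)) for t in arrivals]


# Constructed sample: a burst of 15 packets in 0.75 s, then one per minute.
SAMPLE_ARRIVALS = [i * 0.05 for i in range(15)] + [60.0, 120.0, 180.0]

if __name__ == "__main__":
    for t, logged in trace_chain(SAMPLE_ARRIVALS):
        verdict = "LOG then DROP" if logged else "DROP (log suppressed by limit)"
        print(f"t={t:7.2f}s  {verdict}")
```

With the quoted values, the first ten packets of the burst are logged, packets 11 to 15 are dropped silently, and the later one-per-minute packets are logged again once the bucket has refilled.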
