# [solved]"--match conntrack --ctstate NEW" versus "--syn"

## toralf

I do wonder if there's a different behaviour of iptables wrt the commands above?

Last edited by toralf on Mon Dec 18, 2017 1:28 pm; edited 1 time in total

----------

## Ant P.

--syn only works for TCP, conntrack works on any protocol.

----------

## toralf

*Ant P. wrote:*

> --syn only works for TCP, conntrack works on any protocol.

ah - thx, so --syn is ok here.

BTW I do wonder why this rule

```
iptables -A OUTPUT -p tcp --destination-port 443 --syn --match connlimit --connlimit-above $max --connlimit-mask 0 --connlimit-daddr --match limit --limit 10/minute -j LOG --log-prefix "rule hit "
```

fires 2x within the same second:

```
Dec 17 18:54:13 mr-fox kernel: [ 7703.188832] rule hit IN= OUT=eth0 SRC=5.9.158.75 DST=52.214.218.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23278 DF PROTO=TCP SPT=54074 DPT=443
Dec 17 18:54:13 mr-fox kernel: [ 7703.190016] rule hit IN= OUT=eth0 SRC=5.9.158.75 DST=52.214.218.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45436 DF PROTO=TCP SPT=54076 DPT=443
```

- does this happen b/c the source ports differ?

----------

## Hu

There exists a quirk in the rate limiter related to burst activity.  See man iptables-extension section limit for full details.  In short, if you don't specify --limit-burst N, then N is assumed to be 5 (according to the man page here, at least), so it can burst log up to 5 messages before settling to the average that you specified of 10 per minute.

```
       --limit rate[/second|/minute|/hour|/day]
              Maximum average matching rate: specified as a  number,  with  an
              optional  `/second',  `/minute',  `/hour', or `/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to  match:  this  number  gets
              recharged  by  one  every  time the limit specified above is not
              reached, up to this number; the default is 5.
```

----------

## toralf

*Hu wrote:*

> There exists a quirk in the rate limiter related to burst activity.  See man iptables-extension section limit for full details.  In short, if you don't specify --limit-burst N, then N is assumed to be 5 (according to the man page here, at least), so it can burst log up to 5 messages before settling to the average that you specified of 10 per minute.

indeed - thx !

----------
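To make Hu's explanation concrete, here is an added token-bucket model of the `limit` match (an illustration written for this thread, not the kernel's xt_limit code or anything posted above): it assumes the man-page semantics quoted in the thread, parses the seconds-since-boot timestamps out of the two kernel log lines, and shows that the default burst of 5 lets both packets match while `--limit-burst 1` would have logged only the first. The bucket is per rule, so the differing source ports play no role.

```python
import re
from fractions import Fraction

# The two kernel log lines quoted in the thread (both within the same second).
LOG_LINES = [
    "Dec 17 18:54:13 mr-fox kernel: [ 7703.188832] rule hit IN= OUT=eth0 SRC=5.9.158.75 DST=52.214.218.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23278 DF PROTO=TCP SPT=54074 DPT=443",
    "Dec 17 18:54:13 mr-fox kernel: [ 7703.190016] rule hit IN= OUT=eth0 SRC=5.9.158.75 DST=52.214.218.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45436 DF PROTO=TCP SPT=54076 DPT=443",
]

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Turn a --limit argument such as '10/minute' into matches per second.
    This model requires an explicit unit suffix (assumption for brevity)."""
    number, _, unit = spec.partition("/")
    return Fraction(int(number), _UNIT_SECONDS[unit])


def kernel_timestamps(lines):
    """Pull the '[ 7703.188832]' seconds-since-boot value out of each log line."""
    return [float(re.search(r"\[\s*([\d.]+)\]", line).group(1)) for line in lines]


def simulate_limit(times, rate_spec="10/minute", burst=5):
    """Token-bucket model of one `-m limit` rule (hypothetical, not xt_limit).

    Credit starts full at `burst`, recharges at the configured rate up to
    `burst`, and each packet that finds at least one credit matches and
    spends it.  Returns one bool per packet: whether the LOG rule fires.
    """
    rate = parse_rate(rate_spec)
    credit = Fraction(burst)
    last = times[0]
    verdicts = []
    for t in times:
        credit = min(Fraction(burst), credit + rate * Fraction(t - last))
        last = t
        if credit >= 1:
            credit -= 1
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


if __name__ == "__main__":
    ts = kernel_timestamps(LOG_LINES)
    print(simulate_limit(ts))           # default burst 5 absorbs both packets
    print(simulate_limit(ts, burst=1))  # only the first one would be logged
    # Constructed: ten SYNs within one second, then one more 6 s later.  The
    # burst of 5 is spent, the rest are dropped by the limiter, and the
    # 10/minute average has recharged one credit by the final packet.
    rush = [7703.0 + i / 10 for i in range(10)] + [7710.0]
    print(simulate_limit(rush))
```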

