```
~ # iptables --line-numbers -v -L INPUT
Chain INPUT (policy DROP 198K packets, 19M bytes)
num   pkts bytes target         prot opt in   out  source           destination
...
9    13319  794K CONNRATELIMIT  tcp  --  eth0 any  !192.168.0.0/24  funkmunch.net  multiport dports ftp,ssh,smtp,pop3
...
~ # iptables --line-numbers -v -L CONNRATELIMIT
Chain CONNRATELIMIT (1 references)
num   pkts bytes target  prot opt in   out  source    destination
1        1    60         tcp  --  any  any  anywhere  anywhere     tcp flags:FIN,SYN,RST,ACK/SYN recent: SET name: tcp side: source
2        1    60 LOG     tcp  --  any  any  anywhere  anywhere     tcp flags:FIN,SYN,RST,ACK/SYN recent: CHECK seconds: 120 hit_count: 10 name: tcp side: source LOG level warning
3        1    60 DROP    tcp  --  any  any  anywhere  anywhere     tcp flags:FIN,SYN,RST,ACK/SYN recent: CHECK seconds: 120 hit_count: 10 name: tcp side: source
```

The above rules block every SYN packet, though they should allow 10 every 2 minutes per IP address, then start blocking, according to the manual.

Reproducible: Always

Steps to Reproduce:
1. Create the above rules with the ipt_recent module.
2. echo 'clear' > /proc/net/ipt_recent/tcp
3. Try to connect.

Actual Results: connection refused, every time, even just after a clear.

Expected Results: connection allowed 10 times per 2 minutes per IP address.

```
# iptables --version
iptables v1.3.3
# uname -a
Linux peladrine 2.6.12-gentoo-r3.peladrine #1 Wed Jul 6 03:16:37 EST 2005 i686 AMD Duron(tm) Processor AuthenticAMD GNU/Linux
# emerge info
Portage 2.0.52-r1 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r1, 2.6.12-gentoo-r3.peladrine i686)
=================================================================
System uname: 2.6.12-gentoo-r3.peladrine i686 AMD Duron(tm) Processor
Gentoo Base System version 1.12.0_pre6
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.1-r1
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=athlon-tbird -maccumulate-outgoing-args -mcpu=athlon-tbird -momit-leaf-frame-pointer -mfpmath=387 -mtune=athlon-tbird -fexpensive-optimizations -fmove-all-movables -fomit-frame-pointer -fprefetch-loop-arrays -frerun-cse-after-loop -frerun-loop-opt -ftracer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-O2 -pipe -march=athlon-tbird -maccumulate-outgoing-args -mcpu=athlon-tbird -momit-leaf-frame-pointer -mfpmath=387 -mtune=athlon-tbird -fexpensive-optimizations -fmove-all-movables -fomit-frame-pointer -fprefetch-loop-arrays -frerun-cse-after-loop -frerun-loop-opt -ftracer -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distcc distlocks fixpackages sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.isp.net.au/pub/gentoo/ http://mirror.aarnet.edu.au/pub/gentoo/ http://mirror.pacific.net.au/linux/Gentoo"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://mirror.wa.3fl.net/gentoo-portage"
USE="3dnow 3dnowext X509 a52 aac acpi alsa apache2 apm atm avi bash-completion berkdb big-tables bind-mysql bitmap-fonts bzip2 bzlib caps cli crypt curl dba dedicated divx4linux djbfft dts dvd eds emboss encode erandom exif extensions fame fastcgi foomaticdb fortran ftp gd-external gdbm gif glibc-omitfp gnutls gpm gstreamer gtk2 hardenedphp hpn imagemagick imagemajick imlib inifile ipv6 ithreads jpeg junit libg++ libwww linuxthreads-tls lzo mad math mbox memlimit mhash mikmod mime mjpeg mmap mmx mmxext mod_perl mod_php mp3 mpeg mpm-worker mysql mysqli ncurses network nls nocd nojoystick novideo nptl offensive ogg oggvorbis oss pam pam_chroot pam_console pam_timestamp pcre pdflib perl php png posix pvm python readline samba session shared sharedext soap sockets socks5 sse ssl tcpd tetex threads tokenizer truetype-fonts type1-fonts usb userlocales vhosts vorbis win32codecs x86 xinetd xml xml2 xmlrpc xsl xvid yv12 zip zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
```
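The SET-then-CHECK window the report expects, as an added Python model of the CONNRATELIMIT chain (not the reporter's rules or the ipt_recent kernel code; the source address and SYN timings are constructed, and the 20-entry per-address hit ring is an assumption). Because rule 1 records the packet's own SYN before rules 2 and 3 evaluate `hit_count: 10` as "at least 10 hits in 120 seconds", nine SYNs pass and the tenth is dropped; the window expiry and the `clear` reset behave as the manual describes. The model does not reproduce the every-SYN drop the report observes, which is what makes that a bug.

```python
from collections import defaultdict, deque

# Constructed model of the chain in the report:
#   rule 1: recent SET name: tcp           (record this source's SYN)
#   rule 2: recent CHECK seconds 120 hit_count 10 -> LOG
#   rule 3: recent CHECK seconds 120 hit_count 10 -> DROP
WINDOW_SECONDS = 120
HIT_COUNT = 10
LIST_LEN = 20  # assumption: ipt_recent keeps a bounded per-address hit ring


class RecentTable:
    """Per-source timestamp list, like /proc/net/ipt_recent/<name>."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=LIST_LEN))

    def set(self, src, now):
        self.hits[src].append(now)

    def check(self, src, now, seconds, hitcount):
        # --rcheck --seconds N --hitcount H matches when the address has
        # H or more recorded hits within the last N seconds.
        recent = [t for t in self.hits.get(src, ()) if now - t <= seconds]
        return len(recent) >= hitcount

    def clear(self):
        # Equivalent of: echo 'clear' > /proc/net/ipt_recent/tcp
        self.hits.clear()


def connratelimit(table, src, now):
    """Verdict for one SYN from src at time now, walking the chain in order."""
    table.set(src, now)  # rule 1 runs before the CHECK rules, so this SYN counts
    if table.check(src, now, WINDOW_SECONDS, HIT_COUNT):
        return "DROP"    # rule 2 LOGs, rule 3 DROPs
    return "ACCEPT"      # no rule matched: chain returns, packet continues


def simulate(syn_times, src="10.0.0.5"):
    """Verdict per SYN for one constructed source at the given times (seconds)."""
    table = RecentTable()
    return [connratelimit(table, src, t) for t in syn_times]


if __name__ == "__main__":
    times = list(range(12)) + [300]
    for t, verdict in zip(times, simulate(times)):
        print(f"t={t:>3}s {verdict}")
```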
Try different versions of iptables / kernel and see if you can find one that works, and/or file a bug with upstream iptables: http://bugzilla.netfilter.org/