On 2012-01-11 John Lange wrote:
> iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
> In short, limit to 3 new connections per minute.
Better late than never... here's my 2c (I'd consider myself a netfilter wizard, toot toot)
If the rules mostly work except for the small limits, just up the limit for that 1 rule. Setting it to something like 100-1000 should be OK and still stop floods. If this box is behind a firewall (i.e. not exposed to the internet) then deleting the rule completely should be safe.
> It seems like netfilter blocked the ip on the rate limit rule and now it's "stuck".
Nah, it doesn't do that. As soon as you flush the rules, they are gone. Any conntrack remaining would time out and disappear as a limitation. Must be something else.
I would strongly suspect that your default policies are set to DROP? You could try setting them to ACCEPT. Dan Martin's script had this near the end.
If you're still stuck, send your output from: iptables -L -n -v
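As an added illustration (not part of the thread), here is a small Python helper that reads `iptables -L -n -v` output and reports the two things the reply points at: which built-in chains have a DROP default policy, and what a packet hits after a rate-limited LOG rule. The sample output is constructed to mimic a SuSEfirewall2 layout and is not from the original poster's box.

```python
import re

# Constructed sample of `iptables -L -n -v` output (not from the thread). It has
# DROP default policies on INPUT/FORWARD and the rate-limited LOG rule from the
# post, followed by the DROP rule that actually blocks traffic.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  150  9000 input_ext  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 300 packets, 20000 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 ctstate NEW LOG flags 7 level 4 prefix "SFW2-INext-DROP-DEFLT "
  110  6600 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Built-in chains show "(policy X ...)", user chains show "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


def parse_chains(text):
    """Map chain name -> {"policy": "DROP"/"ACCEPT"/None, "rules": [dict]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            fields = line.split()  # pkts bytes target prot opt in out src dst [matches]
            chains[current]["rules"].append(
                {"target": fields[2], "limited": "limit:" in line})
    return chains


def drop_policy_chains(chains):
    """Built-in chains whose default policy is DROP (first suspect in the reply)."""
    return sorted(name for name, c in chains.items() if c["policy"] == "DROP")


def limited_log_fallthrough(chains):
    """For each rate-limited LOG rule, report what a packet reaches next. LOG is
    non-terminating, so the limit only throttles log lines; the packet continues
    to the next rule (or the chain policy / caller), which is what blocks it."""
    found = []
    for name, c in chains.items():
        rules = c["rules"]
        for i, r in enumerate(rules):
            if r["target"] == "LOG" and r["limited"]:
                if i + 1 < len(rules):
                    nxt = rules[i + 1]["target"]
                else:
                    nxt = "return to caller" if c["policy"] is None else f"policy {c['policy']}"
                found.append((name, nxt))
    return found
```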