What exactly do --limit 1/s and --limit-burst mean in iptables rules?
The math is fully explained in the netfilter docs, but it's reasonable to say that the limit-burst argument specifies the number of matches that are allowed through before the limit of 1 per second "kicks in". These two rules both apply only to ICMP echo request packets (incoming PING requests). These are not per-host limits and apply to anything the rule matches (which, in this case, would be all ICMP echo requests).
--limit
: Specifies the rate at which tokens are refilled into the bucket. 4/hour means 4 tokens per hour (1 token every 15 minutes).
--limit-burst
: Specifies the maximum number of tokens the bucket can hold. (This is also the number of tokens the bucket starts out with.)
I read both answers, but the actual man iptables-extensions made me grok it:
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.
xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.
--limit rate[/second|/minute|/hour|/day]
Maximum average matching rate: specified as a number, with an optional /second, /minute, /hour, or /day suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
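The token bucket described in the two answers above, as an added simulation that is not part of the original thread and not netfilter's own xt_limit code: the kernel keeps its credit in ticks rather than fractions of a second, but the arithmetic is the same. `parse_rate`, `LimitMatch` and `simulate` are names chosen here; the arrival times fed in are constructed samples.

```python
"""Token-bucket model of iptables `-m limit --limit RATE --limit-burst N`.

Added illustration (not netfilter's implementation). A packet "matches"
the rule only if a token is available; the bucket starts full at
`--limit-burst` tokens and refills continuously at `--limit`.
"""
from fractions import Fraction

# Seconds per unit accepted by --limit; the man page allows abbreviations.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Convert a --limit argument such as '1/s', '30/minute' or '4/hour'
    into tokens refilled per second. A bare number means per hour
    (the man page default is 3/hour)."""
    count, _, unit = spec.partition("/")
    unit = unit or "hour"
    for name, seconds in UNITS.items():
        if name.startswith(unit):
            return Fraction(int(count), seconds)
    raise ValueError(f"unknown rate unit in {spec!r}")


class LimitMatch:
    """One instance of the `limit` match: shared by every packet the rule sees,
    so this is a global limit, not a per-source one (use hashlimit for that)."""

    def __init__(self, rate: str = "3/hour", burst: int = 5):
        self.rate = parse_rate(rate)        # tokens added per second
        self.burst = Fraction(burst)        # bucket capacity and initial level
        self.tokens = Fraction(burst)
        self.last = Fraction(0)             # time of the previous packet

    def matches(self, now) -> bool:
        """Return True if a packet arriving at time `now` (seconds, non-decreasing)
        matches the rule, i.e. a token was available and has been consumed."""
        now = Fraction(now)
        # Refill proportionally to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(rate: str, burst: int, arrival_times):
    """Run a sequence of packet arrival times through one rule and return
    a list of booleans: True where the rule matched, False where it did not."""
    rule = LimitMatch(rate, burst)
    return [rule.matches(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed sample: ten pings in the same instant, then one per second.
    burst_then_steady = [0] * 10 + [1, 1, 2, 3]
    for t, ok in zip(burst_then_steady, simulate("1/s", 5, burst_then_steady)):
        print(f"t={t:>2}s  {'ACCEPT' if ok else 'no match'}")
```

Reading the output shows what the answers mean in practice: with `--limit 1/s --limit-burst 5` the first five packets of a flood match immediately, everything else in that instant falls through to whatever rule follows, and from then on the bucket earns exactly one token per second. Because the bucket starts full, a rule like this protects against sustained floods but not against the first `--limit-burst` packets, which is the point the first answer makes.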