Articles

Fix iptables hashlimit Requires More Arguments Errors (2026)

April 18, 2026 4 min read

The iptables hashlimit module failed because it was given an incomplete rule, expecting more parameters to define the rate-limiting behavior.

This typically happens when you’re trying to set up rate limiting on a specific port or IP address but haven’t fully specified the limits you want to enforce. The hashlimit module needs to know how much to limit and over what time period.

Here are the common reasons this error pops up and how to fix them:

  • Missing Rate Specification: The most frequent cause is forgetting to specify the actual rate limit. You might have hashlimit --hashlimit-above 10/sec but forgot the unit or the time period.

    • Diagnosis: Examine your iptables rule. Look for the --hashlimit-above or --hashlimit-burst options.
    • Fix: Ensure you have a valid rate like 10/sec, 60/min, 3600/hour. For example, to limit to 10 connections per second:
      iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name sshd --hashlimit-htable-expire 300000 -j ACCEPT
    • Why it works: The module needs a concrete value and a time unit to understand what constitutes "too much."

  • Incorrect Time Unit: You might be using a time unit that iptables doesn’t recognize or that’s syntactically incorrect.

    • Diagnosis: Check the time units used with --hashlimit-above.
    • Fix: Use standard units: sec (second), min (minute), hour, day. For example, limiting to 50 packets per minute:
      iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-above 50/min --hashlimit-mode srcip --hashlimit-name httpd --hashlimit-htable-expire 300000 -j ACCEPT
    • Why it works: iptables has a defined set of recognized time quantifiers for rate limiting.

  • Missing Mode Specification: The hashlimit module needs to know what to count. Is it per source IP, per destination IP, per source IP and destination IP, etc.?

    • Diagnosis: Look for the --hashlimit-mode option. If it’s absent, or if the specified mode is invalid, this is your problem.
    • Fix: Specify a valid mode. Common ones are srcip, dstip, srcip,dstip. To limit per source IP:
      iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 100/sec --hashlimit-mode srcip --hashlimit-name dns -j ACCEPT
    • Why it works: This tells iptables the granularity of the rate limit, ensuring it tracks counts correctly for individual clients or connections.

  • Incorrect Burst Value Format: If you’re using --hashlimit-burst, it might be formatted incorrectly.

    • Diagnosis: Verify the value provided to --hashlimit-burst.
    • Fix: The burst value should be a simple integer, representing the number of packets allowed above the --hashlimit-above rate before triggering the action. For example, allowing a burst of 20 packets before enforcing the 10/sec limit:
      iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name httpsd -j ACCEPT
    • Why it works: The burst parameter allows for temporary spikes in traffic without immediately dropping packets, making rate limiting more forgiving.

  • Missing Hash Table Name: While not strictly an error that causes "Requires More Arguments," forgetting a name for the hash table can lead to confusion and is often co-located with other missing arguments. The --hashlimit-name is crucial for identifying the specific hash table being managed.

    • Diagnosis: Check if --hashlimit-name is present.
    • Fix: Assign a unique, descriptive name to your hash table. This name is used for logging and for managing the hash table itself (e.g., with iptables -L -v -n or iptables -S).
      iptables -A OUTPUT -p icmp -m hashlimit --hashlimit-above 20/min --hashlimit-name ping-flood -j ACCEPT
    • Why it works: A named hash table allows iptables to manage and track the rate-limiting state effectively and provides a clear identifier in logs.

  • Hash Table Size Not Specified (Less Common for This Specific Error): While the error message is usually about missing rate arguments, sometimes the underlying issue is a poorly configured hash table. The --hashlimit-htable-size and --hashlimit-htable-expire can influence how the table behaves. If these are set to invalid values, it could indirectly manifest.

    • Diagnosis: Check for --hashlimit-htable-size and --hashlimit-htable-expire for invalid numbers or units.
    • Fix: Ensure size is a power of 2 (e.g., 1024) and expire is in milliseconds (e.g., 300000 for 5 minutes).
      iptables -A INPUT -p tcp --dport 25 -m hashlimit --hashlimit-above 5/min --hashlimit-mode srcip --hashlimit-name smtp-limit --hashlimit-htable-size 1024 --hashlimit-htable-expire 600000 -j ACCEPT
    • Why it works: These parameters tune the performance and memory usage of the hash table that stores the rate-limiting counts.

After fixing these, you might encounter iptables: Too many arguments to match on if you’ve accidentally added an extra option that iptables doesn’t recognize for the hashlimit module itself.

Want structured learning?

Take the full Iptables course →