What exactly do --limit 1/s and --limit-burst mean in iptables rules?

Solution 1:

The math is fully explained in the netfilter docs, but it's reasonable to say that the limit-burst argument specifies the number of matches that are allow through before the limit of 1 per second "kicks in". These two rules both apply only to ICMP echo request packets (incoming PING requests). These are not per-host limits and apply to anything the rule matches (which, in this case, would be all ICMP echo requests).

Solution 2:

--limit: Specifies the rate at what tokens get refilled into the bucket. 4/hour means 4 tokens per hour (1 token every 15 minutes).

--limit-burst: Specifies the maximum amount of tokens that can be filled in the bucket. (This is also the amount of tokens the bucket starts out with).