What exactly do --limit 1/s and --limit-burst mean in iptables rules?
The math is fully explained in the netfilter docs, but it's reasonable to say that the
limit-burst argument specifies the number of matches that are allowed through before the
limit of 1 per second "kicks in". These two rules both apply only to ICMP echo request packets (incoming PING requests). These are not per-host limits and apply to anything the rule matches (which, in this case, would be all ICMP echo requests).
--limit: Specifies the rate at which tokens get refilled into the bucket.
4/hour means 4 tokens per hour (1 token every 15 minutes).
--limit-burst: Specifies the maximum number of tokens the bucket can hold. (This is also the number of tokens the bucket starts out with.)
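To make the token-bucket description in the answers above concrete, here is a small simulation I added; it is not code from the page or from netfilter, just a model of the semantics described: the bucket starts full at `--limit-burst` tokens, each matching packet consumes one token, and tokens are refilled at the `--limit` rate up to the burst cap. The example rule it models, `-m limit --limit 1/s --limit-burst 5`, is my assumption of what the question's rules look like (the page does not show them). Packet arrival times are constructed inline.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token-bucket model of `iptables -m limit`.

    rate_per_sec : tokens added per second        (--limit)
    burst        : bucket capacity and start size (--limit-burst)

    This models the behaviour described in the answers, not the kernel's
    own bookkeeping, which works in internal credit units.
    """
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # The bucket starts out full, so the first `burst` packets always match.
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) passes the match."""
        elapsed = now - self.last
        self.last = now
        # Refill proportionally to the time elapsed, never above the burst cap.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_limit(spec: str) -> float:
    """Convert a --limit value such as '1/s', '30/minute' or '4/hour' to tokens per second.

    iptables accepts /second, /minute, /hour and /day (and abbreviations of them).
    """
    count, _, unit = spec.partition("/")
    seconds = {
        "second": 1, "sec": 1, "s": 1,
        "minute": 60, "min": 60, "m": 60,
        "hour": 3600, "h": 3600,
        "day": 86400, "d": 86400,
    }[unit.lower()]
    return int(count) / seconds


def simulate(limit: str, burst: int, arrivals) -> list:
    """Return one bool per arrival time: True where the limit match accepted the packet."""
    m = LimitMatch(parse_limit(limit), burst)
    return [m.matches(t) for t in arrivals]


def ping_flood_verdicts() -> list:
    """Ten echo requests 100 ms apart against --limit 1/s --limit-burst 5.

    Constructed input: the first five drain the bucket, the next five are refused
    because only 0.1 token is refilled between arrivals.
    """
    return simulate("1/s", 5, [i / 10 for i in range(10)])


def four_per_hour_verdicts() -> list:
    """Six quick packets, then one 15 minutes later, against --limit 4/hour --limit-burst 5.

    Constructed input: five pass on the initial burst, the sixth is refused, and the
    one arriving 900 s later passes because exactly one token has been refilled.
    """
    return simulate("4/hour", 5, [0, 1, 2, 3, 4, 5, 905])


if __name__ == "__main__":
    for t, ok in zip([i / 10 for i in range(10)], ping_flood_verdicts()):
        print(f"t={t:.1f}s  {'ACCEPT' if ok else 'no match'}")
    print(four_per_hour_verdicts())
```

Note that a single bucket is shared by everything the rule matches, which is exactly the "not per-host" caveat in the first answer: one noisy source exhausts the burst for every other source as well. Per-source (or per-destination) buckets are what `-m hashlimit` provides instead.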