Iptables tips and tricks
 Limiting the number of connections
If you run an SSH server that is reachable from the Internet, you will sooner or later see someone trying to break into your box with a dictionary attack against passwords.
You can use the iptables match module recent to enforce a minimum time between new connections from the same IP address.
For this to work, the ruleset must already contain this commonly used rule, which accepts every TCP packet that is not a SYN, i.e. packets belonging to connections that were already established (most firewalls have such a rule):
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)
Now, to set the limit:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
These two rules make iptables require 15 seconds between new connections from the same IP address on port 22 (the SSH port). Because --update refreshes the stored timestamp on every hit, the 15 seconds are counted from the most recent attempt, not from the last accepted connection: a client that keeps retrying inside the window is dropped for as long as it keeps going and only gets in once it pauses for 15 seconds (use --rcheck instead of --update if you want a fixed window counted from the last accepted connection). If your firewall already has its own rule for accepting SSH, leave out the -j ACCEPT on the second rule: a rule without a target still records the address in the recent list and lets the packet continue to that later rule.
Another way of slowing down dictionary attacks is the limit match, -m limit --limit <rate>, like this:
iptables -A INPUT -p tcp --syn --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT
The --syn makes the rule count new connections only, so the limit is not spent on packets of sessions that are already open. The rule accepts a sustained average of 3 new connections per minute. --limit-burst 2 is the size of the token bucket: the first two connections are accepted immediately and empty it, after which one token is refilled every 20 seconds (the 3/minute rate), so under a continuous attack exactly one connection gets through every 20 seconds, not one per minute. Two caveats: the rule only has an effect if packets it does not accept are dropped afterwards (by a DROP policy on INPUT or an explicit DROP rule for port 22 after it), and the limit match keeps a single counter for the whole rule rather than one per source address, so a sustained attack also rate-limits legitimate users (the hashlimit match keeps per-source counters).
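As an added example, not code from the original page, the following Python script models the matching behaviour of the two kinds of rule above so that the verdicts can be traced attempt by attempt without root or a kernel. The source address 203.0.113.7 and the attempt times are constructed; the model assumes the token-bucket semantics documented for the limit match (--limit is the sustained average rate, --limit-burst the bucket size) and the --update and --rcheck semantics of the recent match (drop if the source was seen within --seconds; --update also refreshes the timestamp on every hit).

```python
"""Simulation of the recent and limit matches used in the SSH rules above.

Added example, not code from the original page. RecentMatch models
`-m recent --update|--rcheck --seconds N -j DROP` followed by
`-m recent --set -j ACCEPT`; LimitMatch models
`-m limit --limit R/minute --limit-burst B -j ACCEPT` with a DROP after it.
All addresses and timestamps below are constructed test data.
"""
from fractions import Fraction
from typing import Dict, List, Optional


class RecentMatch:
    """Per-source 'last seen' list, as kept by the recent match (assumed model)."""

    def __init__(self, seconds: float, rolling: bool = True) -> None:
        self.seconds = seconds
        self.rolling = rolling                  # True: --update, False: --rcheck
        self.last_seen: Dict[str, float] = {}   # one timestamp per source address

    def attempt(self, src: str, now: float) -> str:
        last = self.last_seen.get(src)
        if last is not None and now - last < self.seconds:
            if self.rolling:
                self.last_seen[src] = now       # --update refreshes the entry even when dropping
            return "DROP"
        self.last_seen[src] = now               # --set records (or re-records) the source
        return "ACCEPT"


class LimitMatch:
    """Token bucket holding at most `burst` tokens, refilled at `per_minute` tokens per minute.

    The counter is global to the rule, not per source: one attacker drains it
    for everyone (the hashlimit match keeps per-source buckets instead).
    Fraction arithmetic keeps the simulation exact and deterministic.
    """

    def __init__(self, per_minute: int, burst: int) -> None:
        self.refill_per_sec = Fraction(per_minute, 60)
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)           # bucket starts full: the initial burst
        self.last: Optional[Fraction] = None

    def attempt(self, src: str, now: float) -> str:
        t = Fraction(now)
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.refill_per_sec)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1                    # spend one token on this new connection
            return "ACCEPT"
        return "DROP"


ATTACKER = "203.0.113.7"                        # constructed (TEST-NET-3) source address


def recent_verdicts(times: List[float], seconds: float = 15, rolling: bool = True) -> List[str]:
    """Verdicts for one source hitting port 22 at the given times (default: --update 15s)."""
    m = RecentMatch(seconds, rolling)
    return [m.attempt(ATTACKER, t) for t in times]


def limit_verdicts(times: List[float], per_minute: int = 3, burst: int = 2) -> List[str]:
    """Verdicts of `--limit 3/minute --limit-burst 2` for the given attempt times."""
    m = LimitMatch(per_minute, burst)
    return [m.attempt(ATTACKER, t) for t in times]


def main() -> None:
    every_5s = list(range(0, 121, 5))           # constructed: one attempt every 5 s for two minutes
    upd = recent_verdicts(every_5s)
    chk = recent_verdicts(every_5s, rolling=False)
    print("recent --update: %d of %d accepted (rolling window)" % (upd.count("ACCEPT"), len(upd)))
    print("recent --rcheck: %d of %d accepted (fixed window)" % (chk.count("ACCEPT"), len(chk)))
    lim = limit_verdicts(every_5s)
    accepted_at = [t for t, v in zip(every_5s, lim) if v == "ACCEPT"]
    # The burst is spent on the first two attempts; afterwards one token is refilled
    # every 20 s, so the sustained rate is 3/minute, not 1/minute.
    print("limit 3/minute burst 2: accepted at t =", accepted_at)


if __name__ == "__main__":
    main()
```

Run it with python3 and compare the two recent variants: against a source that retries every 5 seconds, --update lets exactly one attempt through in two minutes, while --rcheck lets one through every 15 seconds. The limit simulation shows the same attacker getting 8 connections in two minutes (the burst of 2 plus 3 per minute), one every 20 seconds once the burst is spent.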