IPTables - Rate Limiting

The Netfilter system includes a variety of matchers which we can use to implement rate limiting solutions. A non-exhaustive list is given below along with a brief description of each module. We shall be covering all of these in turn in the following sections.

limit

  This matcher can be used to limit matching of a rule to a specified rate. Any rule which includes this matcher will only match while the limit has not been exceeded.

connlimit

  This matcher can be used to limit matching of a rule based on the number of existing active connections from a given host or address block. Any rule which includes this matcher will only match while the number of connections is above (or below, if negated) the number specified.

hashlimit

  This matcher can be used to limit matching of a rule to a specified rate on a per-address, or per address-port tuple, basis. Any rule which includes this matcher will only match while the limit has not been exceeded for the specified source or destination address.

recent

  This matcher can be used to create, update, and perform actions based on the contents of dynamic lists of addresses. It can be used to create extremely complex rules and is ideal for creating dynamic behaviours such as automated retaliation and port "knocking" activated rules.

As you can see there is a matcher for pretty much every imaginable scenario.

Simple Rate Limiting

Simple rate limiting is adequate for controlling the size of a log file, but it is not really suitable for much else. We could use it to limit the number of connection attempts to a particular service in any given period, for example, but as it pays no regard to who is attempting to connect, this would just be a recipe for an easy denial of service attack.

# Create a LOGDROP chain: log at most 1 packet/second (allowing an initial
# burst of 20) so that a flood cannot fill the log, then drop everything.
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 1/second --limit-burst 20 \
   -j LOG --log-prefix 'FIREWALL - DROP:' --log-level info
iptables -A LOGDROP -j DROP
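The flood case the section above warns about, worked through on an added model of the limit matcher's token bucket. This is example code written for this page, not part of the original article; parse_limit, LimitMatch and logged_packets are my own names, and millisecond bookkeeping stands in for the kernel's jiffies-based credit counter.

```python
"""Model of the iptables `-m limit` token bucket (constructed for this page)."""

# iptables accepts 'second', 'minute', 'hour', 'day' or any prefix of them
_PERIODS = (("second", 1_000), ("minute", 60_000),
            ("hour", 3_600_000), ("day", 86_400_000))


def parse_limit(spec: str) -> int:
    """Turn a --limit value such as '1/second' or '5/minute' into the credit
    (in milliseconds) that one matching packet consumes."""
    count, _, period = spec.partition("/")
    n = int(count)
    for name, period_ms in _PERIODS:
        if n > 0 and name.startswith(period):   # '' defaults to per second
            return period_ms // n
    raise ValueError(f"bad --limit value: {spec!r}")


class LimitMatch:
    """Token bucket equivalent to `-m limit --limit RATE --limit-burst BURST`.
    Credit accrues with wall-clock time and is capped at burst*cost; every
    matching packet spends one cost. The bucket starts full, so the first
    BURST packets always match (assumption: ms stand in for kernel jiffies)."""

    def __init__(self, limit: str, burst: int = 5, installed_ms: int = 0):
        self.cost = parse_limit(limit)
        self.cap = burst * self.cost
        self.credit = self.cap
        self.prev_ms = installed_ms

    def matches(self, now_ms: int) -> bool:
        self.credit = min(self.cap, self.credit + (now_ms - self.prev_ms))
        self.prev_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def logged_packets(timestamps_ms: list, limit: str = "1/second",
                   burst: int = 20) -> list:
    """Indices of the packets the rate-limited LOG rule would actually log."""
    m = LimitMatch(limit, burst)
    return [i for i, t in enumerate(timestamps_ms) if m.matches(t)]


if __name__ == "__main__":
    # Constructed flood: 41 dropped packets, one every 100 ms, for 4 seconds.
    flood = [i * 100 for i in range(41)]
    print(logged_packets(flood))   # first 22 logged, then one per second
```

Without the limit matcher every one of the 41 packets would produce a log line; with it the burst is absorbed and the chain settles to one line per second.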

Connection Limiting

Sometimes it can be useful to be able to control the number of simultaneous connections which may be opened to a particular resource from a given host or network. A good example of this would be the ssh protocol as each connection requires a fairly significant quantity of system resources to maintain.

As remote shell access is a fairly commonly offered service, and one which it is desirable to exert some level of control over, let's modify our firewall configuration script to only allow a maximum of two simultaneous ssh connections from any address. This can be done by inserting a rule into our script as shown below.

# Reject a third simultaneous ssh connection from the same source address
# (connlimit counts per /32 by default); otherwise accept the new connection
# and the traffic belonging to established ones.
iptables -A TCP-IN-REQ   -p tcp --dport ssh -m state --state NEW \
   -m connlimit --connlimit-above 2 -j REJECT --reject-with icmp-admin-prohibited
iptables -A TCP-IN-REQ   -p tcp --dport ssh -m state --state NEW         -j ACCEPT
iptables -A TCP-IN-REQ   -p tcp --dport ssh -m state --state ESTABLISHED -j ACCEPT
iptables -A TCP-OUT-RESP -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT

iptables/rate_limiting.1467584049.txt.gz · Last modified: 2020/07/15 09:30 (external edit)