Short version of this.
To allow SSH TCP connections, but drop new ones from a source that has already opened 10 within 60 seconds (the 10th hit trips --hitcount 10, so 9 get through; every further attempt refreshes the timestamps, so a client that keeps retrying stays blocked):

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

Run them in this order: -I inserts at the top of the chain, so the chain ends up as --set, then --update/DROP, then ACCEPT. The --set rule must be hit before the --update rule, or the counting never starts.
To check the current list (from the man page; needs root, and the list is called DEFAULT because the rules above pass no --name):

    cat /proc/net/xt_recent/DEFAULT
Test with (the -w 2 is a connect timeout so nc gives up quickly once the DROP rule kicks in, instead of retrying the SYN for minutes; 1.2.3.4 is the host being tested):

    #!/bin/bash
    ip="1.2.3.4"
    port="22"
    for i in {1..100}
    do
        echo "attempt $i"
        # do nothing, just connect and exit; a timeout here means we are being dropped
        echo "exit" | nc -w 2 ${ip} ${port}
    done
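The list dump from /proc/net/xt_recent shows raw jiffies, so it is not obvious at a glance who is currently over the limit. The script below is an added example, not code from the original post: it parses lines in the format the kernel's xt_recent module writes ("src=... ttl: ... last_seen: ... oldest_pkt: N" followed by the recorded timestamps) and flags the sources the --update/--hitcount rule would be dropping, counting exactly the way the rule does (hits no older than now minus seconds*HZ). The three list lines, the HZ value of 250 and the list name "SSH" used by the optional root-only apply function are assumptions for the example; nothing touches iptables unless it is run with the argument "apply".

```shell
#!/bin/bash
# Added example (not from the original post). Offline check of an xt_recent
# list plus an optional, root-only installer for the same rate limit under a
# named list. Nothing calls iptables unless run as: ./script apply [LISTNAME]

# One tracked source per line. Timestamps are kernel jiffies; those after
# "oldest_pkt: N" are the recorded hits, comma-separated, newest last.
# These three lines are constructed for the example.
SAMPLE_XT_RECENT=$(cat <<'EOF'
src=203.0.113.7 ttl: 64 last_seen: 4999000 oldest_pkt: 1 4990000, 4991000, 4992000, 4993000, 4994000, 4995000, 4996000, 4997000, 4998000, 4999000
src=192.0.2.45 ttl: 55 last_seen: 4999500 oldest_pkt: 1 4998000, 4999000, 4999500
src=198.51.100.200 ttl: 64 last_seen: 4999900 oldest_pkt: 9 4900000, 4901000, 4902000, 4903000, 4904000, 4905000, 4906000, 4907000, 4999000, 4999900
EOF
)

# recent_offenders NOW_JIFFIES HZ SECONDS HITCOUNT  < xt_recent lines
# Prints "SRC HITS" for every source with >= HITCOUNT hits in the last SECONDS,
# i.e. the sources a "--update --seconds S --hitcount N -j DROP" rule matches.
recent_offenders() {
    local now="$1" hz="$2" seconds="$3" hitcount="$4"
    awk -v now="$now" -v hz="$hz" -v secs="$seconds" -v hc="$hitcount" '
        /^src=/ {
            src = substr($1, 5)
            start = 0
            for (i = 1; i <= NF; i++)
                if ($i == "oldest_pkt:") { start = i + 2; break }
            if (start == 0) next
            hits = 0
            for (i = start; i <= NF; i++) {
                ts = $i
                sub(/,$/, "", ts)
                # same test as the kernel: keep stamps not older than now - secs*HZ
                if (ts + 0 >= now - secs * hz) hits++
            }
            if (hits >= hc) print src, hits
        }'
}

# report_offenders HZ SECONDS HITCOUNT < xt_recent lines
# Uses the newest last_seen in the input as "now", which is enough when you
# only want to know who is blocked at the moment the list was read.
report_offenders() {
    local hz="$1" seconds="$2" hitcount="$3" input now
    input=$(cat)
    now=$(printf '%s\n' "$input" | awk '
        /^src=/ { for (i = 1; i <= NF; i++)
                      if ($i == "last_seen:" && $(i+1) + 0 > m) m = $(i+1) + 0 }
        END { print m + 0 }')
    printf '%s\n' "$input" | recent_offenders "$now" "$hz" "$seconds" "$hitcount"
}

# Root-only: the same three rules as the post, but on a named list so they do
# not collide with other users of DEFAULT. -m conntrack --ctstate is the
# current spelling of -m state --state. List name, window and hitcount are
# assumed defaults for this example.
apply_ssh_ratelimit() {
    local name="${1:-SSH}" seconds="${2:-60}" hitcount="${3:-10}"
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name "$name" --update --seconds "$seconds" --hitcount "$hitcount" -j DROP
    iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name "$name" --set
    echo "Installed; watch the list with: cat /proc/net/xt_recent/$name"
}

case "${1:-}" in
    apply) apply_ssh_ratelimit "${2:-SSH}" ;;
    *)
        # Offline demo on the constructed sample: HZ=250, 60 s window, hitcount 10.
        # Only 203.0.113.7 has 10 hits inside the window; 198.51.100.200 also has
        # 10 entries, but 8 are older than 60 s, so it is not blocked (yet).
        printf '%s\n' "$SAMPLE_XT_RECENT" | report_offenders 250 60 10
        ;;
esac
```

To run it against a live box, pipe the list in: `cat /proc/net/xt_recent/DEFAULT | ./script` (as root), after editing the HZ argument to match the kernel (CONFIG_HZ in /boot/config-$(uname -r); note that getconf CLK_TCK reports USER_HZ, not the kernel's HZ). If you want an absolute "now" rather than the newest entry, the current jiffies value is on the "jiffies:" line of /proc/timer_list, also root-only.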