Hardening iptables with limit rates

How to offload the hard work of blocking brute force to iptables.

Apply rate limiting at the lowest layer you have access to: on a Linux host that is netfilter, where a brute-forcer's surplus connection attempts are dropped before they ever reach sshd or the web server. Note: these are examples only, not a full configuration.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

### add your usual safety tricks here (loopback, ICMP, anti-spoofing, ...) ###
### don't forget to allow established and related connections, otherwise the
### rate limits below would also throttle every packet of every open session
### (-m state --state is still accepted as an alias for -m conntrack --ctstate)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### rate limit examples:
### -m limit is one token bucket for the whole rule, shared by all sources:
### --limit is the refill rate, --limit-burst the bucket size. A NEW packet
### that finds the bucket empty simply does not match this rule and falls
### through to the chain policy (DROP), so the client's SYN is silently lost.
# SSH
# only the connection setup is limited, an established SCP transfer runs at
# full speed; but anything that opens many SSH sessions in quick succession
# (scp/rsync in a loop, parallel remote-execution tools) loses every SYN past
# the 4th per second and stalls on TCP retransmits, so be careful with this one
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/s --limit-burst 4 -j ACCEPT

# webserver
# 128 new connections/s shared by all clients; size it for real peak traffic,
# a too-small value lets a single flooder starve legitimate visitors
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 128/s --limit-burst 128 -j ACCEPT

COMMIT
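The limit match above keeps a single bucket for all sources, so one attacker hammering port 22 also locks out every legitimate user. The per-source variant uses the hashlimit match instead. The fragment below is an added example, not from the original post; the chain name SSH_RATE, the bucket name ssh-new, the log prefix and the 4-per-minute budget are my assumptions for illustration:

```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# user-defined chain (the name SSH_RATE is an assumption for this example)
:SSH_RATE - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

# every NEW SSH connection is decided in SSH_RATE
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j SSH_RATE

# one token bucket per source /32: 4 new connections per minute, burst 4,
# refilled independently per client, so a brute-forcer exhausts only its
# own bucket. Idle entries leave the hash table after 10 minutes
# (--hashlimit-htable-expire is in milliseconds).
-A SSH_RATE -m hashlimit --hashlimit-name ssh-new --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 4/minute --hashlimit-burst 4 --hashlimit-htable-expire 600000 -j ACCEPT
# over budget: log it (the LOG rule is itself rate limited so an attacker
# cannot fill the disk with log lines), then drop the SYN explicitly
-A SSH_RATE -m limit --limit 6/minute --limit-burst 6 -j LOG --log-prefix "ssh-ratelimit: " --log-level info
-A SSH_RATE -j DROP

COMMIT
```

Load it with `iptables-restore < file` and watch the per-source buckets in `/proc/net/ipt_hashlimit/ssh-new` while counters accumulate in `iptables -L SSH_RATE -v -n`. Setting `--hashlimit-srcmask` to 24 instead of 32 makes a whole /24 share one bucket, which catches attackers that rotate through a small netblock at the cost of punishing their neighbours. The `-m recent` match with `--set` / `--update --seconds 60 --hitcount 4` is the other common way to express the same per-source policy; hashlimit is preferred here because its bucket refills smoothly rather than counting hits in a sliding window.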

(Oh, by the way: this entry was written by Peter Molnar, and originally posted on petermolnar dot net.)