Limit max connections per IP address and new connections per second with iptables
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
This rejects further new connections (the SYN is answered with a TCP RST, so the client fails fast instead of hanging) once a single source IP already has more than 15 connections to port 80. `--connlimit-mask 32` counts each IPv4 address on its own; use a smaller mask (e.g. 24) to count a whole subnet, and keep in mind that many clients behind one NAT share a single counter. Because the rule matches `--syn` only, connections that are already open are never cut.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT
The intent is that 160 packets (not connections, `-m limit` counts packets) are allowed straight away before the steady limit of 150 packets per second applies: `-m limit` is a token bucket in which `--limit-burst` tokens are available immediately and are refilled at the `--limit` rate. As written, though, the rule matches RELATED,ESTABLISHED packets rather than NEW ones, so it throttles traffic on connections that are already open instead of new connections. Note also that `-m limit` keeps one global bucket shared by all sources (use `-m hashlimit --hashlimit-mode srcip` for a per-source bucket), and that the rule only ACCEPTs: packets over the limit simply fall through to the rules after it and, finally, to the chain policy.
The second rule does NOT work on "new connections". It explicitly affects existing ("ESTABLISHED") connections. To do new connections, you would want --state NEW. You might also consider using `-m conntrack --ctstate` in place of `-m state --state`. conntrack is new and improved vs. state.
The comment above about applying the 2nd rule to `NEW` connections: do not do that. It effectively turns your `INPUT` chain into a default `accept`!!!
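As an added example (not part of the original gist or its comments), the following script builds a complete INPUT policy that keeps the gist's per-IP connection cap on port 80 and rate-limits new connections the way the post intended, while taking both comments into account: it uses `-m conntrack --ctstate` instead of `-m state`, restricts the NEW-SYN rule to the service port and sets a DROP policy so the rate-limit rule can never act as a blanket accept, and keys the rate limit per source with `hashlimit` rather than one global bucket. Port 80, the limits, an IPv4 host, and the `hashlimit` and `connlimit` match modules are assumed; the `audit_rules` helper is a hypothetical check of my own, not an iptables feature. Set `IPT=echo` to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: a default-deny INPUT chain with a per-source connection cap
# and a per-source SYN rate limit on one service port. Not the gist's code.
# Run as: sh limits.sh apply   (or: IPT=echo sh limits.sh apply  to dry-run)
IPT="${IPT:-iptables}"

# Assumed values; adjust for your service.
PORT=80
MAX_CONN_PER_IP=15      # connlimit: more than this many per /32 is refused
SYN_RATE=150/second     # hashlimit: steady rate of NEW SYNs per source IP
SYN_BURST=160           # hashlimit: tokens spent before the steady rate applies

apply_rules() {
  # Default-deny, so an ACCEPT rule scoped to a port is never a blanket accept.
  $IPT -P INPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  # Traffic on connections that already exist is accepted outright; this is
  # where the gist's second rule belongs, without any rate limit.
  $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Gist's first rule: cap concurrent connections per /32 source on the port.
  $IPT -A INPUT -p tcp --syn --dport "$PORT" \
    -m connlimit --connlimit-above "$MAX_CONN_PER_IP" --connlimit-mask 32 \
    -j REJECT --reject-with tcp-reset
  # Rate-limit NEW SYNs, scoped to the port and keyed per source address so one
  # client cannot drain a shared bucket. SYN_BURST tokens are spent first, then
  # refilled at SYN_RATE; SYNs arriving with no token fall through to the
  # chain's DROP policy.
  $IPT -A INPUT -p tcp --syn --dport "$PORT" -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-name "syn_$PORT" --hashlimit-mode srcip \
    --hashlimit-upto "$SYN_RATE" --hashlimit-burst "$SYN_BURST" \
    -j ACCEPT
}

# Hypothetical safety check for the hazard raised in the comments: an ACCEPT
# rule that matches NEW packets without a --dport admits any rate-limited
# traffic to any port. Reads rule lines on stdin; returns 1 if any offend.
audit_rules() {
  if grep -e '-j ACCEPT' | grep -e 'NEW' | grep -v -e '--dport' | grep -q .; then
    echo "unsafe: ACCEPT on NEW packets without a --dport restriction" >&2
    return 1
  fi
  return 0
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```

With `IPT=echo` the generated rules can be piped through `audit_rules` before they are loaded; the rule proposed in the comments (`--state NEW -m limit ... -j ACCEPT` with no port) fails the check, while the ruleset above passes because its only NEW-matching ACCEPT is tied to `--dport 80` and the chain policy is DROP.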