@ Charles: What I would suggest for your case is to put the SSH rule outside of the rate limiting general rule:
By the way (mostly for other readers, as I think Charles has seen this before), here are my rules for ssh:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Slow down log clutter from bruteforce attacks
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Set general rate limiting
-A INPUT -p tcp -m state --state NEW -m limit --limit 30/min --limit-burst 5 -j ACCEPT
# Accept ICMP packets
-A INPUT -p icmp -j ACCEPT
# Allow HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Reject everything else
-A INPUT -j REJECT
Notice that I drop all packets, not just port 22 packets, once they get on my "list". While very rare, I have had attacks over many many ports at once. The other thing I do is have a very long timeout, as I have seen many of these password bots come back after a short time. Notice also, the logging rule aside, this method uses 1 less rule.
# Secure Shell on port 22.
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
Also, I myself have had difficulties with rate limiting for incoming port 80 on my web site. I seem to keep hitting the limits for real accesses, or backing off so far that it is of little use. Rate limiting has been useful for port 25 (e-mail) though.
@Leo: Glad you got it working.
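An added example, not part of the original posts: a small Python model of the `-m recent` matching used in the two SSH rule sets above, replayed over a constructed trace to compare the 60-second port-22 limit with the 5400-second all-port BADGUY_SSH list. It assumes every packet in the trace is the first packet of a NEW connection (ESTABLISHED traffic accepted earlier), and it does not model `--rttl` or the module's list-size limits; the function names and the source address are made up for the illustration.

```python
from collections import defaultdict

class RecentList:
    """Simplified model of one `-m recent` list; --rttl and list-size limits are not modelled."""
    def __init__(self):
        self.stamps = defaultdict(list)   # source IP -> timestamps of recorded hits

    def set(self, src, now):
        # --set: record a hit for the source; the match always succeeds
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update: match when >= hitcount hits fall within the last `seconds`;
        # a successful match records another hit, which keeps the entry fresh
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        if len(recent) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def ssh_60s(lst, src, dport, now):
    """First rule set: list SSH, port 22 only, 4 hits in 60 s -> REJECT."""
    if dport != 22:
        return "NEXT"                      # handled by later rules
    lst.set(src, now)
    return "REJECT" if lst.update(src, now, 60, 4) else "ACCEPT"

def badguy_5400s(lst, src, dport, now):
    """Second rule set: list BADGUY_SSH, checked on every port, 3 hits in 5400 s -> DROP."""
    lst.update(src, now, 5400, 3)          # LOG rule: non-terminating, records a hit when it matches
    if lst.update(src, now, 5400, 3):      # DROP rule
        return "DROP"
    if dport != 22:
        return "NEXT"
    lst.set(src, now)
    return "ACCEPT"

def replay(policy, packets, src="203.0.113.7"):
    lst = RecentList()
    return [policy(lst, src, dport, t) for t, dport in packets]

# Constructed trace of NEW connections from one source: (time in seconds, destination port)
PACKETS = [(0, 22), (2, 22), (4, 22), (6, 22), (8, 80),
           (120, 22), (3000, 22), (5450, 22), (20000, 22)]

if __name__ == "__main__":
    for name, policy in (("SSH 60s", ssh_60s), ("BADGUY 5400s", badguy_5400s)):
        print(name, replay(policy, PACKETS))
```

In the replay, the BADGUY_SSH variant still drops the source at 5450 s even though its three original connections are older than 5400 s, because each dropped packet was itself recorded by `--update`.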