Hi, and welcome to Ubuntu forums.
I think the "recent" module is the one you might want to try. Here is an example use for detecting and preventing incoming SSH attacks on my server:
Code:
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --mask $BIT_MASK --set --name BADGUY_SSH -j ACCEPT
Where:
Code:
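IPTABLES=/sbin/iptables
EXTIF="enp1s0"
EXTIP="192.0.2.10"   # placeholder: the server's external IP address (not given in the original post)
BIT_MASK="255.255.252.0"
UNIVERSE="0.0.0.0/0"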
And, of course, this rule is somewhere earlier:
Code:
# Allow any related traffic coming back to the server in.
#
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
I do not understand enough about your application to know if such code would need to be modified to go in the OUTPUT or FORWARD chain. Depending on the magnitude of your issues and your desired hitcounts, you might need to increase table sizes from the default values.
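Added example, not part of the original post: a small Python model of how the three BADGUY_SSH rules above treat a series of new SSH connection attempts, showing that the /22 mask makes neighbouring addresses share one list entry and that dropped packets are themselves recorded. It assumes only NEW connections to tcp/22 reach these rules (the ESTABLISHED,RELATED rule accepts the rest); the class and function names and the sample traffic are constructed for illustration.

```python
import ipaddress

BIT_MASK = "255.255.252.0"   # from the post: sources are grouped per /22
HITCOUNT = 3                 # --hitcount 3
SECONDS = 90000              # --seconds 90000 (25 hours)

def masked(src, mask=BIT_MASK):
    """--mask: the list is keyed on the source address ANDed with the mask."""
    addr = int(ipaddress.ip_address(src)) & int(ipaddress.ip_address(mask))
    return str(ipaddress.ip_address(addr))

class RecentList:
    """Hypothetical minimal model of one 'recent' list: key -> timestamps."""
    def __init__(self):
        self.stamps = {}

    def update(self, key, now):
        """--update: match if >= HITCOUNT stamps fall within the last SECONDS;
        a new stamp is recorded only when the rule matches."""
        recent = [t for t in self.stamps.get(key, []) if now - t <= SECONDS]
        if len(recent) >= HITCOUNT:
            self.stamps[key].append(now)
            return True
        return False

    def set(self, key, now):
        """--set: always record a stamp (the rule always matches)."""
        self.stamps.setdefault(key, []).append(now)

def verdict(lst, src, now):
    """Walk the three rules for one new connection to tcp/22 from src."""
    key = masked(src)
    lst.update(key, now)          # rule 1: LOG, non-terminating
    if lst.update(key, now):      # rule 2: DROP
        return "DROP"
    lst.set(key, now)             # rule 3: --set ... -j ACCEPT
    return "ACCEPT"

def replay(events):
    """Run (time_in_seconds, source) events through a fresh list."""
    lst = RecentList()
    return [verdict(lst, src, t) for t, src in events]

# Constructed sample traffic; both hosts fall in the same /22.
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
          (15, "198.51.100.7"), (3600, "198.51.101.20"), (80000, "198.51.100.7"),
          (93000, "198.51.101.20"), (300000, "198.51.100.7")]

if __name__ == "__main__":
    for (t, src), v in zip(SAMPLE, replay(SAMPLE)):
        print(f"{t:>7}s  {src:<15} key={masked(src):<13} {v}")
```

In the sample, the attempt at 93000 s is still dropped even though the first three hits have aged out, because the drops at 3600 s and 80000 s added their own timestamps; the entry only stops matching after the /22 has been quiet for the full 90000 seconds.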