Slowing Dictionary Attacks with NetFilter

iptables v1.3 and newer ship with the 'recent' match module, which remembers
source addresses and lets you limit access based on how many times an address
has connected within a given time window.

To allow only 3 connection attempts from any single IP address in any 2-minute window:

# chain that logs and then accepts new SSH connections that made it past the check
iptables -N acceptlog
iptables -A acceptlog -j LOG --log-prefix "*** ACCEPT LOG ***"
iptables -A acceptlog -j ACCEPT

# chain for every new SSH connection: record the source address in the SSHDROP
# list, then drop the packet once that address has made 4 attempts within
# 120 seconds (attempts 1-3 fall through and return to INPUT).
# Note: --update also refreshes the address's timestamp, so an address that
# keeps retrying stays blocked until it has been quiet for 120 seconds.
# This INPUT rule must come before the accept rule below; iptables evaluates in order.
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSHDROP
iptables -A SSH_CHECK -m recent --update --seconds 120 --hitcount 4 --name SSHDROP -j DROP

# Finally accept (and log, via acceptlog) anyone who makes it through the gate
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j acceptlog
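A quick way to see what the SSHDROP list actually holds once these rules are in place. This is an added example, not part of the original page: it parses the kernel's 'recent' list as exposed under /proc/net/xt_recent/SSHDROP (older kernels use /proc/net/ipt_recent/SSHDROP), assumes HZ=250 when converting --seconds 120 to jiffies, and runs over a constructed snapshot rather than live traffic.

```shell
#!/bin/sh
# Inspect the kernel's 'recent' list named SSHDROP that the rules above maintain.
# The kernel exposes it as /proc/net/xt_recent/SSHDROP (older kernels:
# /proc/net/ipt_recent/SSHDROP). Each line has the form:
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <j1>, <j2>, ...
# Timestamps are jiffies; --seconds 120 is compared as 120*HZ jiffies,
# so WINDOW below assumes HZ=250 (check CONFIG_HZ on the host).

WINDOW=30000   # 120 s * 250 HZ (assumption: HZ=250)
HITCOUNT=4     # mirrors --hitcount 4 in the SSH_CHECK chain

# Constructed snapshot standing in for the live proc file (not real traffic).
SAMPLE='src=203.0.113.7 ttl: 64 last_seen: 30900 oldest_pkt: 3 500, 30100, 30500, 30900
src=198.51.100.2 ttl: 64 last_seen: 30900 oldest_pkt: 0 29000, 29500, 30200, 30900
src=192.0.2.9 ttl: 64 last_seen: 30700 oldest_pkt: 0 30700'

# Largest last_seen in the list: the closest thing to "now" on the kernel
# clock that the file itself provides.
recent_now() {
    awk 'BEGIN { m = 0 } /^src=/ && $5 > m { m = $5 } END { print m }'
}

# For each address, count hits inside the window as of $1 (jiffies),
# with window length $2 and threshold $3. Prints "<ip> <hits> BLOCKED|ok";
# BLOCKED means --hitcount was reached inside the window, i.e. the address's
# latest attempt was dropped and further attempts will be too.
recent_summary() {
    awk -v now="$1" -v window="$2" -v hits="$3" '
    /^src=/ {
        ip = substr($1, 5)             # strip the "src=" prefix
        n = 0
        for (i = 8; i <= NF; i++) {    # timestamps follow "oldest_pkt: <idx>"
            t = $i; sub(/,$/, "", t)   # drop the separating comma
            if (now - t <= window) n++
        }
        printf "%s %d %s\n", ip, n, ((n >= hits) ? "BLOCKED" : "ok")
    }'
}

# Stand-alone run over the constructed snapshot; on a host, feed the contents
# of /proc/net/xt_recent/SSHDROP instead of SAMPLE.
now=$(printf '%s\n' "$SAMPLE" | recent_now)
printf '%s\n' "$SAMPLE" | recent_summary "$now" "$WINDOW" "$HITCOUNT"
```

In the sample, 203.0.113.7 shows 4 stamps but only 3 inside the window, so its next attempt is still allowed, while 198.51.100.2 has reached the hitcount and is being dropped.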