Connection Limiting in iptables
In principle you can cap the connections to any TCP-based service dynamically (on the fly) with iptables, without touching the service itself. Start by setting the service's own limit to a good hard maximum (the most users that would EVER access it at one time), so the service never falls over on its own. Then let iptables enforce the real limit in front of it. For a rate cap, make an ACCEPT rule for new connections to the port (--ctstate NEW) with -m limit --limit x/minute; for a cap on how many connections are open at once, use -m connlimit --connlimit-above N on the same rule instead. (Rate-limiting ESTABLISHED packets, as is sometimes suggested, throttles traffic on connections that already exist rather than limiting connections.) Below that ACCEPT rule you have two choices. You can make a DROP rule matching exactly the same ip/port, if you don't care about users complaining that the service acts like it's going to connect and then just sits there, which is what a silently dropped SYN looks like from the client side once the maximum is reached (a REJECT --reject-with tcp-reset at least fails fast). Or you can code a small daemon for your service that sends out nothing but "server full" messages, and put a rule in the nat table underneath the ACCEPT rule that diverts the leftover connections to it: REDIRECT for a port on the same box, DNAT for another host. It has to be the nat table, since mangle cannot rewrite a packet's destination. The neat thing about the second approach is that you only need one "server full" daemon per network: simply DNAT the leftover connections to it, regardless of where it sits. Two caveats: iptables can only count connections that conntrack is tracking, so make sure nf_conntrack_max is well above your hard maximum, and keep the "server full" daemon's own connections short, because while they are open they still sit in conntrack and count against the limit.
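As an added example (this is not code from the original post), here is a shell function that generates the ruleset described above in iptables-restore format, combining both ideas: a rate cap on new connections to the service, and a concurrency cap whose overflow is redirected to a "server full" listener. The port numbers (8080 for the service, 8081 for the "server full" daemon), the limits, and the existence of the daemon itself are assumptions.

```sh
#!/bin/sh
# Added example (not from the post): build an iptables-restore ruleset that
# caps a TCP service's connections and diverts the overflow to a "server full"
# listener. Port numbers and limits are assumptions; pass your own.

# gen_rules SERVICE_PORT MAX_CONNS FULL_PORT NEW_PER_MINUTE
# Prints the ruleset; apply it with:  gen_rules 8080 200 8081 60 | iptables-restore
gen_rules() {
    port="$1"; max="$2"; full_port="$3"; rate="$4"
    # Refuse anything that is not a plain integer rather than emitting a broken ruleset.
    for arg in "$port" "$max" "$full_port" "$rate"; do
        case "$arg" in
            ''|*[!0-9]*) echo "gen_rules: '$arg' is not a number" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Concurrency cap: once more than $max connections to port $port are open
# (counted globally via --connlimit-mask 0, not per client), every further
# new connection is rewritten to the "server full" daemon on port $full_port.
# nat, not mangle, is the table that can change a packet's destination.
-A PREROUTING -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -m connlimit --connlimit-above $max --connlimit-mask 0 -j REDIRECT --to-ports $full_port
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# Packets of connections already accepted pass unconditionally; rate-limiting
# ESTABLISHED traffic would throttle live sessions, not limit connections.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate cap: at most $rate new connections per minute reach the service ...
-A INPUT -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -m limit --limit $rate/minute --limit-burst $rate -j ACCEPT
# ... and the rest get an immediate RST instead of a silent DROP that hangs the client.
-A INPUT -p tcp -m tcp --dport $port -j REJECT --reject-with tcp-reset
# The "server full" listener must be reachable for the redirected overflow.
-A INPUT -p tcp -m tcp --dport $full_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: print the ruleset for the assumed ports and limits.
gen_rules "${1:-8080}" "${2:-200}" "${3:-8081}" "${4:-60}"
```

Feed the output through iptables-restore --test first (iptables 1.6 or newer) so it is parsed without being committed, then to iptables-restore proper. Redirected overflow connections sit in conntrack and are counted by connlimit until they close, so the "server full" daemon should send its message and hang up right away.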
