The iptables recent match module is pretty cool; things like keeping the sodding ssh brute force guessers at bay are trivial: accept only X new connections to the ssh port within a minute, unless they come from a trusted known network. Two iptables lines.
Unfortunately, the module isn't overly stable internally and there are some rollover bugs like this one. I'd still give it some extra coolness points for allowing me to implement Port Knocking without any userland tools in 5 minutes:
# firewall that allows access to test service tcp 666 for 5 secs
# after port knocking to tcp ports 7481 and 3119 within 10 seconds
# use with netcat: nc targetbox 7481; nc targetbox 3119; nc targetbox 666;
iptables -F; iptables -X
iptables -N KNOCK1; iptables -N KNOCK2; iptables -N KNOCK3
iptables -A INPUT -p tcp --dport 7481 -j KNOCK1
iptables -A INPUT -p tcp --dport 3119 -j KNOCK2
# open 666 for 5 seconds once the source is on the KNOCKED list, drop otherwise
iptables -A INPUT -p tcp --dport 666 -m state --state NEW -m recent \
    --seconds 5 --rcheck --name KNOCKED -j ACCEPT
iptables -A INPUT -p tcp --dport 666 -m state --state NEW -j DROP
# if we see first: update first counter, reset second counter and reject
iptables -A KNOCK1 -m recent --set --name SEENFIRST
iptables -A KNOCK1 -m recent --remove --name KNOCKED
iptables -A KNOCK1 -j REJECT
# if we see second: update second counter, but only if first is given
# (within 10 seconds); KNOCK3 ends in REJECT, so the --remove below only
# runs for a second knock that arrives late or out of order
iptables -A KNOCK2 -m recent --rcheck --name SEENFIRST --seconds 10 -j KNOCK3
iptables -A KNOCK2 -m recent --remove --name SEENFIRST
iptables -A KNOCK3 -m recent --set --name KNOCKED
iptables -A KNOCK3 -j REJECT