We are about to start hosting one of our web sites internally, but before we do, we want to implement some rate limitting/QoS protection on our linux firewall.

This website is only the company intranet (that we want accessible from home). There would likely only ever be 20 remote connections at a time.

We will be using:
iptables ... -m recent --update --seconds X --hitcount Y
(as well as a few other things), but I am unsure what the best practice is for this.

What I want to know, is the typical/recommended numbers I should use for seconds and for hitcount. Is there a good web site that has good guidelines for this?