The UNIX and Linux Forums > Special Forums > IP Networking
#1  11-18-2008
PWSwebmaster (Registered User; Join Date: Feb 2006; Location: Canada; Posts: 33)
netstat - possible reasons for high IP count ???

One of my servers started getting heavily loaded a few weeks ago for a few hours, so I did some studying and wrote a script that uses netstat to get the IP addresses connected and the count. I put a new chain in iptables, and if an IP is using more than 40 connections, it gets added to that chain, which is then flushed every hour just to make sure no legitimate IP is blocked forever. If an IP is connected more than 100 times, it gets added directly to the INPUT chain and is therefore permanent until manually removed.

I'm mainly trying to figure out if those counts are good limits. Can there be legitimate reasons for an IP to be using more than 40 connections at a time? I tested going to a web page with 200 thumbnail images, and even then my IP was only listed a few times.
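As an added example (not the poster's script), the counting and two-tier chain decision described in the post can be done with netstat and awk as below. The chain name TEMPBLOCK, the dry run that prints the iptables commands instead of executing them, and the sample netstat lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not the poster's script. Count established TCP connections per
# remote IP from `netstat -nt` output; more than 40 goes to a temporary chain
# (flushed hourly from cron with `iptables -F TEMPBLOCK`), more than 100 goes
# straight into INPUT. TEMPBLOCK is an assumed chain name; commands are printed,
# not executed, so this runs anywhere.
TEMP_LIMIT=40
PERM_LIMIT=100
TEMP_CHAIN=TEMPBLOCK

# Constructed `netstat -nt` style lines: $1 = remote IP, $2 = number of connections.
sample_conns() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'tcp        0      0 10.0.0.5:80             %s:%d      ESTABLISHED\n' "$1" $((40000 + i))
        i=$((i + 1))
    done
}

# Read `netstat -nt` output on stdin and print "<count> <ip>" for ESTABLISHED
# connections, highest first. Column 5 is the foreign address, port after the colon.
count_by_ip() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
             ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Turn each "<count> <ip>" line into a decision: PERM (> PERM_LIMIT, INPUT chain,
# stays until removed by hand), TEMP (> TEMP_LIMIT, hourly-flushed chain) or OK.
classify() {
    while read -r count ip; do
        if [ "$count" -gt "$PERM_LIMIT" ]; then
            echo "PERM $ip $count iptables -I INPUT -s $ip -j DROP"
        elif [ "$count" -gt "$TEMP_LIMIT" ]; then
            echo "TEMP $ip $count iptables -A $TEMP_CHAIN -s $ip -j DROP"
        else
            echo "OK $ip $count"
        fi
    done
}

# Run the pipeline over three constructed clients and return the decision for one IP.
decision_for() {
    { sample_conns 203.0.113.9 120; sample_conns 198.51.100.7 55; sample_conns 192.0.2.4 3; } |
        count_by_ip | classify | awk -v ip="$1" '$2 == ip { print $1 }'
}

decision_for 203.0.113.9   # PERM
```

On a live box replace the constructed input with `netstat -nt | count_by_ip | classify` and have the TEMPBLOCK chain jumped to from INPUT, or nothing added to it takes effect.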
#2  11-19-2008
joquendo (Registered User; Join Date: Nov 2008; Location: New England; Posts: 5)
Have you isolated what programs were being accessed by those addresses? Depending on what exactly your script is doing, it may not be a practical idea. Large companies often have gateways which will make it seem as if one person (one IP) is accessing hundreds of instances of a page. So imagine, say, 200 people at Cisco viewing your site. While you see it as one address, the fact is, there are many people viewing the site.

What is the overall purpose of your script? Considering I can spoof addresses, if your firewall is misconfigured and your provider isn't doing BCP filtering, then as an attack vector I can make your server ignore everything via 0.0.0.0 spoofing.
#3  11-19-2008
PWSwebmaster (Registered User; Join Date: Feb 2006; Location: Canada; Posts: 33)
It's been different files and scripts, but mostly just files, being accessed at a high count from one IP like that.

Here's an example from log files for one case:

Quote:
60.50.105.33 - - [18/Nov/2008:08:45:04 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 91022 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:06 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 227228 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:13 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 115944 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:14 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 157814 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 156708 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 203672 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 198600 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Netstat showed that IP many times, so it wasn't their computer downloading a video a bit at a time. It looked more like they were downloading the same video a high number of times at once. There are about 400 videos there, so it wasn't 50 different people with the same OS and same gateway downloading the same video at the same time.

That IP is from Malaysia.
The host is: 33.105.50.60.klj03-home.tm.net.my and is probably from MY (MALAYSIA)

Most of the high count IPs have been from Malaysia, Taiwan, Poland, Japan and China.

When the server first started having high load trouble, I found the high number of connections to one file and renamed the file. Then, minutes later, the same IP would have a high number of connections to a different file. Then I blocked the IP from that site, and minutes later the same file was being accessed a high number of times from a different IP. I wrote a little script to block IPs from that site automatically, but then the IP would just keep changing and show as being from different countries. The script would just block access to the one site, which meant giving a 403 page each time. Next thing I knew, the volume was climbing and they were just getting the 403 page 100 times a second. It definitely looked to me like someone was trying to crash the server, so I had to look into blocking them from the whole server.

Since I started running my auto iptables script a week ago, the server load has pretty much quit spiking.

The odds of many people from one company on the same router going to a site at the same time are quite slim, but later on I can adjust my script to check the log files to see if the IPs are all accessing the same file and using the same browser, which would help prevent them from being blocked.
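The log check proposed in the post above, as an added example that is not the poster's code, run over constructed access-log lines in the same combined format as the quoted ones. Per IP it counts requests, distinct paths and distinct user agents, and separates one client re-fetching a single file from the shared-gateway case joquendo raised; MIN_HITS and the verdict names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's code. For each client IP in a combined-format
# access log: number of requests, distinct paths, distinct user agents, and a
# verdict. "hammer" = at least MIN_HITS requests, all for one path from one UA
# (one client re-fetching the same file); "shared" = several paths or UAs (what a
# NAT gateway in front of many browsers looks like); otherwise "low".
MIN_HITS=3

# Constructed log lines (documentation IPs, same layout as the real ones quoted).
SAMPLE_LOG='203.0.113.9 - - [18/Nov/2008:08:45:04 -0500] "GET /uploads/2476/clip.avi HTTP/1.1" 206 91022 "http://example.invalid/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.9 - - [18/Nov/2008:08:45:06 -0500] "GET /uploads/2476/clip.avi HTTP/1.1" 206 227228 "http://example.invalid/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.9 - - [18/Nov/2008:08:45:13 -0500] "GET /uploads/2476/clip.avi HTTP/1.1" 206 115944 "http://example.invalid/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
198.51.100.7 - - [18/Nov/2008:08:46:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.9)"
198.51.100.7 - - [18/Nov/2008:08:46:02 -0500] "GET /uploads/1033/other.avi HTTP/1.1" 206 65536 "-" "Opera/9.52 (Windows NT 5.1)"
198.51.100.7 - - [18/Nov/2008:08:46:03 -0500] "GET /style.css HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.4 - - [18/Nov/2008:08:47:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Wget/1.11"'

# Read combined-format lines on stdin and print, per IP:
#   <ip> <requests> <distinct paths> <distinct user agents> <verdict>
# Splitting on the double quote puts the request line in $2 and the UA in $6.
profile_log() {
    awk -F'"' -v min="$MIN_HITS" '
    {
        split($1, a, " "); ip = a[1]
        split($2, r, " "); path = r[2]
        ua = $6
        hits[ip]++
        if (!((ip, path) in seen_path)) { seen_path[ip, path] = 1; paths[ip]++ }
        if (!((ip, ua) in seen_ua))     { seen_ua[ip, ua] = 1; uas[ip]++ }
    }
    END {
        for (ip in hits) {
            v = "low"
            if (hits[ip] >= min && paths[ip] == 1 && uas[ip] == 1) v = "hammer"
            else if (paths[ip] > 1 || uas[ip] > 1) v = "shared"
            print ip, hits[ip], paths[ip], uas[ip], v
        }
    }' | sort
}

# Verdict for a single IP from the constructed sample.
verdict_for() {
    printf '%s\n' "$SAMPLE_LOG" | profile_log | awk -v ip="$1" '$1 == ip { print $5 }'
}

verdict_for 203.0.113.9   # hammer
```

Against a real log, `profile_log < /var/log/httpd/access_log` gives the per-IP table; only the "hammer" rows are candidates for the block chain, and the "shared" rows are the gateways the blocking script should leave alone.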
#4  11-25-2008
techlinux (Registered User; Join Date: Jul 2008; Posts: 86)
You may want to consider either blocking or bandwidth throttling.
There are a number of ways to set bandwidth limits depending on your configuration.
The UNIX and Linux Forums Content Copyright ©1993-2009. All Rights Reserved.