I don't have an answer for nr. 2 (see below).
For 1. and 3. you can use the limit module:
Control the network packet number rate:
iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
Control the total number of open TCP connections (per second):
iptables -A INPUT -m state -m tcp -p tcp --dport 80 --state RELATED,ESTABLISHED -m limit --limit 10/second -j ACCEPT
Alternatively you can use the hashlimit module:
Control the network packet number rate:
iptables -A INPUT -m hashlimit -m tcp -p tcp --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 10/sec --hashlimit-burst 2 --hashlimit-htable-expire 30000 --hashlimit-name pktlimit -j DROP
Control the total number of open TCP connections (per second):
iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 80 --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name connlimit -m state --state RELATED,ESTABLISHED -j DROP
You can monitor how hashlimit is performing for you by looking at:
cat /proc/net/ipt_hashlimit/pktlimit
cat /proc/net/ipt_hashlimit/connlimit
EDIT:
In a world where NAT is dominant, does it really make sense to limit the number of source IP addresses like you want to do in nr. 2? I think it makes more sense to limit the total number of open TCP connections, like this:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
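
Added example, not part of the original answer: a simplified Python model of the token bucket behind the limit and hashlimit rules above. It shows why one shared bucket lets a busy source crowd out a quiet one, while per-source buckets (srcip, srcmask 32) do not. The class, the function names and the traffic are constructed for illustration; the model approximates the modules' accounting and is not the kernel's code.

```python
import ipaddress
from collections import Counter

COST = 1000  # credits one packet costs; a bucket refills `rate` credits per ms


class TokenBucketLimit:
    """Simplified model of the token bucket behind -m limit / -m hashlimit."""

    def __init__(self, rate_per_sec, burst, srcmask):
        self.rate = rate_per_sec
        self.cap = burst * COST
        self.srcmask = srcmask   # 32 = one bucket per source IP, 0 = one shared bucket
        self.buckets = {}        # bucket key -> (credits, last_update_ms)

    def key(self, src):
        # Mask the source address the way --hashlimit-srcmask groups sources.
        net = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        return str(net.network_address)

    def over_limit(self, src, now_ms):
        k = self.key(src)
        credits, last = self.buckets.get(k, (self.cap, now_ms))
        credits = min(self.cap, credits + (now_ms - last) * self.rate)
        over = credits < COST
        # A packet over the limit spends nothing; one under it pays COST.
        self.buckets[k] = (credits if over else credits - COST, now_ms)
        return over


def over_limit_counts(limiter, packets):
    """Count, per source, the packets that exceeded the limit."""
    return dict(Counter(src for t, src in packets if limiter.over_limit(src, t)))


# Constructed traffic, one second long: a noisy host at 50 packets/s and a
# quiet host at 5 packets/s (documentation address ranges).
NOISY, QUIET = "198.51.100.7", "203.0.113.9"
PACKETS = sorted([(t, NOISY) for t in range(0, 1000, 20)] +
                 [(t, QUIET) for t in range(0, 1000, 200)])

# Shared bucket, like "-m limit --limit 10/s" (the limit module's default burst is 5).
shared = over_limit_counts(TokenBucketLimit(10, 5, srcmask=0), PACKETS)
# Per-source buckets, like "--hashlimit-mode srcip --hashlimit-srcmask 32
# --hashlimit-above 10/sec --hashlimit-burst 2".
per_source = over_limit_counts(TokenBucketLimit(10, 2, srcmask=32), PACKETS)

if __name__ == "__main__":
    print("shared bucket, packets over limit:", shared)
    print("per-source buckets, packets over limit:", per_source)
```

With the shared bucket the quiet host has packets over the limit although it never exceeds 10 packets per second itself; with per-source buckets only the noisy host does.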