1. Limit the number of concurrent connections from a single source IP to port 80 to 10 (adjust the number as needed). The rule is:

```shell
# connlimit counts existing connections per source address; the 11th and later are dropped
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
```
2. Use the recent module to limit how many new connections the same IP may open within a time window. For more on the recent module, see: iptables module recent application. The rules are:

```shell
# 10 new connections per source within 60 seconds; beyond that, log the packet (LOG is non-terminating)
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix 'DDOS: ' --log-ip-options
# 10 new connections per source within 60 seconds; beyond that, drop the packet
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j DROP
# within the limit: record the hit and allow the connection
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --set -j ACCEPT
```
The rules above are fairly simple; below is a more complete configuration. On CentOS/Red Hat/Fedora, run the following on the server: `vi /etc/sysconfig/iptables`, delete the existing contents, enter the following and save:

```
# Generated by iptables-save v1.3.5 on Sun Dec 12 23:55:59 2010
*filter
:INPUT DROP [385263:27864079]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4367656:3514692346]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
# record every new connection to port 80 in the "web" list, keyed by source address
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name web --rsource
# drop a source that has opened 20 or more new connections within 5 seconds
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 --rttl --name web --rsource -j DROP
-A INPUT -p tcp -m multiport --ports 21,22,80 -j ACCEPT
# drop SYNs whose TTL is exactly 117
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m ttl --ttl-eq 117 -j DROP
# drop SYN packets of 40 bytes or less
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m length --length 0:40 -j DROP
# drop new connections that do not start with a SYN
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Sun Dec 12 23:55:59 2010
```
This configuration opens only three TCP ports: 21 (FTP), 22 (SSH) and 80 (HTTP web site), and limits each source to 20 new connections to port 80 within 5 seconds.

Restart the iptables service: `/etc/init.d/iptables restart`

Make iptables start at boot: `chkconfig iptables on`
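The two recent-module patterns on this page behave differently against a source that keeps sending: the section 2 rules check with `--rcheck` and only reach `--set` when a packet is accepted, while the `/etc/sysconfig/iptables` rules run `--set` first and then `--update`. The following model of the recent match (an added example, not code from the original post or from iptables itself) replays constructed SYN timestamps through both rule orders; it assumes the kernel default ring of 20 stamps per source, and the source address and traffic are constructed.

```python
"""Model of the iptables 'recent' match as used by the rules above (added example,
not the post's own code).  Times are integer milliseconds; the per-source stamp
ring is the kernel default ip_pkt_list_tot=20; 198.51.100.7 is a constructed source."""
from collections import defaultdict, deque


class RecentList:
    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        """--set: record a hit; the rule itself always matches."""
        self.stamps[src].append(now)

    def match(self, src, now, window_ms, hitcount, update=False):
        """--rcheck / --update: match when >= hitcount stamps fall inside the window.
        --update also records this packet, but only when it matched."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= window_ms)
        matched = hits >= hitcount
        if update and matched:
            self.stamps[src].append(now)
        return matched


def verdict_rcheck_chain(lst, src, now, window_ms=60_000, hitcount=10):
    """Section 2: LOG (--rcheck) -> DROP (--rcheck) -> ACCEPT (--set).
    A dropped SYN never reaches --set, so the block lapses as old hits age out."""
    if lst.match(src, now, window_ms, hitcount):  # LOG matches too, non-terminating
        return "DROP"
    lst.set(src, now)
    return "ACCEPT"


def verdict_update_chain(lst, src, now, window_ms=5_000, hitcount=20):
    """/etc/sysconfig/iptables: --set (no target) -> --update DROP -> multiport ACCEPT.
    --set runs first, so every SYN adds a stamp and a persistent source stays blocked."""
    lst.set(src, now)
    if lst.match(src, now, window_ms, hitcount, update=True):
        return "DROP"
    return "ACCEPT"


def simulate(chain, times_ms, **kw):
    """Feed one source's SYN timestamps through a fresh list; return the verdicts."""
    lst = RecentList()
    return [chain(lst, "198.51.100.7", t, **kw) for t in times_ms]


# Constructed traffic: a 20-SYN burst, then a steady 4 SYN/s from t=3 s to t=12 s.
BURST = [100 * i for i in range(20)]
PERSIST = [3000 + 250 * i for i in range(37)]
```

Run on the same 5-second/20-hit limit, the `--rcheck` order lets the source back in 5 seconds after its burst, whereas the `--set` then `--update` order keeps dropping it for as long as it sustains 4 SYN/s.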