A CC (Challenge Collapsar, HTTP flood) attack feels a bit like a siege: even correctly configured protection rules can leave the server quite unstable under it. Below are iptables rules that limit the connection frequency and the number of concurrent connections of a single client IP, followed by an explanation of the options used.
# A single IP is allowed to open at most 20 new connections within 60 seconds; this assumes the web port is 80.
iptables -I INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
iptables -I INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
# Limit the maximum number of concurrent connections from a single IP to 20 (the original line was missing the DROP target).
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j DROP
# At most 20 initial (SYN) connections per IP.
iptables -I INPUT -p tcp --syn -m connlimit --connlimit-above 20 -j DROP
Parameter explanation:
-p protocol
-m module_name:
-m tcp means using the TCP extension module (the TCP extension module provides options such as --dport, --tcp-flags and --syn).
recent module:
--name # name of the address list; the default is DEFAULT.
--rsource # match on the source address; this is the default.
--rdest # match on the destination address.
--seconds # the time window, in seconds, within which hits are counted.
--hitcount # the number of hits required to match.
--set # add the address to the list and update its information, including the timestamp of the added address.
--rcheck # check whether the address is in the list; the time is counted from the first match.
--update # like --rcheck, but the time is counted from the last match (the timestamp is refreshed on a match).
--remove # remove the corresponding address from the list; followed by the list name and address.
connlimit module:
The connlimit module limits the number of concurrent connections per client IP, that is, how many connections each IP may hold to the server at the same time.
The connlimit module can restrict the network usage of intranet users, and on a server it limits the number of connections each IP may establish.
--connlimit-above N # match when the number of connections exceeds N.
--connlimit-mask N # the prefix length used to group hosts; the default is --connlimit-mask 32, that is, each IP is counted on its own.
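The three rules above, wrapped into one reusable shell function with a dry-run mode so the generated commands can be reviewed before they are applied. This is an added example, not code from the original post; it assumes the post's defaults (interface eth1, port 80, limits of 20) and the list name WEBFLOOD is my own choice.

```shell
#!/bin/sh
# Added example: web-flood protection rules as a function. The real iptables binary is
# only invoked when APPLY=1 (requires root); otherwise each command is printed.
# Arguments (all optional): interface, port, max new connections, window seconds, max concurrent.
web_flood_rules() {
    iface="${1:-eth1}"; port="${2:-80}"
    max_new="${3:-20}"; window="${4:-60}"; max_conc="${5:-20}"
    if [ "${APPLY:-0}" = "1" ]; then ipt="iptables"; else ipt="echo iptables"; fi

    # Rule order matters: --set records every new connection first, then --update
    # checks whether this source already has max_new entries inside the window.
    # (The post inserts with -I twice, which produces this same order in the chain.)
    # Caveat: xt_recent keeps at most ip_pkt_list_tot timestamps per address
    # (default 20), so a --hitcount above 20 needs the module loaded with a larger value.
    $ipt -A INPUT -i "$iface" -p tcp -m tcp --dport "$port" -m state --state NEW \
        -m recent --set --name WEBFLOOD --rsource
    $ipt -A INPUT -i "$iface" -p tcp -m tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$window" --hitcount "$max_new" \
        --name WEBFLOOD --rsource -j DROP

    # Concurrent connections per source IP to the web port (the post's second rule,
    # with the missing DROP target supplied). --connlimit-mask 32 = one counter per IP.
    $ipt -A INPUT -p tcp --dport "$port" \
        -m connlimit --connlimit-above "$max_conc" --connlimit-mask 32 -j DROP

    # Initial (SYN) connections per source IP on any TCP port (the post's third rule).
    $ipt -A INPUT -p tcp --syn \
        -m connlimit --connlimit-above "$max_conc" --connlimit-mask 32 -j DROP
}

# Number of rules the function would apply; a sanity check for the dry-run output.
web_flood_rule_count() {
    web_flood_rules "$@" | grep -c '^iptables '
}

web_flood_rules "$@"
```

Run it once without APPLY to inspect the four commands, then with `APPLY=1` as root to install them; remember that `-A` appends, so an earlier ACCEPT rule for port 80 in INPUT would bypass these.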