Mitigating DDoS attacks
# Prevent SYN attacks: lightweight protection
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Prevent too many DoS connections from coming in: allow each IP at most 15 initial connections on the external network card and drop the rest
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mitigate DDoS with iptables (same reasoning as above)
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# (an ACCEPT rule under "-m limit" only limits anything if the SYNs that exceed the rate are dropped by a later rule or by the chain policy)
Mitigating CC attacks
When an Apache site is hit by a serious CC attack, iptables can be used to keep the web server from being overwhelmed and to block attacking IPs automatically.
1. System requirements
(1) Linux kernel version: 2.6.9-42.ELsmp or 2.6.9-55.ELsmp (other kernel versions require recompiling the kernel, which is more cumbersome but also achievable).
(2) iptables version: 1.3.7
2. Installation
Install iptables 1.3.7 and the connlimit kernel module that matches the system kernel version, kernel-smp-modules-connlimit.
3. Configure the corresponding iptables rules
Examples are as follows:
(1) Control the maximum number of concurrent connections from a single IP
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 25 -j REJECT   # allow a single IP at most 25 connections
# Early iptables modules did not include connlimit; you need to compile and load it yourself.
(2) Control the number of new connections a single IP may open within a given time (such as 60 seconds)
# The first rule is cut off after "-j" in the original; "--seconds 60" follows from the comment below and DROP is the assumed target.
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j DROP
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --set -j ACCEPT
# A single IP may open at most 30 new connections within 60 seconds.
# Two caveats: as written, every packet to port 80 counts as a hit, so add --syn to both rules if only connection attempts should count; and the recent module remembers only ip_pkt_list_tot timestamps per address (20 by default) and refuses a --hitcount larger than that, so load it with ip_pkt_list_tot=30 or more for this rule.
View in real time the number of connections established by the simulated attacking client:
watch 'netstat -an | grep :21 | grep <attack ip> | wc -l'
View the number of packets from the simulated attacking client that are being DROPped:
watch 'iptables -L -n -v | grep <attack ip>'
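The two watch commands above only track one known address. The following added example (mine, not from the original post) summarises the same two outputs for every remote address at once: established connections per IP from netstat -an, and packets hit by per-source DROP rules from iptables -L -n -v. The function names, the thresholds passed to them and the two sample outputs (documentation-range IPs) are constructed for the example; the helpers read stdin, so live output can be piped in instead.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the monitoring
# commands' output per remote address. Thresholds are passed as arguments;
# the sample data below is constructed, not captured from a real host.

# Established connections to local port $1 (default 80), printed as
# "count ip", highest first. Accepts tcp and tcp6 lines; the trailing
# ":port" is stripped from the foreign address.
conns_per_ip() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            ip = $5; sub(/:[0-9]*$/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Keep only "count ip" lines whose count is above $1 (default 25), i.e. the
# addresses a "--connlimit-above 25" rule would be rejecting right now.
over_limit() {
    awk -v max="${1:-25}" '$1 > max'
}

# Packets matched by per-source DROP rules in `iptables -L -n -v` output
# (use -x as well for exact counters instead of K/M-suffixed ones), printed
# as "pkts source", highest first. Rules with source 0.0.0.0/0 are skipped:
# they are catch-all rules, not per-IP blocks.
drops_per_source() {
    awk '$3 == "DROP" && $8 != "0.0.0.0/0" && $8 ~ /^[0-9]/ { d[$8] += $1 }
         END { for (s in d) print d[s], s }' | sort -rn
}

# Constructed netstat -an output (documentation-range addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.4:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.4:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:40003      TIME_WAIT
EOF
}

# Constructed iptables -L -n -v output for an INPUT chain with a connlimit
# DROP rule, two single-address blocks and one catch-all flags rule.
sample_iptables() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  317 19020 DROP       tcp  --  eth0   *       203.0.113.7          0.0.0.0/0            tcp flags:0x17/0x02 #conn src/32 > 15
   12   720 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
    5   300 DROP       all  --  *      *       198.51.100.4         0.0.0.0/0
 1044 62640 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
EOF
}

echo "== established connections to :80 =="
sample_netstat | conns_per_ip 80
echo "== above a limit of 2 (lowered from 25 so the sample trips it) =="
sample_netstat | conns_per_ip 80 | over_limit 2
echo "== packets dropped per source =="
sample_iptables | drops_per_source
```

On a live host, replace the sample functions with `netstat -an | conns_per_ip 80 | over_limit 25` and `iptables -L -n -v -x | drops_per_source`; a source whose drop counter keeps climbing while its connection count stays at the limit is the rule doing its job.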
Addendum: configure the firewall to prevent SYN and DDoS attacks
[root@m176com ~]# vim /etc/sysconfig/iptables
Add the following lines to the iptables configuration
# anti SYN, DDoS
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Description
First line: allow at most 5 new connections per second
Second line: prevent various port scans
Third line: ping flood attack (ping of death)
These can be adjusted or disabled as needed.
Restart the firewall
[root@m176com ~]# /etc/init.d/iptables restart
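The descriptions above give the intent of each rate-limiting rule, but what "-m limit --limit 1/s --limit-burst 5" or "-m recent --seconds 60 --hitcount 30" admits on a real burst is easier to see by simulation. The following added example (mine, not from the page) models the token bucket behind the limit match and the per-address timestamp ring behind the recent match, and runs both over constructed packet timelines: 20 SYNs in the first second followed by one per second, and an address sending 40 SYNs in 40 seconds next to a normal client. The function names, the timelines and the addresses are assumptions of the example; the rate, burst, window and hitcount values are the ones used in the rules on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: simulate the two rate-limit
# matches used on this page over constructed traffic.

# limit_sim RATE BURST: token bucket as in "-m limit --limit RATE/s
# --limit-burst BURST". Input: one packet arrival time (seconds) per line.
# The bucket starts full at BURST, refills RATE tokens per second up to
# BURST, and a packet is accepted only if a whole token is available.
limit_sim() {
    awk -v rate="$1" -v burst="$2" '
        BEGIN { credit = burst; last = 0 }
        {
            t = $1 + 0
            credit += (t - last) * rate
            if (credit > burst) credit = burst
            last = t
            if (credit >= 1) { credit -= 1; acc++ } else { drop++ }
        }
        END { printf "%d accepted %d dropped\n", acc, drop }'
}

# recent_sim SECONDS HITCOUNT [LIST_TOT]: "-m recent --update --seconds S
# --hitcount H -j DROP" followed by "--set -j ACCEPT". Input: "time ip" per
# line. The kernel keeps the last LIST_TOT timestamps per address
# (ip_pkt_list_tot, 20 by default, and HITCOUNT may not exceed it); a packet is
# dropped when at least HITCOUNT stored stamps fall inside the window, and
# every packet adds its own stamp afterwards (either via --update or --set).
recent_sim() {
    awk -v secs="$1" -v hits="$2" -v tot="${3:-20}" '
        {
            t = $1 + 0; ip = $2
            c = 0
            for (i = 0; i < cnt[ip] && i < tot; i++)
                if (t - stamp[ip, i] <= secs) c++
            if (c >= hits) drop[ip]++; else acc[ip]++
            stamp[ip, cnt[ip] % tot] = t; cnt[ip]++
        }
        END {
            for (ip in cnt)
                printf "%s %d accepted %d dropped\n", ip, acc[ip], drop[ip]
        }' | sort
}

# Constructed timeline: 20 SYNs spread over the first second, then one SYN
# per second at t = 2..6.
burst_times() {
    awk 'BEGIN { for (i = 0; i < 20; i++) printf "%.2f\n", i * 0.05
                 for (s = 2; s <= 6; s++) print s }'
}

# Constructed timeline: 203.0.113.7 sends one SYN per second for 40 s;
# 198.51.100.4 sends one every 10 s. Both addresses are documentation ranges.
syn_log() {
    awk 'BEGIN { for (t = 0; t < 40; t++) print t, "203.0.113.7"
                 for (t = 0; t <= 40; t += 10) print t, "198.51.100.4" }'
}

echo "--limit 1/s --limit-burst 5 (the 'anti SYN' FORWARD rule):"
burst_times | limit_sim 1 5
echo "--limit 3/s --limit-burst 6 (the syn-flood chain):"
burst_times | limit_sim 3 6
echo "--seconds 60 --hitcount 30 with ip_pkt_list_tot=30:"
syn_log | recent_sim 60 30 30
```

The first run shows that "1/s with burst 5" admits 5 of the 20 SYNs in the opening second and then exactly one per second, so the rule is a sustained 1/s rate with a 5-packet cushion rather than 5 per second. The recent run drops the attacker's 31st and later SYNs while the normal client is untouched; passing a smaller list size (for example 20) shows why the module insists on ip_pkt_list_tot being at least the hitcount.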
Block an IP
iptables -I INPUT -s 192.168.0.1 -j DROP
How to stop others from pinging me?
iptables -A INPUT -p icmp -j DROP
Prevent SYN packet floods (SYN flood)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Prevent various port scans
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (ping of death)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# NMAP FIN/URG/PSH
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null scan (possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN scan (possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Limit the rate of fragmented packets sent inward
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Limit the forwarding rate of fragments (the original comment is cut off here)
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
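The scan rules above all rely on "--tcp-flags MASK COMP", which matches when the packet's flags restricted to MASK equal COMP exactly (ALL is all six flags, NONE is none). Because most of these rules use ALL as the mask, a packet with one extra flag set slips past them, which is easy to overlook when reading the list. The following added example (mine, not from the page) implements that comparison in plain sh and runs constructed flag combinations through the six rules in the order they appear above; the function names and the sample packets are assumptions of the example, the masks and comparison values are the page's own.

```shell
#!/bin/sh
# Added example, not part of the original page: a matcher for the
# "--tcp-flags MASK COMP" semantics, applied to the scan rules above in
# page order. Packets are represented as comma-separated flag names.

ALL_FLAGS="FIN,SYN,RST,PSH,ACK,URG"

# has_flag LIST NAME: succeed if NAME appears in the comma-separated LIST.
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# tcp_flags_match MASK COMP PKT_FLAGS: succeed if (PKT_FLAGS & MASK) == COMP.
# Flags outside MASK are ignored, which is exactly why an "ALL" mask demands
# an exact combination while "SYN,FIN SYN,FIN" tolerates extra flags.
tcp_flags_match() {
    mask=$1; comp=$2; pkt=$3
    [ "$mask" = "ALL" ] && mask=$ALL_FLAGS
    [ "$comp" = "ALL" ] && comp=$ALL_FLAGS
    [ "$comp" = "NONE" ] && comp=""
    for f in $(echo "$mask" | tr ',' ' '); do
        if has_flag "$pkt" "$f"; then
            has_flag "$comp" "$f" || return 1
        else
            has_flag "$comp" "$f" && return 1
        fi
    done
    return 0
}

# classify PKT_FLAGS: print the label of the first scan rule above that the
# packet hits, or "pass" if none of the six matches.
classify() {
    pkt=$1
    tcp_flags_match ALL FIN,URG,PSH "$pkt" && { echo "NMAP FIN/URG/PSH"; return 0; }
    tcp_flags_match ALL ALL "$pkt" && { echo "Xmas Tree"; return 0; }
    tcp_flags_match ALL SYN,RST,ACK,FIN,URG "$pkt" && { echo "Another Xmas Tree"; return 0; }
    tcp_flags_match ALL NONE "$pkt" && { echo "Null scan"; return 0; }
    tcp_flags_match SYN,RST SYN,RST "$pkt" && { echo "SYN/RST"; return 0; }
    tcp_flags_match SYN,FIN SYN,FIN "$pkt" && { echo "SYN/FIN scan"; return 0; }
    echo "pass"
}

# Constructed sample packets: normal handshake segments, the classic scan
# shapes, and one Xmas-like packet with an extra ACK that no ALL-mask rule
# catches.
for pkt in "SYN" "SYN,ACK" "FIN,URG,PSH" "" "SYN,FIN,ACK" "SYN,RST,ACK,FIN,URG" \
           "$ALL_FLAGS" "FIN,PSH,URG,ACK"; do
    printf '%-24s -> %s\n' "${pkt:-<none>}" "$(classify "$pkt")"
done
```

The last sample, FIN,PSH,URG,ACK, passes every rule: the ALL-mask rules need the exact set and the SYN-mask rules need SYN. That is the point to keep in mind when reading or extending a flags-based rule list, and the reason the page pairs these rules with rate limits rather than relying on them alone.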
A nice firewall rule set.
#####################################################
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 1068 -j DROP
-A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m udp --dport 138 -j DROP
-A FORWARD -p udp -m udp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 1068 -j DROP
-A FORWARD -p tcp -m tcp --dport 5554 -j DROP
-A FORWARD -p icmp -j DROP
:PREROUTING ACCEPT [986908:53126959]
:POSTROUTING ACCEPT [31401:2008714]
:OUTPUT ACCEPT [30070:1952143]
-A POSTROUTING -p tcp -m tcp --dport 445 -j DROP
#####################################################
iptables firewall example
#!/bin/bash
#
# The interface that connects to the Internet
# echo
echo "Enable IP forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules ..."
IFACE="eth0"
# include modules
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_MASQUERADE
# init
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -X -t mangle
# drop all
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
# the --limit rate is missing in the original; 20/sec is the value used in the rule set above
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP
/sbin/iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
# Open ports
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 100 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 113 -j ACCEPT
# Close ports
iptables -I INPUT -p udp --dport 69 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I INPUT -p tcp --dport 136 -j DROP
iptables -I INPUT -p udp --dport 136 -j DROP
iptables -I INPUT -p tcp --dport 137 -j DROP
iptables -I INPUT -p udp --dport 137 -j DROP
iptables -I INPUT -p tcp --dport 138 -j DROP
iptables -I INPUT -p udp --dport 138 -j DROP
iptables -I INPUT -p tcp --dport 139 -j DROP
iptables -I INPUT -p udp --dport 139 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I INPUT -p udp --dport 445 -j DROP
iptables -I INPUT -p tcp --dport 593 -j DROP
iptables -I INPUT -p udp --dport 593 -j DROP
iptables -I INPUT -p tcp --dport 1068 -j DROP
iptables -I INPUT -p udp --dport 1068 -j DROP
iptables -I INPUT -p tcp --dport 4444 -j DROP
iptables -I INPUT -p udp --dport 4444 -j DROP
iptables -I INPUT -p tcp --dport 5554 -j DROP
iptables -I INPUT -p tcp --dport 1434 -j DROP
iptables -I INPUT -p udp --dport 1434 -j DROP
iptables -I INPUT -p tcp --dport 2500 -j DROP
iptables -I INPUT -p tcp --dport 5800 -j DROP
iptables -I INPUT -p tcp --dport 5900 -j DROP
iptables -I INPUT -p tcp --dport 6346 -j DROP
iptables -I INPUT -p tcp --dport 6667 -j DROP
iptables -I INPUT -p tcp --dport 9393 -j DROP
iptables -I FORWARD -p udp --dport 69 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --dport 136 -j DROP
iptables -I FORWARD -p udp --dport 136 -j DROP
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 593 -j DROP
iptables -I FORWARD -p udp --dport 593 -j DROP
iptables -I FORWARD -p tcp --dport 1068 -j DROP
iptables -I FORWARD -p udp --dport 1068 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP
iptables -I FORWARD -p udp --dport 4444 -j DROP
iptables -I FORWARD -p tcp --dport 5554 -j DROP
iptables -I FORWARD -p tcp --dport 1434 -j DROP
iptables -I FORWARD -p udp --dport 1434 -j DROP
iptables -I FORWARD -p tcp --dport 2500 -j DROP
iptables -I FORWARD -p tcp --dport 5800 -j DROP
iptables -I FORWARD -p tcp --dport 5900 -j DROP
iptables -I FORWARD -p tcp --dport 6346 -j DROP
iptables -I FORWARD -p tcp --dport 6667 -j DROP
iptables -I FORWARD -p tcp --dport 9393 -j DROP
/sbin/iptables -A INPUT -i $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -m state --state NEW,INVALID -j DROP
# Drop ping
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -I INPUT -s 222.182.40.241 -j DROP