# Prevent SYN attacks (lightweight protection)
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Prevent a DoS from opening too many connections: allow at most 15 initial (SYN) connections per IP on the external NIC, drop anything above that
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mitigate DDoS with iptables (parameters as above); these rules only ACCEPT SYNs within the limit, so the excess is stopped only if the chain policy is DROP or a later rule drops it
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
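To see what `--limit 3/s --limit-burst 6` in the syn-flood chain above actually lets through, here is an added Python model of the limit match's token bucket (example code written for this page, not from the original article; the real xt_limit counts credits in kernel ticks, so this is an idealised approximation with constructed arrival times):

```python
# Added model of iptables' limit match as used in the syn-flood chain:
#   -m limit --limit 3/s --limit-burst 6 -j RETURN, otherwise REJECT.
# Idealised token bucket; real xt_limit works in kernel ticks.
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate: float                 # --limit: tokens refilled per second
    burst: int                  # --limit-burst: bucket capacity, starts full
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def match(self, now: float) -> bool:
        """True when a token is available for a packet arriving at time `now`."""
        # Refill at `rate` tokens per second, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(syn_times, rate=3.0, burst=6):
    """Verdict of the syn-flood chain for each SYN arrival time (seconds, ascending):
    within the limit the rule RETURNs (the SYN continues), otherwise it is REJECTed."""
    limiter = LimitMatch(rate, burst)
    return ["RETURN" if limiter.match(t) else "REJECT" for t in syn_times]


def demo():
    # Constructed traffic: 10 SYNs at once (a burst), 5 more one second later,
    # and a polite client sending one SYN every half second.
    flood = syn_flood_chain([0.0] * 10 + [1.0] * 5)
    polite = syn_flood_chain([i * 0.5 for i in range(20)])
    return flood.count("REJECT"), polite.count("REJECT")


if __name__ == "__main__":
    print(demo())   # (6, 0): 4 of the first 10 and 2 of the next 5 are rejected
```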
Mitigating CC attacks
When an Apache site comes under a heavy CC attack, iptables can be used to keep the web server from being overwhelmed by the CC traffic and to block the attacking IPs automatically.
1. System requirements
(1) Linux kernel version: 2.6.9-42.ELsmp or 2.6.9-55.ELsmp (other kernel versions require recompiling the kernel, which is cumbersome but also workable).
(2) iptables version: 1.3.7
2. Installation
Install the connlimit kernel module matching iptables 1.3.7 and the system kernel version: kernel-smp-modules-connlimit
3. Configure the appropriate iptables rules
Examples are as follows:
(1) Limit the maximum number of concurrent connections from a single IP
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 25 -j REJECT # allow at most 25 connections from a single IP (connlimit groups by source address, /32, by default)
# Early iptables modules did not include connlimit; it has to be compiled and loaded separately
(2) Limit the number of new connections a single IP may establish within a given time (for example, 60 seconds)
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --set -j ACCEPT
# A single IP is allowed at most 30 new connections within 60 seconds. As written, every packet to port 80 is counted, not only connection attempts; add --syn to both rules to count SYNs only. On older kernels (including the 2.6 series above) the recent module remembers at most ip_pkt_list_tot packets per address (default 20) and refuses a rule whose hitcount exceeds it, so load it with a larger ip_pkt_list_tot first.
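The following added Python model (written for this page, not the article's own code) walks through the two `recent` rules above on constructed traffic, showing that a source is rejected from its 31st hit in the window onward, that `--update` keeps a still-attacking source blocked, and that it is admitted again once it has been quiet for more than 60 seconds. It assumes the per-address packet list holds at least 30 timestamps.

```python
# Added model of the two `recent` rules above (not the article's own code):
#   -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j REJECT
#   -m recent --name bad_http_access --set -j ACCEPT
# Assumes the module keeps 30 timestamps per address (ip_pkt_list_tot=30).
from collections import defaultdict, deque


class RecentList:
    def __init__(self, seconds=60.0, hitcount=30, pkt_list_tot=30):
        self.seconds = seconds              # --seconds: window in which hits are counted
        self.hitcount = hitcount            # --hitcount: hits in the window that trigger a match
        self.pkt_list_tot = pkt_list_tot    # timestamps remembered per source address
        self.table = defaultdict(deque)     # source -> arrival timestamps

    def _record(self, src, now):
        stamps = self.table[src]
        stamps.append(now)
        while len(stamps) > self.pkt_list_tot:   # the oldest stamp is forgotten
            stamps.popleft()

    def verdict(self, src, now):
        """Verdict for one port-80 packet from `src` arriving at time `now` (seconds)."""
        if src in self.table:
            hits = sum(1 for t in self.table[src] if now - t <= self.seconds)
            if hits >= self.hitcount:
                self._record(src, now)   # --update: a rejected packet still refreshes the entry
                return "REJECT"
        self._record(src, now)           # --set: remember this packet, then ACCEPT
        return "ACCEPT"


def simulate(events):
    """events: constructed (timestamp, source) pairs in arrival order -> list of verdicts."""
    recent = RecentList()
    return [recent.verdict(src, t) for t, src in events]


if __name__ == "__main__":
    attacker = [(float(t), "10.0.0.9") for t in range(35)]      # one attempt per second
    print(simulate(attacker).count("REJECT"))                    # 5: blocked from the 31st on
    print(simulate(attacker + [(100.0, "10.0.0.9")])[-1])       # ACCEPT: quiet for over 60 s
```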
Watch in real time the number of connections established by the simulated attacking client:
watch 'netstat -an | grep :21 | grep <attack ip> | wc -l'
View the number of packets from the simulated attacking client that were dropped:
watch 'iptables -L -n -v | grep <attack ip>'
From another article: configure the firewall to prevent SYN and DDoS attacks
# vim /etc/sysconfig/iptables
Add the following lines to the iptables configuration
# anti SYN, DDoS
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Description
First line: allow at most 5 new connections per second
Second line: prevent various port scans
Third line: ping flood attack (ping of death)
These can be adjusted or disabled as needed. Note that all three rules only ACCEPT traffic within the limit; packets exceeding it are stopped only if the FORWARD policy is DROP or a later rule drops them.
Restart the firewall
# /etc/init.d/iptables restart
Block an IP
# iptables -I INPUT -s 192.168.0.1 -j DROP
How to stop others from pinging me?
# iptables -A INPUT -p icmp -j DROP
Prevent SYN packet flooding (SYN flood)
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Prevent various port scans
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (ping of death)
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# NMAP FIN/URG/PSH
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas tree
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas tree
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null scan (possibly)
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN scan (possibly)
# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## Limit the rate of packets sent inward (-f matches only second and later IP fragments)
# iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
## Limit the rate of forwarded connection packets
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
A nice firewall rule set (iptables-save format)
#####################################################
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 1068 -j DROP
-A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m udp --dport 138 -j DROP
-A FORWARD -p udp -m udp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 1068 -j DROP
-A FORWARD -p tcp -m tcp --dport 5554 -j DROP
-A FORWARD -p icmp -j DROP
:PREROUTING ACCEPT [986908:53126959]
:POSTROUTING ACCEPT [31401:2008714]
:OUTPUT ACCEPT [30070:1952143]
-A POSTROUTING -p tcp -m tcp --dport 445 -j DROP
#####################################################
iptables firewall example
#!/bin/bash
#
# The interface that connects to the Internet
#
echo "Enable IP Forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules ..."
IFACE="eth0"
# include modules
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_MASQUERADE
# init: flush rules, delete user chains, zero counters
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -X -t mangle
# default policies: drop inbound, accept forwarded and outbound
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# rate limits: fragments, new SYNs, ICMP
/sbin/iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP
/sbin/iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
# Open ports
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 100 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 113 -j ACCEPT
# Close ports (inserted at the top of the chain, so they take precedence)
iptables -I INPUT -p udp --dport 69 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I INPUT -p tcp --dport 136 -j DROP
iptables -I INPUT -p udp --dport 136 -j DROP
iptables -I INPUT -p tcp --dport 137 -j DROP
iptables -I INPUT -p udp --dport 137 -j DROP
iptables -I INPUT -p tcp --dport 138 -j DROP
iptables -I INPUT -p udp --dport 138 -j DROP
iptables -I INPUT -p tcp --dport 139 -j DROP
iptables -I INPUT -p udp --dport 139 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I INPUT -p udp --dport 445 -j DROP
iptables -I INPUT -p tcp --dport 593 -j DROP
iptables -I INPUT -p udp --dport 593 -j DROP
iptables -I INPUT -p tcp --dport 1068 -j DROP
iptables -I INPUT -p udp --dport 1068 -j DROP
iptables -I INPUT -p tcp --dport 4444 -j DROP
iptables -I INPUT -p udp --dport 4444 -j DROP
iptables -I INPUT -p tcp --dport 5554 -j DROP
iptables -I INPUT -p tcp --dport 1434 -j DROP
iptables -I INPUT -p udp --dport 1434 -j DROP
iptables -I INPUT -p tcp --dport 2500 -j DROP
iptables -I INPUT -p tcp --dport 5800 -j DROP
iptables -I INPUT -p tcp --dport 5900 -j DROP
iptables -I INPUT -p tcp --dport 6346 -j DROP
iptables -I INPUT -p tcp --dport 6667 -j DROP
iptables -I INPUT -p tcp --dport 9393 -j DROP
iptables -I FORWARD -p udp --dport 69 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --dport 136 -j DROP
iptables -I FORWARD -p udp --dport 136 -j DROP
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 593 -j DROP
iptables -I FORWARD -p udp --dport 593 -j DROP
iptables -I FORWARD -p tcp --dport 1068 -j DROP
iptables -I FORWARD -p udp --dport 1068 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP
iptables -I FORWARD -p udp --dport 4444 -j DROP
iptables -I FORWARD -p tcp --dport 5554 -j DROP
iptables -I FORWARD -p tcp --dport 1434 -j DROP
iptables -I FORWARD -p udp --dport 1434 -j DROP
iptables -I FORWARD -p tcp --dport 2500 -j DROP
iptables -I FORWARD -p tcp --dport 5800 -j DROP
iptables -I FORWARD -p tcp --dport 5900 -j DROP
iptables -I FORWARD -p tcp --dport 6346 -j DROP
iptables -I FORWARD -p tcp --dport 6667 -j DROP
iptables -I FORWARD -p tcp --dport 9393 -j DROP
# stateful handling: keep existing sessions, drop everything else arriving on the external interface
/sbin/iptables -A INPUT -i $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -m state --state NEW,INVALID -j DROP
# Drop ping
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -I INPUT -s 222.182.40.241 -j DROP
Source: http://www.111cn.net/sys/linux/74503.htm
Configuring iptables on Linux to defend against DDoS and CC attacks