Linux: configuring iptables to prevent DDoS and CC attacks

Source: Internet
Author: User

# Prevent SYN attacks (lightweight prevention)

iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

# Prevent DoS from too many incoming connections: allow at most 15 initial connections per IP on the external network card and drop anything above that

iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Mitigate DDoS with iptables (parameters are the same as above)

iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
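An added example, not code from the original article: a Python token-bucket model of the iptables limit match, run over constructed arrival times for the syn-flood chain above (3/s, burst 6) and for a `-m limit ... -j DROP` rule like the ICMP rule further down this page. It shows why limit-then-DROP drops only the packets inside the allowance and lets the excess fall through; the float refill arithmetic is an approximation of xt_limit's jiffie-based credits.

```python
"""Token-bucket model of the iptables limit match: -m limit --limit RATE --limit-burst BURST."""


class LimitMatch:
    """xt_limit keeps a credit that refills at RATE per second up to BURST; a packet
    matches (and spends one credit) only while credit is available. Float approximation
    of the kernel's jiffie-based credit arithmetic (an assumption of this model)."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # refill in proportion to elapsed time, never beyond the burst size
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(arrival_times, rate_per_sec=3.0, burst=6):
    """The syn-flood chain above: `-m limit --limit 3/s --limit-burst 6 -j RETURN`,
    then an unconditional `-j REJECT` for every SYN the limit did not admit."""
    lim = LimitMatch(rate_per_sec, burst)
    return ["RETURN" if lim.matches(t) else "REJECT" for t in arrival_times]


def icmp_limit_drop(arrival_times, rate_per_sec=12 / 60, burst=2):
    """`-p icmp -m limit --limit 12/min --limit-burst 2 -j DROP`: the limit match admits
    only packets inside the allowance, so those are the ones DROP sees; the excess does
    not match and falls through to whatever rule or chain policy comes next."""
    lim = LimitMatch(rate_per_sec, burst)
    return ["DROP" if lim.matches(t) else "fall through" for t in arrival_times]


if __name__ == "__main__":
    # constructed arrivals: ten SYNs at once, then four more one second later
    print(syn_flood_chain([0.0] * 10 + [1.0] * 4))
    # constructed arrivals: five pings at once
    print(icmp_limit_drop([0.0] * 5))
```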

Mitigating CC attacks

When an Apache site is under a heavy CC attack, iptables can be used to keep the web server from being overwhelmed by the CC traffic and to block the attacking IPs automatically.

1. System Requirements

(1) Linux kernel version: 2.6.9-42.ELsmp or 2.6.9-55.ELsmp (other kernel versions require recompiling the kernel, which is cumbersome but also feasible).
(2) iptables version: 1.3.7

2. Installation

Install the connlimit kernel module package (kernel-smp-modules-connlimit) matching iptables 1.3.7 and the system kernel version.

3. Configure the appropriate iptables rules

Examples are as follows:

(1) Limit the maximum number of concurrent connections from a single IP
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 25 -j REJECT   # allow at most 25 connections from a single IP

# Early iptables builds do not ship the connlimit module; it has to be compiled and loaded separately.

(2) Limit the number of new connections a single IP may establish within a given period (for example, 60 seconds)

iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --set -j ACCEPT

# A single IP may establish at most 30 new connections within 60 seconds
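An added Python model, not the article's code, of the two-rule recent pattern above with constructed packet timestamps: `--update --seconds 60 --hitcount 30` rejects a source that already has 30 recorded hits in the last 60 seconds (and records the rejected packet too), while `--set` records every accepted packet. It also mirrors the check in older ipt_recent builds, such as the 2.6.9 kernels this article targets, that refuse a `--hitcount` larger than the module's ip_pkt_list_tot (20 by default); newer xt_recent versions size the per-address history from `--hitcount` instead.

```python
"""Model of the xt_recent pattern: --update/--hitcount REJECT followed by --set ACCEPT."""
from collections import defaultdict, deque


def rule_loads(hitcount: int, list_tot: int = 20) -> bool:
    """Old ipt_recent checkentry: the rule is refused when --hitcount exceeds ip_pkt_list_tot."""
    return hitcount <= list_tot


class RecentTable:
    """One named list (e.g. bad_http_access) of remembered packet timestamps per source."""

    def __init__(self, seconds: int, hitcount: int, list_tot: int = 20):
        if not rule_loads(hitcount, list_tot):
            raise ValueError(f"hitcount {hitcount} exceeds ip_pkt_list_tot {list_tot}")
        self.seconds, self.hitcount = seconds, hitcount
        # each address keeps at most list_tot timestamps, oldest discarded first
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def update_matches(self, src: str, now: float) -> bool:
        """--update --seconds S --hitcount N: matches only if src is already listed and has
        at least N stamps within the last S seconds; a match also records this packet."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False

    def set(self, src: str, now: float) -> None:
        """--set: add src to the list (or record one more timestamp); always matches."""
        self.stamps[src].append(now)


def http_verdict(table: RecentTable, src: str, now: float) -> str:
    """Rules in page order: REJECT when the update/hitcount rule matches, else --set and ACCEPT."""
    if table.update_matches(src, now):
        return "REJECT"
    table.set(src, now)
    return "ACCEPT"


def simulate(packets, seconds=60, hitcount=30, list_tot=30):
    """packets: iterable of (timestamp, source ip) pairs constructed for the demo."""
    table = RecentTable(seconds, hitcount, list_tot)
    return [http_verdict(table, src, t) for t, src in packets]


if __name__ == "__main__":
    # constructed traffic: one client opening a connection every second for 31 seconds
    print(simulate([(float(t), "198.51.100.7") for t in range(31)]))
```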

View in real time the number of connections established by the simulated attacking client

watch 'netstat -an | grep :21 | grep <attack ip> | wc -l'

View the number of packets dropped from the simulated attacking client

watch 'iptables -L -n -v | grep <attack ip>'

Another article: configuring the firewall to prevent SYN and DDoS attacks


# vim /etc/sysconfig/iptables
Add the following lines to the iptables rules file:
# anti SYN, DDoS
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Description
First line: allow up to 5 new connections per second
Second line: prevent various port scans
Third line: ping flood attack (ping of death)
These can be adjusted or disabled as needed.
Restart the firewall:
# /etc/init.d/iptables restart
Block an IP:
# iptables -I INPUT -s 192.168.0.1 -j DROP

How do I prevent others from pinging me?
# iptables -A INPUT -p icmp -j DROP
Prevent SYN packet flooding (SYN flood)
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Prevent various port scans
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (ping of death)
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# NMAP FIN/URG/PSH
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP

# Another Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Null scan (possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP

# SYN/RST
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN scan (possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

## Limit the rate of packets sent to the inside (-f matches fragmented packets)
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

## Limit the forwarding rate of connection-establishing packets
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
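An added Python model, not from the original article, of the `--tcp-flags MASK COMP` match behind the scan-blocking INPUT rules above: only the flags named in MASK are examined, and of those exactly the flags in COMP must be set. The rule strings are the page's own; the packet flag sets the test feeds in are constructed.

```python
"""Model of the iptables --tcp-flags MASK COMP match behind the scan-blocking rules above."""
import re

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())   # "ALL" in iptables means exactly these six flags

# The page's INPUT scan rules, in chain order, each with the name from its comment.
SCAN_RULES = [
    ("NMAP FIN/URG/PSH", "-A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP"),
    ("Xmas Tree", "-A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP"),
    ("another Xmas Tree", "-A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"),
    ("Null Scan", "-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP"),
    ("SYN/RST", "-A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"),
    ("SYN/FIN", "-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"),
]
TCP_FLAGS_RE = re.compile(r"--tcp-flags\s+(\S+)\s+(\S+)")


def parse_flags(spec: str) -> int:
    """Turn an iptables flag list (FIN,SYN,... or ALL / NONE) into a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(mask: str, comp: str, pkt_flags: int) -> bool:
    """iptables semantics: of the flags listed in MASK, exactly those in COMP must be set."""
    return (pkt_flags & parse_flags(mask)) == parse_flags(comp)


def classify(pkt_flags: int) -> str:
    """First matching rule wins (DROP); otherwise the packet continues down the chain."""
    for name, rule in SCAN_RULES:
        mask, comp = TCP_FLAGS_RE.search(rule).groups()
        if tcp_flags_match(mask, comp, pkt_flags):
            return f"DROP ({name})"
    return "continue"


if __name__ == "__main__":
    # constructed packets: a normal SYN, a normal data segment, and a few scan probes
    for spec in ("SYN", "PSH,ACK", "NONE", "FIN,URG,PSH", "ALL", "SYN,FIN"):
        print(f"{spec:12} -> {classify(parse_flags(spec))}")
```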

A nice firewall rule set
#####################################################

-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 1068 -j DROP
# limit matches only packets within the allowance, so this drops at most 12 ICMP packets per minute; the rest continue down the chain
-A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m udp --dport 138 -j DROP
-A FORWARD -p udp -m udp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 1068 -j DROP
-A FORWARD -p tcp -m tcp --dport 5554 -j DROP
-A FORWARD -p icmp -j DROP
:PREROUTING ACCEPT [986908:53126959]
:POSTROUTING ACCEPT [31401:2008714]
:OUTPUT ACCEPT [30070:1952143]
-A POSTROUTING -p tcp -m tcp --dport 445 -j DROP

#####################################################

Iptables Firewall Example

#!/bin/bash
#
# The interface that connects to the Internet

# echo
echo "Enable IP Forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules ..."

IFACE="eth0"

# include modules
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_MASQUERADE


# init: flush rules, delete user-defined chains, zero counters
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat

/sbin/iptables -X -t mangle

# default policies: drop all input, accept forward and output
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT


# rate limits for fragments and for new TCP connections (SYN only)
/sbin/iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT

# limit matches only packets within the allowance, so this drops at most 12 ICMP packets
# per minute; the rest continue down the chain
/sbin/iptables -A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP

/sbin/iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT


# Open ports
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 100 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 113 -j ACCEPT


# Close ports (inserted at the top of the chain, so they take precedence)
iptables -I INPUT -p udp --dport 69 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I INPUT -p tcp --dport 136 -j DROP
iptables -I INPUT -p udp --dport 136 -j DROP
iptables -I INPUT -p tcp --dport 137 -j DROP
iptables -I INPUT -p udp --dport 137 -j DROP
iptables -I INPUT -p tcp --dport 138 -j DROP
iptables -I INPUT -p udp --dport 138 -j DROP
iptables -I INPUT -p tcp --dport 139 -j DROP
iptables -I INPUT -p udp --dport 139 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I INPUT -p udp --dport 445 -j DROP
iptables -I INPUT -p tcp --dport 593 -j DROP
iptables -I INPUT -p udp --dport 593 -j DROP
iptables -I INPUT -p tcp --dport 1068 -j DROP
iptables -I INPUT -p udp --dport 1068 -j DROP
iptables -I INPUT -p tcp --dport 4444 -j DROP
iptables -I INPUT -p udp --dport 4444 -j DROP
iptables -I INPUT -p tcp --dport 5554 -j DROP
iptables -I INPUT -p tcp --dport 1434 -j DROP
iptables -I INPUT -p udp --dport 1434 -j DROP
iptables -I INPUT -p tcp --dport 2500 -j DROP
iptables -I INPUT -p tcp --dport 5800 -j DROP
iptables -I INPUT -p tcp --dport 5900 -j DROP
iptables -I INPUT -p tcp --dport 6346 -j DROP
iptables -I INPUT -p tcp --dport 6667 -j DROP
iptables -I INPUT -p tcp --dport 9393 -j DROP

iptables -I FORWARD -p udp --dport 69 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --dport 136 -j DROP
iptables -I FORWARD -p udp --dport 136 -j DROP
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 593 -j DROP
iptables -I FORWARD -p udp --dport 593 -j DROP
iptables -I FORWARD -p tcp --dport 1068 -j DROP
iptables -I FORWARD -p udp --dport 1068 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP
iptables -I FORWARD -p udp --dport 4444 -j DROP
iptables -I FORWARD -p tcp --dport 5554 -j DROP
iptables -I FORWARD -p tcp --dport 1434 -j DROP
iptables -I FORWARD -p udp --dport 1434 -j DROP
iptables -I FORWARD -p tcp --dport 2500 -j DROP
iptables -I FORWARD -p tcp --dport 5800 -j DROP
iptables -I FORWARD -p tcp --dport 5900 -j DROP
iptables -I FORWARD -p tcp --dport 6346 -j DROP
iptables -I FORWARD -p tcp --dport 6667 -j DROP
iptables -I FORWARD -p tcp --dport 9393 -j DROP

# accept replies to connections we opened, drop anything new or invalid on the Internet interface
/sbin/iptables -A INPUT -i $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -m state --state NEW,INVALID -j DROP


# Drop ping
/sbin/iptables -A INPUT -p icmp -j DROP

# block a specific source address
/sbin/iptables -I INPUT -s 222.182.40.241 -j DROP
