[BETA]Iptables anti-DDoS rules

**Feofilaktt** · 21.12.2017 17:56

Feofilaktt
hasu++
Offline

From: Brazil
Registered: 07.04.2017
Posts: 368

Topic: [BETA]Iptables anti-DDoS rules

BETA

I am sharing a script with efficient rules against attacks and malicious packages..

it has greatly reduced my problems with server failures(in test)

feel free to contribute or correct the rules...

#!/bin/bash

echo "INITIALIZING FIREWALL"
echo " "

# 0: CLEANING PREVIOUS RULES
iptables -F &&
iptables -t nat -F &&
iptables -t nat -X &&
iptables -t nat -Z &&
iptables -t nat -F POSTROUTING &&
iptables -t nat -F PREROUTING &&
iptables -F INPUT &&
iptables -F OUTPUT &&
iptables -F FORWARD &&
iptables -L &&
echo "OK -> CLEANING PREVIOUS RULES"


# 1: BLOCK INVALID PACKETS
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  
echo "OK -> BLOCK INVALID PACKETS"

# 2: DROP TCP PACKETS THAT ARE NEW AND ARE NOT SYN
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 
echo "OK -> DROP TCP PACKETS THAT ARE NEW AND ARE NOT SYN"

# 3: DROP SYN PACKETS WITH SUSPICIOUS MSS VALUE
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  
echo "OK -> DROP SYN PACKETS WITH SUSPICIOUS MSS VALUE"

# 4: BLOCK PACKETS WITH BOGUS TCP FLAGS
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  
echo "OK -> BLOCK PACKETS WITH BOGUS TCP FLAGS"

# 5: BLOCK SPOOFED PACKETS
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  
echo "OK -> BLOCK SPOOFED PACKETS"

# 6: LIMIT ICMP PING (you usually don't need this protocol)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "OK -> LIMIT ICMP PING"

# 7: DROP FRAGMENTS IN ALL CHAINS
iptables -t mangle -A PREROUTING -f -j DROP
echo "OK -> DROP FRAGMENTS IN ALL CHAINS"

# 9: LIMIT RST PACKETS
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  
echo "OK -> LIMIT RST PACKETS"

# 10: LIMIT NEW TCP CONNECTIONS PER SECOND PER SOURCE IP (6112 and 4000)
iptables -A INPUT -p tcp --dport 4000 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 4000 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP
iptables -A INPUT -p tcp --dport 6112 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 6112 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP
echo "OK -> LIMIT NEW TCP CONNECTIONS PER SECOND PER SOURCE IP (6112 and 4000)"

# 11: DROP OTHER MALICIOUS PACKAGES
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo "OK -> OTHER MALICIOUS PACKAGES"

# 12: KERNEL PROTECTIONS
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo "OK -> KERNEL PROTECTIONS"

# FINISH
echo " "
echo " "
echo "FIREWALL INITIATED"
echo " "
iptables -L

Diablo 2 Online

Itens - Armory - Market - Clans - Builds - Chat

**dvd** · 12.02.2018 23:15

dvd
newbie
Offline

Registered: 12.02.2018
Posts: 1

Re: [BETA]Iptables anti-DDoS rules

What do you meen when you say "malicious packages" .Ddos attacks?

[BETA]Iptables anti-DDoS rules

Posts: 2

1 Topic by Feofilaktt 21.12.2017 17:56 (edited by Feofilaktt 21.12.2017 18:01)

Topic: [BETA]Iptables anti-DDoS rules

2 Reply by dvd 12.02.2018 23:15

Re: [BETA]Iptables anti-DDoS rules

Posts: 2

Who now at forum

Currently view post: 1 guest, 0 registered users