Categories

Affiliate Accounts
3
Billing
3
Dedicated Servers
56
Domain Registration
2
Proxy Servers
1
Technical Support
2
VPS Server
0
Web Hosting
2

  Categories

  Tag Cloud

Change SWIP ip Space Changing Blocks Justification Additional Addresses Dedicated Servers Accessing First Time OS CentOS Ubuntu Debian Setting Virtual Machines VM VPS Automating FTP Backups Linux Windows Server FAQ Managing Storage Unlimited Bandwidth SSH Port command Default Disable Recursive DNS SSDP Enable configuration basic firewall settings Securing NTP SNMP IPTables DDoS Protection Temporary KVM Access Notifications Reverse rDNS Control Panel Reset Root Password Name IPv6 Installing Drives Larger Than 2 TB user Browsing Internet Connect Remotely RDP Product Key Hyper-V AMD Opteron Nomodeset bootloader Intel Core Core i5 3550 Core i5 4570 Core i7 3770 Xeon Xeon E3 1245 V2 Reformat Reload Operating System Troubleshooting Network Speeds Upload Download Reporting Packet Loss Issues Referral Payment Amount Browser Caching cPanel Apache htaccess proxy SS5 Socks5 SS5 Socks5 Proxy server Can’t unlink pid file

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket

IPTables Configuration for DDoS Protection Print

  • IPTables, configuration, DDoS, Protection
  • 0

​The following IPTables configuration will assist with traffic that the DDoS filters cannot fully mitigate.

 Note: These are a generic ruleset and should be expanded further to suit your specific application.

### IP Tables DDOS Protection Rules ###

### 1: Drop invalid packets ###
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

### 2: Drop TCP packets that are new and are not SYN ###
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

### 4: Block packets with bogus TCP flags ###
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

### 5: Block spoofed packets ###
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

### 6: Drop ICMP/Ping (you usually don't need this protocol) ###
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP

### 7: Drop fragments in all chains ###
/sbin/iptables -t mangle -A PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ###
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

### 10: Limit new TCP connections per second per source IP ###
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
#/sbin/iptables -t raw -D PREROUTING -p tcp -m tcp --syn -j CT --notrack
#/sbin/iptables -D INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#/sbin/iptables -D INPUT -m conntrack --ctstate INVALID -j DROP

### SSH brute-force protection ###
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Protection against port scanning ###
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP

Was this answer helpful?

Related Articles

DDoS Protection FAQ Q. How much protection is included with each server? A. Each dedicated server includes is...
« Back

  Tag Cloud

Change SWIP ip Space Changing Blocks Justification Additional Addresses Dedicated Servers Accessing First Time OS CentOS Ubuntu Debian Setting Virtual Machines VM VPS Automating FTP Backups Linux Windows Server FAQ Managing Storage Unlimited Bandwidth SSH Port command Default Disable Recursive DNS SSDP Enable configuration basic firewall settings Securing NTP SNMP IPTables DDoS Protection Temporary KVM Access Notifications Reverse rDNS Control Panel Reset Root Password Name IPv6 Installing Drives Larger Than 2 TB user Browsing Internet Connect Remotely RDP Product Key Hyper-V AMD Opteron Nomodeset bootloader Intel Core Core i5 3550 Core i5 4570 Core i7 3770 Xeon Xeon E3 1245 V2 Reformat Reload Operating System Troubleshooting Network Speeds Upload Download Reporting Packet Loss Issues Referral Payment Amount Browser Caching cPanel Apache htaccess proxy SS5 Socks5 SS5 Socks5 Proxy server Can’t unlink pid file

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket