Help with Iptables configuration protect from ddos
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
But it loses my connection on port 80, PuTTY SSH port 22, FTP 21, 7777, 9016... . I do a VPS restart and the default iptables come back, but I want to set protection.
So maybe someone can help me create a .sh file?
One IP can only:
connect to 7777 (3 connections at one time); if one IP connects more than 3 times it gets DROP.
9016 (3 connections at one time); if one IP connects more than 3 times it gets DROP.
80 (3 connections at one time); if one IP connects more than 3 times it gets DROP.
And unblock ports 22, 21, and the phpMyAdmin default port.
Quote:
Originally Posted by tarciokk
Hi, I have a Lineage 2 game server on Debian 5. I tried to set anti-DDoS protection with iptables (..) But it loses my connection on port 80, PuTTY SSH port 22, FTP 21, 7777, 9016... . I do a VPS restart and the default iptables come back, but I want to set protection. (..) And unblock ports 22, 21, and the phpMyAdmin default port.
Because your rule set is a mess, this may be the reason you lost connectivity (check the system logs?), and some rules just don't make sense. Next to that, some ports should not be publicly accessible, especially on a game server, and for /phpmyadmin you should minimally set restrictions in your web server's configuration file. Here's the rule file with comments:
Code:
#!/bin/sh
IPT=/sbin/iptables
# Missing / malformed (depending) policy below. If this is a restricted access server with only authorized
# services running at all times then you want to keep the DROP policy on the INPUT chain, else create ACCEPT
# rules and finish with a REJECT rule. Missing FORWARD chain policy.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Bad rule below: a source of 127.0.0.1 never arrives on eth0 (it uses loopback), and not necessary (loopback already accepted).
# $IPT -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT -s 127.0.0.1
# Bad rule below if you admin this server (limit access or use fail2ban).
# $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Missing rules for bad traffic and traffic in progress:
# $IPT -A INPUT -i eth0 -p tcp --syn -j REJECT --reject-with icmp-port-unreachable
# $IPT -A INPUT -i eth0 -p tcp -m multiport --dport 1024:65535 -j ACCEPT --sports 80,443 ! --syn
$IPT -A INPUT -i eth0 -m state --state INVALID -j REJECT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Bad / malformed rules below: you shouldn't let your server be a publicly accessible
# FTP/POP/MTA (limit access and/or use fail2ban).
# $IPT -A INPUT -p tcp -m tcp -i eth0 --dport 1024:65535 --sport 21 -j ACCEPT ! --syn
# $IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
# $IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
# $IPT -A INPUT -p tcp -m tcp -i eth0 --dport 1024:65535 --sport 25 -j ACCEPT
# Unnecessary rules below due to --state ESTABLISHED,RELATED (goes for some ICMP too):
# $IPT -A INPUT -p udp -m udp -i eth0 --dport 1024:65535 --sport 53 -j ACCEPT
# $IPT -A INPUT -p tcp -m tcp -i eth0 --dport 1024:65353 --sport 53 -j ACCEPT
# -m multiport allows you to group ports together:
# $IPT -A INPUT -i eth0 -p tcp --dport 2106 -j ACCEPT
# $IPT -A INPUT -i eth0 -p tcp --dport 7000 -j ACCEPT
# $IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# $IPT -A INPUT -i eth0 -p tcp --dport 7777 -j DROP
# $IPT -I INPUT -i eth0 -p tcp --dport 9016 -m connlimit --connlimit-above 3 -j DROP
# $IPT -I INPUT -i eth0 -p tcp --dport 7777 -m connlimit --connlimit-above 3 -j DROP
# (multiport needs --dports, --sports or --ports; without it iptables rejects the rule)
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 80,2106,7000,7777,9016 -m connlimit --connlimit-above 3 -j DROP
# Bad / malformed rules below: best only accept certain types of ICMP.
# $IPT -A INPUT -p icmp -i eth0 -j ACCEPT
# $IPT -A INPUT -p icmp --icmp-type 8 -s 0/0
$IPT -A OUTPUT -o eth0 -j ACCEPT
and here is the result with some limiting added in:
Code:
#!/bin/sh
IPT=/sbin/iptables
$IPT -P INPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i eth0 -m conntrack --ctstate INVALID -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "IN_rej "
$IPT -A INPUT -i eth0 -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log and restrict FTP/SSH access to only your IP address (replace fictive "1.0.1.0"):
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 20,21,22 -s 1.0.1.0/32 -j LOG --log-prefix "IN_priv "
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 20,21,22 -s 1.0.1.0/32 -j ACCEPT
# Limit per network: max 3 concurrent connections per /24 (connlimit counts open connections, not SYN rate).
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 80,2106,7000,7777,9016 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# Limit per IP: 1024 new-connection *packets* per second, burst 3072, keyed on remote IP + local --dport:
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 80,2106,7000,7777,9016 -m hashlimit --hashlimit 1024/s --hashlimit-burst 3072 --hashlimit-mode srcip,dstport --hashlimit-name INPUT -m state --state NEW -j ACCEPT
# Allow some ICMP in:
$IPT -A INPUT -p icmp --icmp-type source-quench -j DROP
$IPT -A INPUT -p icmp --icmp-type redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type network-redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type host-redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type TOS-network-redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type TOS-host-redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p icmp --icmp-type router-advertisement -j DROP
$IPT -A INPUT -p icmp --icmp-type router-solicitation -j DROP
$IPT -A INPUT -p icmp -j ACCEPT
# Log and drop everything else:
$IPT -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "IN_end "
$IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
$IPT -A OUTPUT -o eth0 -j ACCEPT
You probably shouldn't try to run these now, but work towards understanding them. And restarting your VPS shouldn't be necessary unless you can't get back in, and you probably should not overwrite the default rules until you are certain the rules work as you want them to. Finally, be aware that a true DDoS requires help from upstream, as that kind of network problem has no end-node solution (OK, except shutting down services and sitting out the storm).
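A safer way to apply a rule set like the one above, added here as an example; it is not part of the thread or either poster's scripts. It adds two things the plain `$IPT -A ...` scripts lack: the rules are loaded with `iptables-restore`, which parses the whole file before committing anything, so a single malformed line (for example `-m multiport` without `--dports`) aborts the load instead of leaving a half-applied chain that ends in REJECT, and a watchdog restores the previous rules automatically unless you confirm from a fresh SSH session that you can still get in. `ADMIN_IP` (defaulting to the documentation address 192.0.2.10), the backup and pid file paths under /root and the hashlimit table name `game_in` are assumptions; the ports and limits are the ones discussed above, with the connection limit counted per single source IP (`--connlimit-mask 32`) as the original poster asked.

```shell
#!/bin/sh
# Added example (not from the thread): load an iptables rule set atomically
# and arm a rollback watchdog so a bad rule set cannot lock you out.
# Assumptions: ADMIN_IP is the administrator's own address (192.0.2.10 is a
# documentation placeholder), file paths under /root, hashlimit name game_in.

ADMIN_IP="${ADMIN_IP:-192.0.2.10}"
BACKUP="${BACKUP:-/root/iptables.before}"
ROLLBACK_PID="${ROLLBACK_PID:-/root/iptables.rollback.pid}"

# Emit the rule set in iptables-save format. iptables-restore loads this
# all-or-nothing, so one malformed line cannot leave a half-applied chain.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Invalid conntrack state: log (rate limited) and reject.
-A INPUT -i eth0 -m conntrack --ctstate INVALID -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "IN_rej "
-A INPUT -i eth0 -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
# Replies to our own traffic and ICMP errors about it (RELATED).
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FTP/SSH only from the administrator's address.
-A INPUT -i eth0 -p tcp -m multiport --dports 20,21,22 -s $ADMIN_IP -j ACCEPT
# Game/web ports: at most 3 concurrent connections per single source IP ...
-A INPUT -i eth0 -p tcp -m multiport --dports 80,2106,7000,7777,9016 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# ... and a cap on new-connection packets per source IP and destination port
# (newer iptables also spells --hashlimit as --hashlimit-upto).
-A INPUT -i eth0 -p tcp -m multiport --dports 80,2106,7000,7777,9016 -m conntrack --ctstate NEW -m hashlimit --hashlimit 1024/s --hashlimit-burst 3072 --hashlimit-mode srcip,dstport --hashlimit-name game_in -j ACCEPT
# Rate-limited ping; other useful ICMP already matched as RELATED above.
-A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log (rate limited) and reject everything else.
-A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "IN_end "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Static check on stdin: every multiport match needs a port option, and the
# table must end with COMMIT. Returns non-zero on the first class of mistakes
# that silently breaks a "$IPT -A" script.
lint_rules() {
    rc=0
    saw_commit=0
    while IFS= read -r line; do
        case "$line" in
            *"-m multiport"*)
                case "$line" in
                    *--dports*|*--sports*|*--ports*) ;;
                    *) echo "lint: multiport without --dports/--sports/--ports: $line" >&2; rc=1 ;;
                esac ;;
            COMMIT) saw_commit=1 ;;
        esac
    done
    [ "$saw_commit" -eq 1 ] || { echo "lint: missing COMMIT" >&2; rc=1; }
    return $rc
}

# Save the live rules, arm a watchdog that restores them after $1 seconds,
# then load the new set. nohup keeps the watchdog alive if this SSH session
# is cut off by the very rules being tested.
apply_with_rollback() {
    secs="${1:-120}"
    build_rules | lint_rules || return 1
    iptables-save > "$BACKUP" || return 1
    nohup sh -c "sleep $secs && iptables-restore < '$BACKUP'" >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PID"
    if ! build_rules | iptables-restore; then
        confirm_rules >/dev/null    # load failed: live rules untouched, disarm
        echo "load failed; live rules unchanged" >&2
        return 1
    fi
    echo "new rules live; open a NEW ssh session and run '$0 confirm' within ${secs}s"
}

# Disarm the watchdog once you have verified access from a second session.
confirm_rules() {
    [ -f "$ROLLBACK_PID" ] || { echo "no rollback armed" >&2; return 1; }
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null
    rm -f "$ROLLBACK_PID"
    echo "rollback disarmed; new rules kept"
}

case "${1:-}" in
    show)    build_rules ;;
    lint)    build_rules | lint_rules && echo "lint ok" ;;
    apply)   apply_with_rollback "${2:-120}" ;;
    confirm) confirm_rules ;;
    *)       echo "usage: $0 show|lint|apply [seconds]|confirm" >&2 ;;
esac
```

Run `sh fw.sh lint` first, then `sh fw.sh apply 120` from one session and `sh fw.sh confirm` from a second, newly opened session; if the second session cannot connect, do nothing and the old rules come back on their own. Because the default rules on the OP's VPS are what `iptables-save` captures before the load, this also removes the need for a VPS restart to get them back.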
Thank you first to whoever helped me. Sadly, it lost my network connection again and I got dropped from PuTTY.
All ports don't work.
I forgot to say that the L2 server already has small protection with IPv4.
Error:
Code:
Nov 19 11:15:17 232759 avahi-daemon[20449]: Successfully dropped root privileges.
Nov 19 11:15:17 232759 avahi-daemon[20449]: avahi-daemon 0.6.23 starting up.
Nov 19 11:15:17 232759 avahi-daemon[20449]: Successfully called chroot().
Nov 19 11:15:17 232759 avahi-daemon[20449]: Successfully dropped remaining capabilities.
Nov 19 11:15:17 232759 avahi-daemon[20449]: No service file found in /etc/avahi/services.
Nov 19 11:15:17 232759 avahi-daemon[20449]: socket() failed: Address family not supported by protocol
Nov 19 11:15:17 232759 avahi-daemon[20449]: Failed to create IPv6 socket, proceeding in IPv4 only mode
Nov 19 11:15:17 232759 avahi-daemon[20449]: socket() failed: Address family not supported by protocol
Nov 19 11:15:17 232759 avahi-daemon[20449]: Network interface enumeration completed.
Nov 19 11:15:17 232759 avahi-daemon[20449]: Registering HINFO record with values 'X86_64'/'LINUX'.
Nov 19 11:15:17 232759 avahi-daemon[20449]: Server startup complete. Host name is 232759.local. Local service cookie is 3394660892.
Maybe the problem is in the VPS (host)? The VPS was created on OpenVZ.
Quote:
Originally Posted by tarciokk
Sadly, it lost my network connection again and I got dropped from PuTTY.
All ports don't work.
I'm sorry to hear that, but maybe we have got a language barrier thing going on here? I told you that you should not implement these rules but study and understand them before applying them.
Quote:
Originally Posted by tarciokk
I forgot to say that the L2 server already has small protection with IPv4.
No, this unfortunately has nothing to do with "protection".
Quote:
Originally Posted by tarciokk
Maybe the problem is in the VPS (host)? The VPS was created on OpenVZ.
Indeed, OpenVZ displays anomalies when it comes to Netfilter (Host Node access is required to make changes and make them available to the Guest Nodes), but you'd best first look at the system logs for clues.