2. 科技
  3. iptable防范ddos攻击

iptable防范ddos攻击

it2022-05-05  154
iptable防范ddos攻击

Basic DoS Protection https://github.com/MPOS/php-mpos/wiki/Basic-DoS-Protection

# Rule 1: Limit New Connections To Something Sane. iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT # Rule 2: Limit Existing Connections To Something Sane. iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT # Rule 3: Wow Lets Just Drop Anything We Don't Like The Look Of iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP # Rule 4: Come In Or Go away, Don't Knock On My Door. iptables -N PORT_SCANNING iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN iptables -A PORT_SCANNING -j DROP # Rule 5: For You LAND Lovers Argghh!(Local Area Network Denial) iptables -A INPUT -s YOURSERVERIP/32 -j DROP # Rule 6: Ho-Ho-Ho, Wait.. Its Not Christmas.. (XMAS Packets) iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP # Rule 7: OMG The Servers Seeing Blue (Smurf Attacks) iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT or iptables -A INPUT -p icmp -j DROP # Rule 8: The More Advanced SYN Filter (Mod of top rule) iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT or iptables -D INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT # Rule 9: NO UDP EXCEPT DNS - UDP CAN GO CLIMB A TREE iptables -A INPUT -p udp --sport 53 -j ACCEPT iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A OUTPUT -p udp --sport 53 -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p udp -j DROP iptables -A OUTPUT -p udp -j DROP

TL;DR I Just Want To Copy And Paste.

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN iptables -A PORT-SCANNING -j DROP posted on 2014-10-29 14:22 北京涛子 阅读( ...) 评论( ...) 编辑 收藏

转载于:https://www.cnblogs.com/liujitao79/p/4059417.html

专利

最新回复(0)