DDoS protection - Using Netfilter/iptables @ DevConf.cz Feb 2014
- Disable TCP loose mode (conntrack then refuses to pick up mid-stream connections from a bare ACK)
- Disable IP forwarding (the host is an endpoint, not a router)
- Enable SYN cookies
- Enable TCP timestamps (SYN cookies and SYNPROXY use the timestamp option to carry SACK and window-scale information through the handshake)
- Use the SYNPROXY module (optional; xt_SYNPROXY, kernel 3.12+)
/etc/sysctl.conf (the nf_conntrack_tcp_loose key only exists once the nf_conntrack module is loaded, so load it before applying):
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_forward = 0
- Use the mangle table and the PREROUTING chain for early drops, so unwanted packets are discarded before the routing decision and the INPUT chain; the --notrack rule that SYNPROXY needs goes into the raw table's PREROUTING chain, which runs even earlier, before connection tracking.
Full iptables configuration: https://gist.github.com/shikendon/5cfd3e1cf2181b884fb87d49e1afa695
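The sysctl settings and the SYNPROXY/early-drop rules above, as one script. This is an added example, not the talk's or the linked gist's configuration; it assumes a single TCP service on port 80 (override with PORT=...), a kernel with xt_SYNPROXY, and defaults to DRY_RUN=1, which prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original talk or gist): apply the sysctl knobs
# and a SYNPROXY rule set for one listening port.
# Assumptions: PORT defaults to 80; kernel 3.12+ with xt_SYNPROXY; run as root
# with DRY_RUN=0 to actually apply. DRY_RUN=1 (default) only prints commands.

: "${DRY_RUN:=1}"
: "${PORT:=80}"

# Execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The sysctl keys from the notes. nf_conntrack must be loaded first, otherwise
# the net.netfilter.nf_conntrack_tcp_loose key does not exist yet.
apply_sysctl() {
    run modprobe nf_conntrack
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_timestamps=1
    run sysctl -w net.ipv4.ip_forward=0
}

# Early drops in mangle PREROUTING: these packets never reach the routing
# decision or the INPUT chain. Here: TCP packets with no flags set, and
# packets with both SYN and FIN set (neither occurs in legitimate traffic).
early_drop_rules() {
    run iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    run iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
}

# SYNPROXY: keep incoming SYNs out of conntrack (raw table runs before the
# conntrack hook), let SYNPROXY complete the handshake on behalf of the
# service, and drop whatever conntrack still considers INVALID afterwards.
# --timestamp/--sack-perm/--wscale need net.ipv4.tcp_timestamps=1 to work.
synproxy_rules() {
    run iptables -t raw -I PREROUTING -p tcp --dport "$PORT" --syn -j CT --notrack
    run iptables -A INPUT -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    run iptables -A INPUT -p tcp --dport "$PORT" -m conntrack --ctstate INVALID -j DROP
}

# Full sequence; order matters: sysctl first, early drops, then SYNPROXY.
apply_all() {
    apply_sysctl
    early_drop_rules
    synproxy_rules
}

apply_all
```

Run it once with the default DRY_RUN=1 to review the exact commands, then `DRY_RUN=0 PORT=80 sh ddos.sh` as root; the sysctl values should also be persisted in /etc/sysctl.conf as listed above so they survive a reboot.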
Other notes:
- synsanity (GitHub's SYNPROXY backport) only works on 3.x kernels
- Google BBR is only available on 4.9+ kernels (merged in Linux 4.9)
- Use iptables directly instead of firewalld: firewalld owns the rule set and rebuilds it on reload, which discards hand-written raw/mangle rules such as the ones above