Build Your Own DDoS Protection With Linux & IPtables
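#!/usr/bin/env bash
#
# Build Your Own DDoS Protection With Linux & IPtables
#
# Installs netfilter rules and sysctls that shed SYN floods, spoofed sources,
# bogus TCP-flag combinations, fragments and ICMP/RST floods on a single host.
# Run as root on a clean ruleset: rules are appended (-A), so running the
# script twice installs every rule twice.
#
# Required environment:
#   DEV   - ingress interface to protect (e.g. DEV=eth0)
#   PORT  - TCP service port that gets SYNPROXY and SYN rate limiting
# Optional:
#   SPOOF_METHOD - "ipset" (default) or "rules"; how the spoofed source
#                  prefixes are blocked. The two methods are equivalent;
#                  the listing showed both, this script runs one.
set -euo pipefail

: "${DEV:?set DEV to the ingress interface, e.g. DEV=eth0}"
: "${PORT:?set PORT to the TCP port to protect, e.g. PORT=80}"
SPOOF_METHOD=${SPOOF_METHOD:-ipset}

readonly IPT=/sbin/iptables
readonly SYSCTL=/sbin/sysctl

# Source prefixes that must never arrive on a public interface (reserved /
# bogon ranges). The concrete prefixes were lost when this listing was
# extracted; fill in the ranges from the original article before running.
SPOOFED_NETS=(
  # "<CIDR-1>"   placeholder: one "a.b.c.d/len" entry per line
)
if (( ${#SPOOFED_NETS[@]} == 0 )); then
  printf 'SPOOFED_NETS is empty; fill in the reserved prefixes first\n' >&2
  exit 2
fi

### Use SYNPROXY ###
# SYNs for $PORT bypass conntrack; SYNPROXY completes the handshake itself and
# a conntrack entry is only created once the client has answered, so a flood
# of half-open connections never reaches the conntrack table.
"$IPT" -t raw -A PREROUTING -i "$DEV" -p tcp -m tcp --syn --dport "$PORT" -j CT --notrack
"$IPT" -t mangle -A INPUT -i "$DEV" -p tcp -m conntrack --ctstate INVALID,UNTRACKED --dport "$PORT" -j SYNPROXY \
  --sack-perm --timestamp --wscale 7 --mss 1460
"$IPT" -t mangle -A INPUT -i "$DEV" -p tcp -m conntrack --ctstate INVALID --dport "$PORT" -j DROP
# SYNPROXY encodes its state in SYN cookies and TCP timestamps; both must be on.
"$SYSCTL" -w net/ipv4/tcp_timestamps=1
"$SYSCTL" -w net/ipv4/tcp_syncookies=1
# Do not adopt mid-stream connections: only a completed handshake creates state.
"$SYSCTL" -w net/netfilter/nf_conntrack_tcp_loose=0
"$SYSCTL" -w net/netfilter/nf_conntrack_max=5000000
printf '%s\n' 5000000 > /sys/module/nf_conntrack/parameters/hashsize

### DROP SYNs arriving faster than 200 pps (burst 1000) per source /24 ###
# Lives in raw PREROUTING after the notrack rule; CT --notrack is
# non-terminating, so SYNs still reach this rule.
"$IPT" -t raw -A PREROUTING -i "$DEV" -p tcp -m tcp --dport "$PORT" --syn -m hashlimit --hashlimit-above 200/sec \
  --hashlimit-burst 1000 --hashlimit-mode srcip --hashlimit-name syn --hashlimit-htable-size 2097152 \
  --hashlimit-srcmask 24 -j DROP

### Drop SYN packets with suspicious MSS value ###
# Match on the SYN flag rather than --ctstate NEW: after the notrack rule above,
# SYNs to $PORT are UNTRACKED and would never be in state NEW, so the original
# NEW-based rule silently skipped exactly the port it was meant to protect.
"$IPT" -t mangle -A PREROUTING -p tcp --syn -m tcpmss ! --mss 536:65535 -j DROP

### Block spoofed packets ###
# Loopback source on a non-loopback interface. The prefix on this rule was
# stripped from the listing; 127.0.0.0/8 is the range the "! -i lo" test implies.
"$IPT" -t mangle -A PREROUTING ! -i lo -s 127.0.0.0/8 -j DROP
case "$SPOOF_METHOD" in
  rules)
    ## Method 1: one DROP rule per prefix
    for net in "${SPOOFED_NETS[@]}"; do
      "$IPT" -t mangle -A PREROUTING -s "$net" -j DROP
    done
    ;;
  ipset)
    ## Method 2: one set, one rule (cheaper than a linear rule walk)
    ipset create SpoofedPackets hash:net -exist
    for net in "${SPOOFED_NETS[@]}"; do
      ipset add SpoofedPackets "$net" -exist
    done
    "$IPT" -t mangle -A PREROUTING -m set --match-set SpoofedPackets src -j DROP
    ;;
  *)
    printf 'SPOOF_METHOD must be "rules" or "ipset", got: %s\n' "$SPOOF_METHOD" >&2
    exit 2
    ;;
esac

### SSH brute-force protection ###
# Record each new SSH connection per source address; a source that opens more
# than 10 within 60 seconds is dropped.
"$IPT" -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
"$IPT" -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Protection against port scanning ###
# Bare RSTs (RST set, SYN/ACK/FIN clear) above 1/s are dropped. The chain was
# never hooked into INPUT in the original listing; it must be entered with the
# same flag test it RETURNs on, otherwise every other TCP packet would fall
# through to the trailing DROP.
"$IPT" -N port-scanning 2>/dev/null || true   # chain may already exist
"$IPT" -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
"$IPT" -A port-scanning -j DROP
"$IPT" -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning

### Drop fragments in all chains ###
# Note: this also discards legitimately fragmented traffic (large UDP, some
# VPN/DNS responses); keep only if the host does not need fragments.
"$IPT" -t mangle -A PREROUTING -f -j DROP

### Block packets with bogus TCP flags ###
# Flag combinations that no real stack sends; mostly scanner / fuzzer noise.
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

### Block smurf / ICMP amplification probes ###
"$IPT" -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
"$IPT" -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# Keep "fragmentation needed" so path-MTU discovery still works: dropping it
# with the rest silently blackholes large responses to remote clients.
"$IPT" -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
"$IPT" -A INPUT -p icmp -m icmp -j DROP

### Rate-limit RST packets (RST floods) ###
# The original listing had only the ACCEPT; without the DROP that follows it,
# the limit has no effect under an ACCEPT default policy. This overlaps with
# the port-scanning chain above, which only covers bare RSTs.
"$IPT" -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
"$IPT" -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

### Operator helpers: not run by this script, call them by name from a shell ###

#######################################
# Count current TCP/UDP peers per remote address, most frequent last.
# Outputs: "<count> <address>" lines to stdout (netstat's header lines are
#          not filtered and show up as noise at the top)
#######################################
top_remote_addresses() {
  netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

#######################################
# Print nf_conntrack lookup statistics (searched, found, new, ...) once.
# Outputs: lnstat table to stdout
#######################################
conntrack_stats() {
  lnstat -c -1 -f nf_conntrack
}

# To disconnect a client from this host's interfaces (apt-get install dsniff):
#   tcpkill host <client address>
# The address was stripped from the listing; tcpkill takes a pcap filter.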
