@TommyPKeane
Last active February 28, 2023 22:36
`iptables` Commands and Examples with `bash` for Local Configuration or Webserver Configuration
# Example Commands to Prevent DDoS Floods by Dropping TCP Packets/Requests
# Each rule uses `--tcp-flags MASK COMP`: only the flags named in MASK are inspected,
# and the rule matches when exactly the flags in COMP are set among them. None of these
# combinations occurs in a legitimate TCP session, so they are dropped in the mangle
# table's PREROUTING chain, before any routing decision or connection tracking.
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP   # FIN and SYN set together
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN and RST set together
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP   # FIN and RST set together
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP       # FIN without ACK
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP       # URG without ACK
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP       # PSH without ACK
sudo -E iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP          # no flags set at all (NULL packet)
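The `--tcp-flags MASK COMP` semantics behind the seven rules above are easy to misread (the second argument is not "flags to drop" but "the exact set that must be present within MASK"). The following is an added example, not part of the original gist: a small POSIX shell model of that match logic, with the gist's seven MASK/COMP pairs encoded as a list, so you can check which rule a given flag set would hit before touching a live firewall. The flag bit values and the sample packets are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): model how iptables evaluates
# `--tcp-flags MASK COMP` and test packets against the gist's seven rules.

# flag_bits "FIN,SYN" -> integer bitmask. ALL and NONE are the iptables aliases.
# Bit values are the standard TCP header flag bits (FIN=1 ... URG=32).
flag_bits() {
  total=0
  old_ifs="$IFS"; IFS=','
  for f in $1; do
    case "$f" in
      FIN) b=1;; SYN) b=2;; RST) b=4;; PSH) b=8;; ACK) b=16;; URG) b=32;;
      ALL) b=63;; NONE) b=0;;
      *) echo "unknown flag: $f" >&2; return 1;;
    esac
    total=$(( total | b ))
  done
  IFS="$old_ifs"
  echo "$total"
}

# tcp_flags_match MASK COMP PKTFLAGS: succeeds (exit 0) when, looking only at the
# bits in MASK, the packet has exactly the bits in COMP set. This is the iptables rule.
tcp_flags_match() {
  m=$(flag_bits "$1") || return 2
  c=$(flag_bits "$2") || return 2
  p=$(flag_bits "$3") || return 2
  [ $(( p & m )) -eq $(( c & m )) ]
}

# bogus_flag_rule PKTFLAGS: print the "MASK COMP" of the first gist rule the packet
# would match (and therefore be DROPped by), or "pass" if none of the seven apply.
bogus_flag_rule() {
  pkt="$1"
  for rule in "FIN,SYN FIN,SYN" "SYN,RST SYN,RST" "FIN,RST FIN,RST" \
              "FIN,ACK FIN" "ACK,URG URG" "ACK,PSH PSH" "ALL NONE"; do
    set -- $rule                      # $1 = MASK, $2 = COMP
    if tcp_flags_match "$1" "$2" "$pkt"; then
      echo "$rule"
      return 0
    fi
  done
  echo "pass"
}

# Constructed sample packets: a normal handshake SYN, a normal FIN/ACK close,
# and a FIN+PSH+URG probe that carries FIN without ACK.
for sample in SYN FIN,ACK FIN,PSH,URG NONE; do
  printf '%-12s -> %s\n' "$sample" "$(bogus_flag_rule "$sample")"
done
```

Note that a normal `FIN,ACK` close and a `PSH,ACK` data segment both pass every rule, while `FIN,PSH,URG` is caught by the `FIN,ACK FIN` rule because, within the mask `FIN,ACK`, only `FIN` is set; a `MASK` narrower than `ALL` is what lets the rule ignore unrelated flags such as `PSH` and `URG`.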
# Check the Auth Log (sshd entries, /var/log/auth.log on Debian/Ubuntu;
# /var/log/secure on RHEL-family systems) for Malicious/Failed Login Attempts over SSH
sudo -E grep "Failed password for invalid user" /var/log/auth.log
# View the rules in an iptables chain (example: the user-defined `spamlist` chain);
# -n skips reverse DNS lookups and -v shows per-rule packet/byte counters
sudo -E iptables -L spamlist -n -v
# Example bash Script for Adding IP Addresses to iptables `spamlist`
# (one IPv4 address or CIDR block per line in the blocklist file; run as root,
# or prefix each iptables call with sudo as in the commands above)
iptables -N spamlist 2>/dev/null || true                                    # create the chain if it does not exist yet
iptables -C INPUT -j spamlist 2>/dev/null || iptables -I INPUT -j spamlist  # hook it into INPUT exactly once
while read -r ipblock; do
  [ -z "$ipblock" ] && continue                                             # skip blank lines
  iptables -A spamlist -s "$ipblock" -j LOG --log-prefix "DDOS SPAM DROPPED "
  iptables -A spamlist -s "$ipblock" -j DROP
  echo "Added: $ipblock to spamlist"
done < /path/to/ddos-blocklist.txt
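The auth-log grep above and the blocklist loop are two halves of one workflow: the grep shows who is failing logins, and the loop blocks whoever is in `/path/to/ddos-blocklist.txt`. What the gist does not show is the step in between, deciding which addresses belong in that file. The following is an added example (not from the original gist) that derives the blocklist from the log: it counts "Failed password for invalid user" lines per source address, keeps only addresses at or above a threshold, and validates that each survivor is a dotted-quad IPv4 address so that a malformed or IPv6 line can never be handed to `iptables -s`. The log lines, the threshold and the helper names are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): derive a blocklist of repeat
# offenders from sshd "Failed password" entries in the auth log.
# The lines below are constructed samples, not a real capture.
SAMPLE_AUTH_LOG='Feb 28 21:01:02 web sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 28 21:01:05 web sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb 28 21:01:09 web sshd[1240]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Feb 28 21:02:00 web sshd[1301]: Failed password for invalid user test from 198.51.100.23 port 40001 ssh2
Feb 28 21:03:10 web sshd[1350]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Feb 28 21:04:00 web sshd[1400]: Failed password for root from 198.51.100.23 port 40010 ssh2
Feb 28 21:05:00 web sshd[1450]: Failed password for invalid user admin from 2001:db8::1 port 60000 ssh2'

# failed_login_counts: read auth-log text on stdin and print "<count> <ip>" for
# every source address with "Failed password for invalid user" lines, most
# frequent first. Lines whose source is not a dotted-quad (e.g. IPv6) are dropped
# by the sed pattern; ip6tables would be needed for those.
failed_login_counts() {
  grep 'Failed password for invalid user' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# repeat_offenders THRESHOLD: print one address per line for every source with at
# least THRESHOLD failures, after a second IPv4 sanity check, so the output can be
# fed straight into the `spamlist` loop.
repeat_offenders() {
  failed_login_counts | awk -v t="$1" '
    $1 >= t && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }'
}

# blocklist_from_sample: run the pipeline over the constructed log with a
# threshold of 2 and return the resulting blocklist text.
blocklist_from_sample() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | repeat_offenders 2
}

# On a real host (as root) the same pipeline reads the live log, e.g.:
#   grep 'Failed password for invalid user' /var/log/auth.log \
#     | repeat_offenders 3 > /path/to/ddos-blocklist.txt
blocklist_from_sample
```

Only `203.0.113.7` reaches the blocklist at threshold 2: `198.51.100.23` has a single "invalid user" failure (its `root` failure is a different message and is deliberately not counted here), and the IPv6 source is filtered out. Tune the threshold to your own baseline of legitimate typos before wiring the output into the `spamlist` loop.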
# References
# - https://linux.die.net/man/8/iptables
# - https://security.stackexchange.com/questions/17632/iptables-ddos-protection-working-with-per-client-ip-address-counter-and-udp
# - https://www.cyberciti.biz/tips/block-spamming-scanning-with-iptables.html
# - https://adamtheautomator.com/iptables-rules/
# - https://www.digitalocean.com/community/tutorials/how-to-set-up-an-iptables-firewall-to-protect-traffic-between-your-servers