Last active
April 27, 2024 22:00
-
-
Save mattia-beta/bd5b1c68e3d51db933181d8a3dc0ba64 to your computer and use it in GitHub Desktop.
IPtables DDoS Protection for VPS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### 1: Drop invalid packets ### | |
| /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP | |
| ### 2: Drop TCP packets that are new and are not SYN ### | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP | |
| ### 3: Drop SYN packets with suspicious MSS value ### | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP | |
| ### 4: Block packets with bogus TCP flags ### | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
| ### 5: Block spoofed packets ### | |
| /sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP | |
| /sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP | |
| ### 6: Drop ICMP (you usually don't need this protocol) ### | |
| /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP | |
| ### 7: Drop fragments in all chains ### | |
| /sbin/iptables -t mangle -A PREROUTING -f -j DROP | |
| ### 8: Limit connections per source IP ### | |
| /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset | |
| ### 9: Limit RST packets ### | |
| /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP | |
| ### 10: Limit new TCP connections per second per source IP ### | |
| /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP | |
| ### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### | |
| #/sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack | |
| #/sbin/iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 | |
| #/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| ### SSH brute-force protection ### | |
| /sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set | |
| /sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP | |
| ### Protection against port scanning ### | |
| /sbin/iptables -N port-scanning | |
| /sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN | |
| /sbin/iptables -A port-scanning -j DROP |
What kind of attack can block?
https://www.stressthem.to/
I tested my server with this website but attack reaches the serverYou can analyze attack with tcpdump, view ips or packets which reaching server and block them.
How can block udp?
I am not sure if you are aware, but dropping all ICMP traffic is such a horrible idea. I would rate limit ICMP traffic and not completely drop it. There are some ICMP traffic that are required for network functionality!
You don't need rule 4 (Block packets with bogus TCP flags) since you have rule 2 (Drop TCP packets that are new and are not SYN). You have a redundant in your configuration.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You can analyze attack with tcpdump, view ips or packets which reaching server and block them.