[arch-general] IPTables DDoS
Nilesh Govindarajan
lists at itech7.com
Tue Jul 20 10:20:30 EDT 2010
On Tue, Jul 20, 2010 at 6:55 PM, vlad <vla at uni-bonn.de> wrote:
> On Tue, Jul 20, 2010 at 06:47:00PM +0530, Nilesh Govindarajan wrote:
>> On Tue, Jul 20, 2010 at 1:21 PM, vlad <vla at uni-bonn.de> wrote:
>> > Hello,
>> >
>> > The recent module is good for that:
>> > http://www.sollers.ca/blog/2008/iptables_recent
>> > http://www.google.com/search?q=iptables+recent
>> > I have in my fw script:
>> > "
>> > $TABLES -A limitations -m recent --name RECENT_FILTER --set
>> > $TABLES -A limitations -m recent --name RECENT_FILTER --rcheck --hitcount 6 -j recent_allowed_input
>> > $TABLES -A limitations --match limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "stuff: "
>> > $TABLES -A limitations -m recent --name RECENT_ALLOW --set
>> > $TABLES -A limitations -j DROP
>> >
>> > $TABLES -A recent_allowed_input -m recent --name RECENT_ALLOW --update --seconds 300 -j ACCEPT
>> > $TABLES -A recent_allowed_input -m recent --name RECENT_FILTER --remove -j DROP
>> > "
>> > Then you can do smth like
>> > "
>> > $TABLES -A INPUT <....> -j limitations
>> > "
>> > to apply the rules.
>> >
>> > Vlad
>> >
>> >
>>
>> Looks good, do your HTTP users face any problem with it?
> Don't know. I use this only with ssh and music daemon.
> Simply try.
>
>>
>
Friend, thanks a ton. I tested it with my IP itself, --hitcount 4. I
coupled it with the state module, to check for new connections.
It bans the IP for a minute when >4 requests are made in parallel.
--
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://j.mp/arHk5e
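Added example, not code from the thread: a dry-run shell script that builds the variant Nilesh describes (the recent module coupled with the state module, so only new TCP connections are counted, and the source dropped once it exceeds the hitcount within a minute). Chain and list names, the port and the log prefix are assumptions.

```shell
#!/bin/sh
# Rate-limit new connections per source with xt_recent + the state module.
# IPT defaults to a dry run that only prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# build_http_ratelimit PORT HITCOUNT SECONDS
# Emits (or applies) a chain HTTP_LIMIT that is entered only for NEW
# connections to PORT, so established traffic never touches the recent list.
build_http_ratelimit() {
    port="$1"; hits="$2"; secs="$3"
    $IPT -N HTTP_LIMIT 2>/dev/null
    $IPT -F HTTP_LIMIT
    # 1. record a timestamp for the source on every new connection
    $IPT -A HTTP_LIMIT -m recent --name HTTP_RECENT --set
    # 2. if the source now has >= HITCOUNT timestamps in the last SECONDS,
    #    log (rate-limited) and drop. Because --set runs first, the current
    #    packet is included in the count, so --hitcount 4 drops the 4th new
    #    connection within the window.
    $IPT -A HTTP_LIMIT -m recent --name HTTP_RECENT --rcheck --seconds "$secs" --hitcount "$hits" \
         -m limit --limit 3/min -j LOG --log-prefix "http-flood: "
    $IPT -A HTTP_LIMIT -m recent --name HTTP_RECENT --rcheck --seconds "$secs" --hitcount "$hits" -j DROP
    # 3. everything under the threshold continues down INPUT
    $IPT -A HTTP_LIMIT -j RETURN
    # Hook: count only new TCP connections to the port (state module).
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j HTTP_LIMIT
}
# Caveats: dropped packets still hit rule 1 and add a timestamp, so a client
# that keeps retrying stays blocked until it has been quiet for SECONDS;
# xt_recent stores at most ip_pkt_list_tot timestamps per address (module
# default 20), so a larger --hitcount needs that module parameter raised.
```

Run with `IPT=iptables sh script.sh` after appending a call such as `build_http_ratelimit 80 4 60`; the default dry run just prints the rules for review.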