[ale] DOS protection in iptables

Jim Kinney jim.kinney at gmail.com
Tue Apr 22 17:37:55 EDT 2014


That script was hoisted from here:

http://www.hermann-uwe.de/files/fw_laptop

That link has a better version and much better comments.


On Tue, Apr 22, 2014 at 4:39 PM, Chris Fowler
<cfowler at outpostsentinel.com>wrote:

> I had someone today ask me about tracking DNAT connections. I modified
> the iptables rules of the system to log new connections and I'm hammering
> it using Perl. Now that I have gone down the rabbit hole I'm interested in
> tweaking the standard rules to protect against DOS attacks. The user
> has no control over the rules until we get to the custom section so I'm
> looking to apply "best practices."
>
> I did find this info so some things I do will need to be via sysctl.
>
>
> https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/
>
> I'm not sure why my limit is not working for logging.  I'm trying to limit
> logging to 20/min so that we do not
> fill flash.  I'm seeing a limit of 5 in the log file.
>
> ------------- [ cut here ] -------------------------------------------------------------------
> #!/bin/sh
> ######################################################################
> # Flush all rules
> ######################################################################
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -P FORWARD ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -F
> /sbin/iptables -X
> /sbin/iptables -t nat -F
> /sbin/iptables -t nat -X
> /sbin/iptables -t mangle -F
> /sbin/iptables -t mangle -X
>
> ######################################################################
> # Enable Masquerading on net 1
> ######################################################################
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> ######################################################################
> # Create a target to log all new inbound connections
> ######################################################################
> /sbin/iptables -N LOGP
> # Limit logging to 20/min to prevent filling up flash.
> # Note: the limit match's default --limit-burst is 5, so the first 5 matching
> # packets are logged at once and the bucket then refills at 20/min (one token
> # every 3 seconds); packets that find no token skip LOG and hit the ACCEPT below.
> /sbin/iptables -A LOGP -j LOG -m limit --limit 20/min --log-prefix 'INBOUND TCP ' --log-level 4
> /sbin/iptables -A LOGP -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -i '!' lo -j LOGP
>
> ######################################################################
> # Create a DNAT rules per configuration and allow access
> # to them via PPP interfaces.
> ######################################################################
> # DNAT: 10.0.6.201 -> 192.168.1.201
> /sbin/iptables -t nat -A PREROUTING -d 10.0.6.201 -j DNAT --to-destination 192.168.1.201
> /sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT
> /sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT
> # DNAT: 10.0.6.254 -> 192.168.1.254
> /sbin/iptables -t nat -A PREROUTING -d 10.0.6.254 -j DNAT --to-destination 192.168.1.254
> /sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT
> /sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT
>
> ######################################################################
> # Apply any custom rules from iptables config (if any are enabled).
> ######################################################################
> ######################################################################
> # END
> ######################################################################
> ------------- [ cut here ] -------------------------------------------------------------------
>
> Thanks,
> Chris
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


http://heretothereideas.blogspot.com/
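The "limit of 5" Chris sees is the default --limit-burst of the limit match, not a broken --limit. The following is an added example (not code from this thread or from the fw_laptop script Jim links to): a small token-bucket model of the iptables limit match, run offline over a constructed flood of packets, so you can see how many lines "--limit 20/min" actually produces with the default burst of 5 versus an explicit "--limit-burst 20". It uses exact fractions where the kernel uses integer credits in jiffies; the shape of the behaviour is the same. The function and variable names are my own.

```python
"""Token-bucket model of the iptables `limit` match.

Added example, not part of the original thread. Reproduces offline what
`-m limit --limit 20/min` does with the default `--limit-burst 5` versus an
explicit `--limit-burst 20`, over a constructed packet flood.
"""
from fractions import Fraction
from typing import List, Tuple

UNIT_SECONDS = {"second": 1, "sec": 1, "minute": 60, "min": 60,
                "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Tuple[int, int]:
    """Parse an iptables rate such as '20/min' into (packets, seconds_per_unit)."""
    count, _, unit = spec.partition("/")
    if unit not in UNIT_SECONDS:
        raise ValueError("unknown rate unit: %r" % unit)
    return int(count), UNIT_SECONDS[unit]


class LimitMatch:
    """Models `-m limit --limit <rate> --limit-burst <burst>`.

    The bucket starts full with `burst` tokens; every matching packet spends
    one token; tokens refill continuously at `rate` per unit and never exceed
    `burst`. A packet that finds no token does NOT match the rule and falls
    through to the next rule in the chain (in the poster's LOGP chain that is
    the unconditional ACCEPT, so the packet is accepted but never logged).
    """

    def __init__(self, rate_spec: str, burst: int = 5):  # 5 = iptables default burst
        packets, seconds = parse_rate(rate_spec)
        self.per_second = Fraction(packets, seconds)
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def matches(self, now: Fraction) -> bool:
        """True if a packet arriving at `now` (seconds) matches; updates the bucket."""
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.per_second)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(rate_spec: str, burst: int, arrivals: List[Fraction]) -> List[Fraction]:
    """Return the arrival times (seconds) of the packets the LOG rule would see."""
    lm = LimitMatch(rate_spec, burst)
    return [t for t in arrivals if lm.matches(t)]


def constructed_flood(count: int, interval: str = "1/10") -> List[Fraction]:
    """Constructed input: `count` packets, one every `interval` seconds, from t=0."""
    step = Fraction(interval)
    return [step * i for i in range(count)]


if __name__ == "__main__":
    flood = constructed_flood(200, "1/10")   # 200 packets in 20 seconds
    for burst in (5, 20):
        logged = simulate("20/min", burst, flood)
        print("--limit 20/min --limit-burst %d: %d of %d packets logged, first at %s"
              % (burst, len(logged), len(flood), [float(t) for t in logged[:6]]))
```

With the default burst the flood produces 5 log lines immediately and then one every 3 seconds (11 lines over the 20-second flood); raising --limit-burst to 20 gives 20 lines immediately and the same 20/min trickle afterwards. Either way the average over a long flood is 20/min, which is what protects the flash; the burst only decides how many of the first packets of a new burst get logged.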

