linux 防ddos

vi /usr/src/iptables-ddos.sh

echo "/bin/sh /usr/src/iptables-ddos.sh" >> /etc/rc.local
(只追加一次即可；如果 /etc/rc.local 末尾已有 exit 0，这一行必须放在 exit 0 之前，否则开机不会执行。)

脚本如下:


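#!/bin/bash
#
# iptables-ddos.sh - basic SYN-flood, ping-flood, port-scan and source-spoofing
# protection for one public interface, plus the matching kernel tuning.
#
# Usage: /bin/sh /usr/src/iptables-ddos.sh   (kept POSIX-sh compatible, since
#        rc.local runs it through /bin/sh)
# Env:   IFACE - public interface name (default: eth0)
#
# NOTE: the script flushes the entire filter table before loading its rules,
# so rules loaded by anything else are lost. It does not change chain
# policies; packets not matched here fall through to the existing policy.

set -eu

IFACE=${IFACE:-eth0}
WEB_PORTS=80,443                   # ports covered by the SYN-flood logic
SERVICE_PORTS=22122,80,7777,1723   # ports that may receive new TCP connections
TRUSTED_NET=10.254.0.0/24          # private range that is still allowed in

# Tracking tables for "-m recent": ip_list_tot addresses per table and
# ip_pkt_list_tot packets remembered per address (every --hitcount below must
# stay <= ip_pkt_list_tot). The module was renamed ipt_recent -> xt_recent, so
# try the old name first and fall back to the new one; the parameters are the same.
modprobe ipt_recent ip_list_hash_size=0 ip_list_tot=16384 ip_pkt_list_tot=200 2>/dev/null \
  || modprobe xt_recent ip_list_hash_size=0 ip_list_tot=16384 ip_pkt_list_tot=200

# Start from an empty filter table. INPUT is flushed first so the jump into
# SYN_FLOODING is gone; otherwise -X fails on a re-run because the chain is
# still referenced. -X may also fail on the very first run (no chain yet),
# which is harmless.
iptables -t filter -F
iptables -X SYN_FLOODING 2>/dev/null || true
iptables -N SYN_FLOODING

# Connection-tracking basics: drop malformed/untracked packets, let
# replies to our own connections straight through.
iptables -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# SYN flood, stage 1: up to 300 SYNs at once and then 1 per minute are
# accepted directly on the web ports; anything beyond that rate is handed
# to the SYN_FLOODING chain.
iptables -A INPUT -i "$IFACE" -p tcp --syn -m multiport --dports "$WEB_PORTS" \
  -m limit --limit 1/m --limit-burst 300 -j ACCEPT
iptables -A INPUT -i "$IFACE" -p tcp --syn -m multiport --dports "$WEB_PORTS" -j SYN_FLOODING

# SYN flood, stage 2: a source already seen within the last 120 s is accepted;
# a source seen for the first time is recorded and its SYN dropped. A real TCP
# stack retransmits the SYN and is then accepted, while a spoofed or one-shot
# flood source never gets through.
iptables -A SYN_FLOODING -i "$IFACE" -p tcp --syn -m multiport --dports "$WEB_PORTS" \
  -m recent --name SYN_FLOOD --update --seconds 120 --hitcount 1 -j ACCEPT
iptables -A SYN_FLOODING -i "$IFACE" -p tcp --syn -m multiport --dports "$WEB_PORTS" \
  -m recent --name SYN_FLOOD --set
iptables -A SYN_FLOODING -i "$IFACE" -p tcp --syn -m multiport --dports "$WEB_PORTS" -j DROP

# Kernel-side SYN handling: fewer SYN/SYN-ACK retries, larger SYN backlog,
# SYN cookies on.
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ping flood: drop echo requests from a source that already sent 6 or more
# within 60 s; otherwise record the request.
iptables -A INPUT -p icmp --icmp-type 8 -m recent --name icmp_db --update --seconds 60 --hitcount 6 -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m recent --name icmp_db --set

# Port scan: any new connection from a source recorded 10 times within 1800 s
# is dropped. New SYNs to the service ports are accepted; every other packet
# that reaches this point is recorded against its source and then falls
# through to the chain policy. The recording rule also sees pings, which is
# why the ICMP rules above must stay in front of it.
iptables -A INPUT -p all -m state --state NEW -m recent --name port_scan --update --seconds 1800 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --syn -m state --state NEW -m multiport --dports "$SERVICE_PORTS" -j ACCEPT
iptables -A INPUT -p all -m recent --name port_scan --set

# Anti-spoofing: loopback, private (RFC 1918) and multicast sources must not
# arrive from the network. The trusted /24 is accepted before 10.0.0.0/8 is
# dropped, so the order of these two lines matters. Negation uses the
# "! -i" / "! -p" form; the older "-i !" form is deprecated in iptables.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -p all -s "$TRUSTED_NET" -j ACCEPT
iptables -A INPUT -p all -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p all -s 172.16.0.0/12 -j DROP
iptables -A INPUT -p all -s 192.168.0.0/16 -j DROP
iptables -A INPUT ! -p udp -s 224.0.0.0/4 -j DROP

# Reverse-path filtering on every interface: the kernel drops packets whose
# source address is not routable back out of the interface they came in on.
for rp_file in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rp_file"
done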
