iptables:Linux Iptables to block syn-flood attacks

A SYN flood is a form of denial-of-service attack in which an attacker sends asuccessionof SYN requests to a target’s system. This is awell knowntype of attack and is generally not effective against modern networks. It works if aserverallocates resources after receiving a SYN, but before it has received the ACK.

if Half-open connections bind resources on theserver, it may be possible to take up all these resources by flooding theserverwith SYN messages. Syn flood is common attack and it can be block with following iptables rules:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

【--syn 等价于 --tcp-flags SYN,表示发起连接】

【!--syn 表示RST和ACK的包】

All incoming connection are allowed till limit is reached:

*–limit 1/s: Maximum averagematchingrate in seconds
*–limit-burst 3: Maximum initial number of packets to match

We use this iptables rules for most of our managed clientserver

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
First rule will accept ping connections to 1 per second, with an initial burst of 1. If this level crossed it will log the packet with PING-DROP in /var/log/message file. Third rule will drop packet if it tries to cross this
 limit. Fourth and final rule will allow you to use the continue established ping request of existing connection.

Where,

*‐‐limit rate: Maximum averagematchingrate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default is 3/hour.
*‐‐limit‐burst number: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

You need to adjust the –limit-rate and –limit-burst according to yournetwork trafficand requirements.

Let us assume that you need to limit incoming connection to sshserver(port 22) no more than 10 connections in a 10 minute:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

http://pikt.org/pikt/samples/iptables_syn_flood_programs.cfg.html



你可能感兴趣的:(iptables)