IPTABLES protection against DoS

Written by Carl Friis-Hansen
Friday, 01 August 2008 10:16
Using iptables directly, it is pretty easy to protect against Denial of Service on, for example, SMTP port 25. In the example below, I protect port 22 (SSH) and port 25 (SMTP).

The first script should be named /etc/network/if-up.d/dos_protection and set to executable. Remember to change to the right interface; it might not be eth0.

```bash
#!/bin/bash
# name = /etc/network/if-up.d/dos_protection
[ "${METHOD}" != loopback ] || exit 0
# Record every new connection to port 22 in the "SSH" recent list.
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Drop it if the same source made 8 or more new connections in the last 60 seconds (TTL must match).
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
# Same two rules for SMTP on port 25, tracked in the "SMTP" list.
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
```

The second script removes the rules when the interface is brought down. It should be named /etc/network/if-down.d/dos_protection and set to executable. Remember to change to the right interface; it might not be eth0.

```bash
#!/bin/bash
#
# name = /etc/network/if-down.d/dos_protection
#
[ "${METHOD}" != loopback ] || exit 0
# Delete the exact rules added by the if-up.d script (same specification, -D instead of -A).
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
```

That's really that.
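As an added example (not the author's scripts), here is one script that can be linked into both if-up.d and if-down.d: it builds the same recent-module rules for a list of ports, chooses -A or -D from the hook directory it is run from, and uses `iptables -C` (iptables 1.4.11 or later) so a rule is never added twice or deleted when absent. IFACE, PORTS, SECONDS_WINDOW and HITCOUNT are names assumed here.

```bash
#!/bin/bash
# Assumed settings (not from the original page): override via the environment.
IFACE="${IFACE:-eth0}"      # change to the real interface
PORTS="${PORTS:-22 25}"     # 22 = SSH, 25 = SMTP, as on the page
SECONDS_WINDOW=60           # length of the window (--seconds)
HITCOUNT=8                  # new connections per source allowed in that window

# Map a port to the --name of its recent list (SSH/SMTP as on the page).
list_name() {
  case "$1" in
    22) echo SSH ;;
    25) echo SMTP ;;
    *)  echo "PORT$1" ;;
  esac
}

# Print the two rule specifications for one port, one per line:
# first the --set rule that records every NEW connection, then the
# --update rule that drops once HITCOUNT hits fall inside the window.
rules_for_port() {
  local port="$1" name="$2"
  echo "INPUT -i $IFACE -p tcp --dport $port -m state --state NEW -m recent --set --name $name"
  echo "INPUT -i $IFACE -p tcp --dport $port -m state --state NEW -m recent --update --seconds $SECONDS_WINDOW --hitcount $HITCOUNT --rttl --name $name -j DROP"
}

# Add (-A) or delete (-D) every rule; -C checks whether it is present first,
# so running the hook twice is harmless. $rule is split on purpose.
apply_rules() {
  local op="$1" port rule
  for port in $PORTS; do
    rules_for_port "$port" "$(list_name "$port")" | while IFS= read -r rule; do
      if [ "$op" = "-A" ]; then
        if ! /sbin/iptables -C $rule 2>/dev/null; then /sbin/iptables -A $rule; fi
      else
        if /sbin/iptables -C $rule 2>/dev/null; then /sbin/iptables -D $rule; fi
      fi
    done
  done
}

# ifupdown sets METHOD; skip the loopback interface like the original scripts.
if [ -n "${METHOD:-}" ] && [ "$METHOD" != loopback ]; then
  case "$0" in
    */if-up.d/*)   apply_rules -A ;;
    */if-down.d/*) apply_rules -D ;;
  esac
fi
```

Because the --set rule comes before the --update rule, the current connection is counted too, so the eighth new connection from one source inside 60 seconds is the one dropped.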