Wednesday, January 9, 2008

Linux iptables: limit the number of incoming TCP connections / SYN-flood attacks

Step 1: enable the iptables service in runlevels 3, 4 and 5

On a Red Hat-style system the iptables init script loads the rules saved in /etc/sysconfig/iptables at boot. Check which runlevels the service is enabled in, turn it on for 3, 4 and 5, then start it:

/sbin/chkconfig --list iptables

/sbin/chkconfig --level 345 iptables on

/sbin/service iptables status

/sbin/service iptables start

Rules added by hand with iptables -A exist only in the running kernel; run "/sbin/service iptables save" afterwards or they are gone at the next restart.


Step 2: basics of iptables

/sbin/iptables -L            # list the rules of the filter table (the default table)

/sbin/iptables -vL           # verbose: per-rule packet and byte counters, interfaces

/sbin/iptables -nL           # numeric output: no reverse DNS or /etc/services lookups, much faster

/sbin/iptables -t nat -L     # list the nat table; -L on its own shows only the filter table

/sbin/iptables -F            # flush (delete) every rule in every chain of the filter table

-F removes the rules but leaves the chain policies in place, so if the INPUT policy is DROP, flushing over an SSH session locks you out. Set the policies to ACCEPT first (iptables -P INPUT ACCEPT) or do it from the console. -F also does not delete user-defined chains (that is -X) or reset the counters (-Z).


Step 3: run this script

# Incoming SYN-flood protection: every new inbound TCP connection attempt
# (SYN set, ACK/RST/FIN clear) is diverted into the SYN_FLOOD chain, which
# lets through an average of 1 per second with a burst of 3 and drops the rest.

iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN   # under the rate: back to INPUT
iptables -A SYN_FLOOD -j DROP                                            # over the rate: drop

Note that "-m limit" keeps one token bucket for the whole rule, not one per source address: 1 SYN/s with a burst of 3 is a cap on all new inbound TCP connections across every port. That is fine for a workstation but far too low for a server, and during a real flood the bucket is permanently empty, so legitimate clients are dropped along with the attacker. The rule bounds how many SYNs reach the TCP stack; it does not tell attackers from users. For per-source limits use the hashlimit match (--hashlimit-mode srcip), and make sure the kernel's SYN cookies are on (net.ipv4.tcp_syncookies = 1), which stops half-open connections from exhausting the listen backlog in the first place.

# Limiting incoming ICMP echo requests (ping):

# Match echo-request only: a bare "-p icmp" would also drop ICMP error messages
# (destination-unreachable, fragmentation-needed) and break path MTU discovery.
# The log prefix is quoted, with a trailing space so the prefix stays separate
# from the IN= field that follows it. LOG is non-terminating and has its own
# limit bucket, so at most one dropped ping per second is logged, and the DROP
# rule after it still applies to every excess packet.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
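The steps above add rules one at a time to the running kernel. The script below is an added example, not the post's own script: it generates the complete, hardened version of the same ruleset in iptables-restore format (the format "service iptables save" writes to /etc/sysconfig/iptables) and loads it atomically. It replaces the single global limit bucket with a per-source hashlimit, adds a connlimit cap on concurrent connections per source, rate-limits only echo-request, and throttles the flood log itself. SSH_PORT, the rates and the chain name are assumptions to tune per host; it also assumes an iptables recent enough to have --hashlimit-upto and iptables-restore --test.

```shell
#!/bin/sh
# Added example, not the post's own script: generate the hardened ruleset in
# iptables-restore format, print it, or load it atomically with --apply.
#
# Differences from the step-3 script above:
#   - new-connection limiting is per source address (-m hashlimit), so one
#     flooding host cannot empty a single global bucket for everyone;
#   - -m connlimit caps concurrent connections per source (the "limit the
#     number of incoming tcp connections" half of the title);
#   - only ICMP echo-request is rate-limited; other ICMP types still pass;
#   - the log prefix is quoted with a trailing space, and the flood log is
#     itself rate-limited so an attack cannot fill the disk.
# Assumptions: iptables 1.4 or later (--hashlimit-upto, iptables-restore --test),
# SSH on SSH_PORT, and the illustrative rates below, which must be tuned per host.

SSH_PORT=${SSH_PORT:-22}
NEW_RATE=${NEW_RATE:-10/second}   # new TCP connections per source address
NEW_BURST=${NEW_BURST:-20}
CONN_MAX=${CONN_MAX:-25}          # concurrent connections per source address
PING_RATE=${PING_RATE:-1/second}

# gen_rules: write the complete filter table to stdout (comment lines are
# accepted by iptables-restore).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
# loopback and packets of connections we already track; keeps the admin's SSH alive
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# every inbound SYN is checked by the SYN_FLOOD chain first
-A INPUT -p tcp --syn -j SYN_FLOOD
# per-source token bucket: RETURN to INPUT while under the rate, otherwise log (throttled) and drop
-A SYN_FLOOD -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto $NEW_RATE --hashlimit-burst $NEW_BURST -j RETURN
-A SYN_FLOOD -m limit --limit 5/minute -j LOG --log-prefix "SYN-FLOOD: "
-A SYN_FLOOD -j DROP
# cap concurrent connections per source before accepting new ones
-A INPUT -p tcp --syn -m connlimit --connlimit-above $CONN_MAX --connlimit-mask 32 -j DROP
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
# echo-request only: limit, log the excess (one per second at most), drop the rest
-A INPUT -p icmp --icmp-type echo-request -m limit --limit $PING_RATE --limit-burst 1 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit $PING_RATE --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
-A INPUT -p icmp --icmp-type echo-request -j DROP
# other ICMP (errors, fragmentation-needed for path MTU discovery) must get through
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# apply_rules: parse the ruleset with --test first, then load it in one atomic
# commit, so a typo never leaves the kernel with a half-loaded table.
apply_rules() {
    gen_rules | iptables-restore --test || return 1
    gen_rules | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to load rules" >&2; exit 1; }
    apply_rules
else
    gen_rules
fi
```

Run it without arguments to review the generated table, redirect the output to /etc/sysconfig/iptables to make it the boot-time ruleset, or run it as root with --apply to load it now. Because the whole table is committed in one iptables-restore call, there is no window where the INPUT policy is DROP but the ACCEPT rules are not yet in place, which is the usual way a rule-by-rule script over SSH locks its author out.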




* -N : create a new user-defined chain.
* -A : append a rule to the end of a chain.
* INPUT : built-in chain of the filter table for packets addressed to this host (inbound traffic, from outside to this machine).
* OUTPUT : built-in chain for packets generated by this host (outbound traffic, from this machine to outside).
* LOG : write the packet headers to the kernel log with the given prefix ("PING-DROP: " above); on Red Hat-style systems the lines end up in /var/log/messages, on Debian-style systems in /var/log/syslog. LOG is non-terminating: the packet continues to the next rule, which is why a DROP follows it.
* --syn : only match TCP packets with the SYN bit set and the ACK, RST and FIN bits cleared. Such packets are used to request TCP connection initiation.
* --limit rate : maximum average matching rate, specified as a number with an optional '/second', '/minute', '/hour' or '/day' suffix; the default is 3/hour.
* --limit-burst number : maximum initial number of packets to match; this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.


* ACCEPT :means to let the packet through.

* DROP : means to drop the packet on the floor.

* QUEUE : means to pass the packet to userspace.

* RETURN :
means stop traversing this chain and resume at the next rule in the previous
(calling) chain. If the end of a built-in chain is reached or a rule
in a built-in chain with target RETURN is matched, the target specified
by the chain policy determines the fate of the packet.
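The LOG target writes one kernel log line per packet, with the prefix followed by IN=, OUT=, SRC=, DST=, PROTO= and the other header fields. The script below is an added example, not from the original post, that turns those lines into a per-source count so you can see who is being throttled. SAMPLE_LOG is constructed to match the LOG line format; on a real host feed it /var/log/messages (Red Hat-style) or /var/log/syslog (Debian-style) instead.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the LOG target's output
# per source address, so the "PING-DROP: " and "SYN-FLOOD: " lines become a
# quick list of who is being throttled. SAMPLE_LOG below is constructed to
# match the kernel's LOG line format (IN=/OUT=/SRC=/DST=/PROTO= fields); on a
# real host read /var/log/messages (Red Hat-style) or /var/log/syslog (Debian).

SAMPLE_LOG='Jan  9 10:00:01 fw kernel: PING-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan  9 10:00:02 fw kernel: PING-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Jan  9 10:00:02 fw kernel: PING-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=17 SEQ=1
Jan  9 10:00:03 fw kernel: SYN-FLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 10:00:03 fw sshd[1234]: Accepted publickey for admin from 192.0.2.99 port 50000 ssh2'

# drop_counts PREFIX [FILE...]: print "<count> <source>" for every kernel log line
# tagged PREFIX, busiest source first. Reads stdin when no file is given.
drop_counts() {
    prefix=$1
    shift
    awk -v tag="kernel: $prefix:" '
        index($0, tag) {
            # the SRC= field position varies (MAC= is absent on some interfaces), so scan for it
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") { n[substr($i, 5)]++; break }
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' "$@" | sort -rn
}

# top_source PREFIX [FILE...]: only the busiest source, e.g. for an ad-hoc block rule
top_source() {
    drop_counts "$@" | head -n 1 | cut -d' ' -f2
}

printf '%s\n' "$SAMPLE_LOG" | drop_counts PING-DROP
```

Matching on "kernel: PREFIX:" rather than on the prefix alone keeps lines from other daemons that happen to contain the same word out of the count, and scanning for the SRC= field instead of using a fixed column number keeps the parser correct on interfaces where the MAC= field is missing. Because LOG is itself rate-limited in the rules above, the counts are a lower bound on the packets actually dropped, not an exact figure.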

1 comment:

Unknown said...

It's nice. Really useful blog. Good work keeping this updated! linux flash drive Thanks a lot!