Benötigen Sie IP-Tabellenregeln, um DoS/DDoS-Angriffe (IP-Spoofing und SYN-Flood-Angriffe) zu blockieren?

Question

#!/bin/bash
# Variables
IPTABLES="/sbin/iptables"
RLIMIT="-m limit --limit 10/s --limit-burst 10"
#---------------------------------------------------------------------------
# Drop invalid packets 
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
#----------------------------------------------------------------------------
#  Drop TCP packets that are new and are not SYN 
$IPTABLES -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
#---------------------------------------------------------------------------------------
#  Drop SYN packets with suspicious MSS value
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
#-------------------------------------------------------------------------------------------------------
# Block packets with bogus TCP flags
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#---------------------------------------------------------------------------------------
# Limit TCP connections per source IP
$IPTABLES -A INPUT -p tcp -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
#-----------------------------------------------------------------------------------------
# Protection against SYN FLOOD
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD $RLIMIT -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP
#-------------------------------------------------------------------------------------------
# Save the rules
/sbin/iptables-save

Answer 1

#!/bin/bash
# Variables
IPTABLES="/sbin/iptables"
RLIMIT="-m limit --limit 10/s --limit-burst 10"
#---------------------------------------------------------------------------
# Drop invalid packets 
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
#----------------------------------------------------------------------------
#  Drop TCP packets that are new and are not SYN 
$IPTABLES -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
#---------------------------------------------------------------------------------------
#  Drop SYN packets with suspicious MSS value
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
#-------------------------------------------------------------------------------------------------------
# Block packets with bogus TCP flags
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#---------------------------------------------------------------------------------------
# Limit TCP connections per source IP
$IPTABLES -A INPUT -p tcp -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
#-----------------------------------------------------------------------------------------
# Protection against SYN FLOOD
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD $RLIMIT -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP
#-------------------------------------------------------------------------------------------
# Save the rules
/sbin/iptables-save

Benötigen Sie IP-Tabellenregeln, um DoS/DDoS-Angriffe (IP-Spoofing und SYN-Flood-Angriffe) zu blockieren?

Antwort1

verwandte Informationen