Created
March 30, 2018 03:03
-
-
Save Calvin-Huang/44612ce878f1fcbfc6dd749ea4b5cd98 to your computer and use it in GitHub Desktop.
Minecraft Anti-DDoS iptables configuration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *raw | |
| :PREROUTING ACCEPT [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| -A PREROUTING -p tcp -m tcp --dport 25565 -j CT --notrack | |
| COMMIT | |
| *mangle | |
| :PREROUTING ACCEPT [0:0] | |
| :INPUT ACCEPT [0:0] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :POSTROUTING ACCEPT [0:0] | |
| :WHITELIST - [0:0] | |
| :SYN_FLOOD - [0:0] | |
| # Drop invalid packets | |
| -A PREROUTING -m conntrack --ctstate INVALID -j DROP | |
| # Drop TCP packets that are new and are not SYN | |
| -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP | |
| # Block packets with bogus TCP flags | |
| -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP | |
| -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | |
| -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | |
| -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP | |
| -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
| # Block spoofed packets | |
| -A PREROUTING -s 224.0.0.0/3 -j DROP | |
| -A PREROUTING -s 169.254.0.0/16 -j DROP | |
| -A PREROUTING -s 172.16.0.0/12 -j DROP | |
| -A PREROUTING -s 192.0.2.0/24 -j DROP | |
| -A PREROUTING -s 192.168.0.0/16 -j DROP | |
| -A PREROUTING -s 10.0.0.0/8 -j DROP | |
| -A PREROUTING -s 0.0.0.0/8 -j DROP | |
| -A PREROUTING -s 240.0.0.0/5 -j DROP | |
| -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP | |
| # Drop ICMP packets | |
| -A PREROUTING -p icmp -j DROP | |
| # Drop fragments in all chains | |
| -A PREROUTING -f -j DROP | |
| # Drop unwanted packets | |
| -A PREROUTING -p tcp -j WHITELIST | |
| -A WHITELIST -i lo -j RETURN | |
| -A WHITELIST -p tcp -m tcp --dport 22 -j RETURN | |
| -A WHITELIST -p tcp -m tcp --dport 80 -j RETURN | |
| -A WHITELIST -p tcp -m tcp --dport 443 -j RETURN | |
| -A WHITELIST -p tcp -m tcp --dport 25565 -j RETURN | |
| -A WHITELIST -p tcp -m tcp --sport 25565 -j RETURN | |
| -A WHITELIST -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN | |
| -A WHITELIST -j DROP | |
| # Drop SYN flood packets | |
| -A PREROUTING -p tcp --syn -j SYN_FLOOD | |
| -A SYN_FLOOD -m limit --limit 10000/s --limit-burst 10000 -j RETURN | |
| -A SYN_FLOOD -j DROP | |
| COMMIT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanks <3