@millken
Last active November 30, 2016 02:58
iptables 1.4.8 tricks
limit ICMP echo requests per source with the recent module: the first rule records every ping, the second drops a ping when the source has already sent one within the last 3 seconds
```
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --set
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 3 --hitcount 2 -j DROP
```
or, instead of dropping, add the source to an ipset blacklist (the set `blacklist` has to exist before this rule is loaded, and a separate `-m set` rule has to drop its members)
```
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 3 --hitcount 2 -j SET --add-set blacklist src
```
null route a host: packets destined to 192.168.1.1 are discarded in the routing lookup, so traffic from that host gets no replies (and, with rp_filter enabled, fails the reverse path check on the way in)
```
ip route add blackhole 192.168.1.1/32
```
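The two recent-module rules above are easy to misread, so here is an added example (my script, not code from the gist) that models, for one source address, how xt_recent evaluates them: the `--set` rule appends a timestamp for every packet; the `--update` rule counts the timestamps inside the last `--seconds` window, matches once `--hitcount` of them are in it and, because it is `--update` rather than `--rcheck`, appends one more timestamp on a match. The consequence the simulation shows is that a host that trips the rule stays dropped until it has been silent for the whole window, because every further packet keeps the counter above the threshold. The 20-entry list size is the xt_recent `ip_pkt_list_tot` default; on older kernels (the 2.6 series contemporary with iptables 1.4.8) `--hitcount` cannot exceed it, so 20, as in the dynamic blacklist comment further down, is the ceiling unless the module is loaded with a larger value. Integer arrival times in seconds are an assumption of the model.

```shell
#!/usr/bin/env bash
# Added example: models the xt_recent bookkeeping behind the two ICMP rules
# above for ONE source address. Per packet, rule 1 (-m recent --set) appends a
# timestamp; rule 2 (--update --seconds S --hitcount N) counts timestamps
# that fall inside the last S seconds, matches once N are inside the window
# and, because it is --update rather than --rcheck, appends another
# timestamp on a match. A match means -j DROP.
# Assumptions: integer arrival times in seconds; no other rule touches the list.

LIST_TOT=20   # xt_recent ip_pkt_list_tot default: timestamps kept per address

# push_stamp "STAMPS" T: appends T, keeping only the newest LIST_TOT stamps
# (xt_recent keeps the per-address list as a ring buffer of that size).
push_stamp() {
    # shellcheck disable=SC2086
    set -- $1 $2
    while [ "$#" -gt "$LIST_TOT" ]; do shift; done
    echo "$*"
}

# simulate SECONDS HITCOUNT T1 T2 ...: prints one verdict per packet,
# A = accepted (fell through rule 2), D = dropped by rule 2.
simulate() {
    local secs=$1 hits=$2 now t n stamps="" out=""
    shift 2
    for now in "$@"; do
        stamps=$(push_stamp "$stamps" "$now")        # rule 1: --set
        n=0                                           # rule 2: --update
        for t in $stamps; do
            if [ $((now - t)) -le "$secs" ]; then n=$((n + 1)); fi
        done
        if [ "$n" -ge "$hits" ]; then
            stamps=$(push_stamp "$stamps" "$now")    # --update refreshes on match
            out="$out D"
        else
            out="$out A"
        fi
    done
    echo "${out# }"
}

# pings at t = 0, 1, 2, 6, 7 s against --seconds 3 --hitcount 2
simulate 3 2 0 1 2 6 7
```

Run as-is it prints the verdicts for pings at 0, 1, 2, 6 and 7 seconds under `--seconds 3 --hitcount 2`: the first ping is accepted, the next two dropped, the one after a 4-second gap accepted, the one right after it dropped again. Change the second argument to 20 and feed a burst at the same second to see the 80/443 threshold from the comment below trip on exactly the 20th connection.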
millken commented Nov 28, 2016

```
# accept packets of connections that are already established and packets related to ones this host sent out;
# without this step the TCP connections later on cannot be established
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

millken commented Nov 28, 2016

ipset

```
# Canada
# ipset 4.x syntax: -F flush, -N create (nethash = hash:net), -A add
ipset -F ca.zone
ipset -N ca.zone nethash
# -q keeps wget's progress output off the terminal; the list is one CIDR per line
for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/ca.zone)
        do ipset -A ca.zone $IP
        echo $IP
done
# drop ports 21-25 (FTP, SSH, Telnet, SMTP) and 135-139 (MS-RPC/NetBIOS) from every prefix in the set
iptables -A INPUT -m set --match-set ca.zone src -p tcp -m multiport --dports 21:25,135:139 -j DROP
```
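Adding a country list one `ipset -A` at a time is slow, and flushing the live set first leaves a window in which nothing is blocked. The script below is an added example (mine, not the gist author's) that loads the same kind of list in bulk through `ipset restore`, validates each line so a truncated or tampered download cannot replace a working set, and swaps the new set into place atomically. It uses the ipset 6 syntax (`create`/`add`/`hash:net`) that the later dynamic blacklist comment also uses. The embedded zone list is constructed sample data standing in for the ipdeny file; the set name `ca.zone` and the `hashsize`/`maxelem` values are assumptions, and nothing is applied to the kernel unless `APPLY=1` is set.

```shell
#!/usr/bin/env bash
# Added example, not the gist author's script: load a country prefix list
# into ipset in bulk (one "ipset restore" instead of one "ipset -A" per
# prefix) and swap it into place atomically, so the live set is never empty
# while it reloads. Uses ipset 6 syntax (create/add/hash:net), as the
# later "dynmic-blacklist" comment does. Nothing is applied unless APPLY=1.
set -u

# Constructed stand-in for http://www.ipdeny.com/ipblocks/data/countries/ca.zone
# (one CIDR per line). Fetch the real one with: curl -fsSL "$URL"
SAMPLE_ZONE='# comment and blank lines are skipped
192.0.2.0/24
198.51.100.0/25

203.0.113.0/24'

# zone_to_restore SETNAME < zone-file: prints an "ipset restore" script that
# fills SETNAME.tmp. Fails (status 1) on a malformed line or an empty list,
# so a truncated or tampered download never replaces a working set.
zone_to_restore() {
    local name=$1 line n=0
    printf 'create %s.tmp hash:net family inet hashsize 4096 maxelem 65536\n' "$name"
    printf 'flush %s.tmp\n' "$name"
    while IFS= read -r line; do
        line=${line%$'\r'}                       # tolerate CRLF
        case $line in ''|'#'*) continue ;; esac
        case $line in                            # digits, dots and one slash only
            *[!0-9./]*|*/*/*) echo "zone_to_restore: bad entry: $line" >&2; return 1 ;;
        esac
        printf 'add %s.tmp %s\n' "$name" "$line"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# load_zone SETNAME < zone-file: build SETNAME.tmp, swap it with SETNAME,
# destroy the old contents. -exist makes create/restore idempotent.
load_zone() {
    local name=$1 script
    script=$(zone_to_restore "$name") || return 1
    ipset -exist create "$name" hash:net family inet hashsize 4096 maxelem 65536
    printf '%s\n' "$script" | ipset -exist restore
    ipset swap "$name.tmp" "$name"
    ipset destroy "$name.tmp"
}

if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_ZONE" | load_zone ca.zone
    # the same DROP as in the comment above, now against a set that reloads safely
    iptables -A INPUT -m set --match-set ca.zone src -p tcp -m multiport --dports 21:25,135:139 -j DROP
else
    printf '%s\n' "$SAMPLE_ZONE" | zone_to_restore ca.zone
fi
```

Without `APPLY=1` the script only prints the restore script, which is the thing to review before trusting a freshly downloaded list; `ipset swap` requires both sets to have the same type, which is why the live set is created with the same parameters as the temporary one.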

millken commented Nov 28, 2016

system dynamic blacklist

```
# hash:ip set whose entries expire after 300 s, so a ban lifts itself
ipset create dynmic-blacklist hash:ip hashsize 4096 timeout 300
# drop anything from a blacklisted source
iptables -A INPUT -m set --match-set dynmic-blacklist src -j DROP
# count NEW connections to 80/443 per source; 20 within 3 s adds the source to the set
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 3 --hitcount 20 -j SET --add-set dynmic-blacklist src
```
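The rules in this comment and the ICMP rules in the gist body only work together when a few things line up, so here they are assembled as an added example (my script, not the author's): the ipset is created before any rule names it (iptables refuses a `-m set` or `-j SET` rule for a set that does not exist), the blacklist DROP sits before the ESTABLISHED accept so a banned host's open connections die too, each `-m recent --set` precedes its `--update`, and the two limiters get their own `--name`, because without one both use the list called `DEFAULT` and pings would count towards the HTTP hit count. Since `SET` is a non-terminating target, the packet that triggers a ban is dropped by an extra set match rather than slipping through. The chain name `THROTTLE`, the list names `ping` and `http`, the 300 s ban and the port list are assumptions; the set name is the one from the comment. Nothing is loaded unless `APPLY=1` is set; otherwise the ruleset is printed in iptables-restore format for review.

```shell
#!/usr/bin/env bash
# Added example, not the gist author's code: the ICMP limiter from the gist
# body and the 80/443 limiter from this comment assembled in an order that
# works. The ipset is created before any rule names it (iptables refuses a
# -m set / -j SET rule for a set that does not exist); the blacklist DROP
# comes before the ESTABLISHED accept so a banned host's open connections
# die too; each -m recent --set precedes its --update; and the two limiters
# get their own --name, because without one both would share the list
# called DEFAULT and pings would count towards the HTTP hit count.
# Assumed names: chain THROTTLE, list names ping/http, 300 s ban, ports 80,443.
set -u

BLACKLIST=dynmic-blacklist   # set name from the comment above
BAN_SECONDS=300              # entries expire on their own (ipset timeout)
HTTP_PORTS=80,443

# render_rules: prints the ruleset in iptables-restore format so it can be
# reviewed or diffed before it is loaded. Lines starting with # are ignored
# by iptables-restore.
render_rules() {
    cat <<EOF
*filter
:THROTTLE - [0:0]
# 1. banned sources first, before anything is accepted
-A INPUT -m set --match-set $BLACKLIST src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 2. only pings and NEW connections to the web ports are counted
-A INPUT -p icmp --icmp-type echo-request -j THROTTLE
-A INPUT -p tcp -m multiport --dports $HTTP_PORTS -m conntrack --ctstate NEW -j THROTTLE
# 3. per-protocol counters: --set, then --update with the same --name
-A THROTTLE -p icmp -m recent --set --name ping
-A THROTTLE -p icmp -m recent --update --seconds 3 --hitcount 2 --name ping -j SET --add-set $BLACKLIST src
-A THROTTLE -p tcp -m recent --set --name http
-A THROTTLE -p tcp -m recent --update --seconds 3 --hitcount 20 --name http -j SET --add-set $BLACKLIST src
# SET is non-terminating: also drop the packet that caused the ban
-A THROTTLE -m set --match-set $BLACKLIST src -j DROP
-A THROTTLE -j RETURN
COMMIT
EOF
}

# rule_index PATTERN: line number of the first rule matching PATTERN in the
# rendered output; used to check ordering without loading anything.
rule_index() {
    render_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# apply_rules: create the set (idempotent), then add the rules to the running
# filter table. -n/--noflush keeps existing rules; re-running appends the
# INPUT lines again, so load once or use a full ruleset file instead.
apply_rules() {
    ipset -exist create "$BLACKLIST" hash:ip hashsize 4096 timeout "$BAN_SECONDS"
    render_rules | iptables-restore -n
}

if [ "${APPLY:-0}" = 1 ]; then apply_rules; else render_rules; fi
```

`render_rules | iptables-restore -n --test` (where the installed iptables-restore supports `--test`) checks the syntax without touching the running policy; `rule_index` is there so the ordering constraints above can be asserted in a script rather than eyeballed.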

millken commented Nov 29, 2016


```
# record every UDP packet of up to 1024 bytes in the recent list "GetStatus"
iptables -A INPUT -p udp -m length --length 1:1024 -m recent --set --name GetStatus
# drop a Quake III engine "getstatus" query (four 0xff bytes, then the ASCII command)
# when the source has sent 5 or more UDP packets within the last second
iptables -A INPUT -p udp -m string --algo bm --hex-string "|ff ff ff ff 67 65 74 73 74 61 74 75 73|" -m recent --update --seconds 1 --hitcount 5 --name GetStatus -j DROP
```

millken commented Nov 29, 2016

test

```
# five short connections to sshd in a row
for i in $(seq 1 5); do
  echo 'exit' | nc 192.168.1.1 22
done
# open new HTTP connections as fast as possible; prints one # per request
while true; do curl http://00/ &> /dev/null; echo -n "#"; sleep 0.01; done
```
