@tuxmartin
Last active August 31, 2022 06:47
IPTABLES - limit connections & security

syn-flood protection

Limit the number of incoming TCP connections.

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

--limit 1/s: maximum average matching rate, here one packet per second

--limit-burst 3: maximum number of packets to match initially, before the average rate applies
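To see what the two parameters do together, here is a small simulation of the `limit` match as a token bucket (the usual model of the kernel's credit-based implementation). This is an added example, not code from the gist: the bucket starts with `burst` tokens, refills at `rate` tokens per second, a SYN that finds a token is matched (`-j RETURN`, so it continues through INPUT) and everything else falls through to `-j DROP`. The arrival times are constructed. Note that `limit` keeps one global counter, not one per source, so a flood from one host also consumes the tokens a legitimate client would need; `-m hashlimit --hashlimit-mode srcip` is the per-source variant.

```python
"""Token-bucket model of `-m limit --limit 1/s --limit-burst 3` (added example)."""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate: float                      # tokens per second   (--limit 1/s)
    burst: int                       # bucket capacity     (--limit-burst 3)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        # the bucket is full when the rule is installed
        self.tokens = float(self.burst)

    def match(self, now: float) -> bool:
        # refill in proportion to elapsed time, never above the burst size
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_syn_flood_chain(arrivals, rate=1.0, burst=3):
    """Walk the syn_flood chain for SYN arrival times (seconds).

    Returns (accepted, dropped): accepted SYNs hit the limit rule and RETURN,
    the rest reach the unconditional DROP.
    """
    lm = LimitMatch(rate, burst)
    accepted = dropped = 0
    for t in sorted(arrivals):
        if lm.match(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def flood_then_legit():
    """Constructed scenario: ten SYNs at t=0 from a flooder, one legitimate SYN at t=0.5."""
    arrivals = [0.0] * 10 + [0.5]
    return run_syn_flood_chain(arrivals)


if __name__ == "__main__":
    print("flood of 10 at t=0:", run_syn_flood_chain([0.0] * 10))
    print("flood + legit SYN at t=0.5:", flood_then_legit())
```

In the second scenario the legitimate SYN is dropped as well, because the flood emptied the shared bucket and only half a token has been refilled by t=0.5.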

Limit incoming connections to a single TCP port.

Limit incoming connections to the HTTP server (TCP port 80) to no more than 4 connections in 10 seconds per source address.

iptables -I INPUT 1 -p tcp --dport 80 -m state --state NEW -m recent --name http --update --seconds 10 --hitcount 5 -j REJECT --reject-with tcp-reset
iptables -I INPUT 2 -p tcp --dport 80 -m state --state NEW -m recent --name http --set

or, dropping silently instead of answering with a TCP reset:

iptables -I INPUT 1 -p tcp --dport 80 -m state --state NEW -m recent --name http --update --seconds 10 --hitcount 5 -j DROP
iptables -I INPUT 2 -p tcp --dport 80 -m state --state NEW -m recent --name http --set
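The `recent` match keeps a per-source list of timestamps, so the effect of these two rules depends on which one a new connection meets first. The simulation below is an added example, not code from the gist, and follows my reading of the kernel's xt_recent logic (stated here as an assumption): a `--set` rule appends a timestamp for the source, a `--update`/`--rcheck` rule matches when at least `hitcount` timestamps fall inside the last `seconds`, and `--update` additionally appends a timestamp when it matches. Because the gist inserts the `--update` rule at position 1 and the `--set` rule at position 2, the check runs before the set; `check_first=False` models the opposite order, which is where the off-by-one between "hitcount 5" and "4 connections" comes from. The addresses and times are constructed.

```python
"""Per-source sliding-window model of `-m recent --set` / `--update --seconds --hitcount` (added example)."""
from collections import defaultdict


class RecentTable:
    def __init__(self, seconds, hitcount, max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.max_stamps = max_stamps       # ip_pkt_list_tot default of xt_recent
        self.stamps = defaultdict(list)    # src -> timestamps, newest last

    def set(self, src, now):
        """--set: record this packet for its source."""
        s = self.stamps[src]
        s.append(now)
        del s[:-self.max_stamps]           # keep only the newest entries

    def update(self, src, now):
        """--update --seconds S --hitcount N: match when N or more hits are in the window."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.set(src, now)             # --update refreshes the entry on match
            return True
        return False


def simulate(attempts, seconds=10, hitcount=5, check_first=True):
    """attempts: list of (time, src) for NEW connections. Returns src -> list of verdicts.

    REJECT means the --update rule fired (the gist's -j REJECT/DROP); PASS means the
    packet fell through both rules to the rest of INPUT.
    """
    table = RecentTable(seconds, hitcount)
    verdicts = defaultdict(list)
    for now, src in sorted(attempts):
        if check_first:                    # gist order: rule 1 = --update, rule 2 = --set
            if table.update(src, now):
                verdicts[src].append("REJECT")
                continue
            table.set(src, now)
            verdicts[src].append("PASS")
        else:                              # --set evaluated before --update
            table.set(src, now)
            verdicts[src].append("REJECT" if table.update(src, now) else "PASS")
    return dict(verdicts)


def passes_before_block(hitcount=5, check_first=True):
    """How many back-to-back connections one source gets before the first REJECT."""
    src = "198.51.100.7"                   # constructed address
    attempts = [(i, src) for i in range(hitcount + 2)]
    return simulate(attempts, hitcount=hitcount, check_first=check_first)[src].index("REJECT")


if __name__ == "__main__":
    print("check first (gist order):", passes_before_block(check_first=True))
    print("set first:               ", passes_before_block(check_first=False))
```

Two further properties worth checking against the model: the window is per source, so a second address is unaffected by the first one's hits, and once the stamps are older than `--seconds` the source is allowed through again.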

Force SYN packets check

Make sure new incoming TCP connections start with a SYN packet; otherwise drop them.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Drop incoming fragmented packets. Fragment attacks can cause a Linux server to panic, with data loss as a result.

iptables -A INPUT -f -j DROP

XMAS packets

Drop incoming malformed XMAS packets (all TCP flags set).

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Drop incoming malformed NULL packets (no TCP flags set).

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
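The three flag rules above are pure header tests, so they can be reproduced on raw bytes. The parser below is an added example, not code from the gist: it reads the flags byte of a TCP header and applies the same tests iptables uses, namely `--syn` (SYN set with ACK, RST and FIN clear), `--tcp-flags ALL ALL` and `--tcp-flags ALL NONE`, where iptables' `ALL` means FIN,SYN,RST,PSH,ACK,URG and leaves the ECE and CWR bits out of the mask. The `conntrack_state` argument stands in for what the state match would see; only the first rule carries `--state NEW`, so the XMAS and NULL rules apply whatever state conntrack assigned. The headers are constructed with `make_header`.

```python
"""Flag tests behind `! --syn`, `--tcp-flags ALL ALL` and `--tcp-flags ALL NONE` (added example)."""
import struct

# TCP flag bits in wire order (low bit first): FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ALL = FIN | SYN | RST | PSH | ACK | URG      # iptables "ALL": the six classic flags


def tcp_flags(header: bytes) -> int:
    """Return the flags byte of a TCP header (byte 13, after the data-offset nibble)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def is_syn(flags: int) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN clear."""
    return flags & (SYN | ACK | RST | FIN) == SYN


def is_xmas(flags: int) -> bool:
    """--tcp-flags ALL ALL: every bit of the ALL mask set (ECE/CWR ignored)."""
    return flags & ALL == ALL


def is_null(flags: int) -> bool:
    """--tcp-flags ALL NONE: no bit of the ALL mask set."""
    return flags & ALL == 0


def verdict(header: bytes, conntrack_state: str = "NEW") -> str:
    """Walk the gist's flag rules in order and return the first match."""
    f = tcp_flags(header)
    if conntrack_state == "NEW" and not is_syn(f):
        return "DROP: NEW but not SYN"     # iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    if is_xmas(f):
        return "DROP: XMAS"                # iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    if is_null(f):
        return "DROP: NULL"                # iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    return "PASS"


def make_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options): seq/ack 0, data offset 5, window 65535."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    for name, flags in (("SYN", SYN), ("XMAS", ALL), ("NULL", 0), ("ACK only", ACK)):
        print(f"{name:9s} NEW -> {verdict(make_header(flags))}")
```

A handy consequence of the order of the rules: for a packet conntrack classifies as NEW, a XMAS or NULL header is already caught by the `! --syn` rule, so the two dedicated rules mainly matter for packets in other states.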