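#!/usr/bin/env bash
# Host firewall for a server exposing MySQL (3306) and HTTP (80) on eth0.
# The rules are appended to INPUT without flushing first, so running this twice
# stacks duplicate rules — flush INPUT (or restore a saved set) before re-running.
# No INPUT default policy is set here; traffic matched by nothing below follows
# whatever policy is already configured.
set -eu

# Loopback is always trusted.
iptables -A INPUT -i lo -j ACCEPT

# MySQL: cap concurrent connections per source, allow the listed hosts,
# rate-limited log + drop everybody else.
iptables -t filter -A INPUT -i eth0 -p tcp -s 0/0 --dport 3306 -m connlimit --connlimit-above 35 -j REJECT
for mysql_client in 91.121.90.167 94.23.240.37 94.23.228.85; do
  iptables -A INPUT -s "$mysql_client" -p tcp --dport 3306 -j ACCEPT
done
# The wiki version also accepted "-s 127.0.0.1" on any interface. Loopback is
# already accepted above, and a 127.0.0.1 source arriving on eth0 can only be
# spoofed, so that rule is deliberately not reproduced.
# LOG is a non-terminating target: with the DROP commented out (as on the wiki)
# unlisted hosts were merely logged and then fell through to the INPUT policy.
# The LOG rule is rate-limited so a port scan cannot fill the log.
iptables -A INPUT -s 0/0 -p tcp --dport 3306 -m limit --limit 10/s --limit-burst 20 -j LOG --log-prefix "MYSQL-DROP:"
iptables -A INPUT -s 0/0 -p tcp --dport 3306 -j DROP

# www: per-source connection cap only; HTTP itself stays open to everyone.
iptables -t filter -A INPUT -i eth0 -p tcp -s 0/0 --dport 80 -m connlimit --connlimit-above 40 -j REJECT

# Fully trusted management host (every protocol and port).
iptables -A INPUT -s 91.121.90.167 -j ACCEPT

# SYN-flood throttle. The chain is created when missing and emptied otherwise,
# so re-running the script does not stack duplicate rules inside it.
iptables -N syn_flood 2>/dev/null || iptables -F syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
# Order matters: the RETURN bucket hands normal SYN rates back to INPUT first;
# only SYNs above that rate reach the (separately rate-limited) LOG and the DROP.
# With LOG placed before RETURN, every ordinary SYN was tagged SYNFLOOD: while
# the packets actually dropped were never logged at all.
iptables -A syn_flood -m limit --limit 300/s --limit-burst 700 -j RETURN
iptables -A syn_flood -m limit --limit 10/s --limit-burst 20 -j LOG --log-prefix "SYNFLOOD:"
iptables -A syn_flood -j DROP
# An older, commented-out variant used "-m iplimit" on port 20123; iplimit is
# obsolete and connlimit (used above) is its replacement.

# ICMP: accept a bounded ping rate, log a bounded sample of the excess, drop the rest.
iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j LOG --log-prefix "PING-DROP:"
iptables -A INPUT -p icmp -j DROP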

wycięcie 1 IP:

# Block a single abusive source. -I (not -A) puts the rule at the head of INPUT,
# so it takes precedence over the ACCEPT rules appended earlier; position 1 is
# the default for -I and is spelled out here only for clarity.
iptables -I INPUT 1 -s 91.121.90.1 -j DROP

zapisanie regułek:

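# Persist the running ruleset for iptables-restore at boot.
# A bare `iptables-save > file` truncates the saved set before iptables-save
# even runs, so a failure (not root, netfilter module missing) would leave an
# empty file for the next boot. Write to a temporary file in the same directory
# and move it into place only on success; the mv replaces the old file atomically.
iptables_conf=/etc/iptables.conf
tmp_conf=$(mktemp "${iptables_conf}.XXXXXX") || exit 1
if iptables-save > "$tmp_conf"; then
  mv -f -- "$tmp_conf" "$iptables_conf"
else
  rm -f -- "$tmp_conf"
  printf 'iptables-save failed; %s left unchanged\n' "$iptables_conf" >&2
  exit 1
fi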

wrzucenie regułek na starcie systemu (w /etc/network/interfaces):

# /etc/network/interfaces stanza (Debian/Ubuntu ifupdown). The addresses below
# are placeholders — substitute the real ones before use.
auto eth0
iface eth0 inet static
        address 1.1.1.1
        netmask 255.255.255.0
        # NOTE(review): 2.2.2.2 is not the network address of 1.1.1.1/255.255.255.0
        # (that would be 1.1.1.0) — confirm before copying this stanza.
        network 2.2.2.2
        broadcast 1.1.1.255
        gateway 1.1.1.254
        # Restore the saved rules before the interface comes up, so eth0 is
        # never reachable with an empty ruleset. iptables-restore flushes the
        # existing tables unless --noflush is given.
        pre-up iptables-restore < /etc/iptables.conf

https://help.ubuntu.com/community/IptablesHowTo

http://otland.net/blogs/don+daniello/linux-anti-ddos-iptables-rules-841/
