DDoS protection, TEST!

Axelor (Member, joined Sep 2, 2010)
Hello,

Would this help to have less DoS and DDoS?

It's not tested yet.

Bash:
#!/bin/sh

INTERNET="eth0"
IPTABLES="iptables"
LAN="eth1"

# Flush all chains (filter table only; nat/mangle are untouched)
$IPTABLES --flush

# Loopback is un firewalled
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow unlimited local traffic
$IPTABLES -A INPUT -i $LAN -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -j ACCEPT

# Allow follow up requests
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Throttle inbound ssh connections
# "-I" inserts at the top of the chain, so the DROP rule below ends up ABOVE the --set rule.
# Each throttle gets its own --name; without it ssh and DNS hits would share the DEFAULT list.
$IPTABLES -I INPUT -p tcp --dport 22 -i $INTERNET -m state --state NEW -m recent --name SSH --set
# Drop packets after second attempt ( 3rd try fails )
$IPTABLES -I INPUT -p tcp --dport 22 -i $INTERNET -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 2 -j DROP

# Allow incoming port 22 (ssh) connections from internet
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# DNS Rate limiter ( DoS protection )
# tcp and udp queries share the DNS list; one DROP rule per protocol
$IPTABLES -I INPUT -p tcp --dport 53 -i $INTERNET -m state --state NEW -m recent --name DNS --set
$IPTABLES -I INPUT -p udp --dport 53 -i $INTERNET -m state --state NEW -m recent --name DNS --set
$IPTABLES -I INPUT -p udp --dport 53 -i $INTERNET -m state --state NEW -m recent --name DNS --update --seconds 30 --hitcount 10 -j DROP
$IPTABLES -I INPUT -p tcp --dport 53 -i $INTERNET -m state --state NEW -m recent --name DNS --update --seconds 30 --hitcount 10 -j DROP


# Services :

# Allow DNS resolution and zone transfers with primary server
# Note: the --source-port 53 rules accept ANY inbound packet sent from port 53;
# replies to this host's own queries are already covered by the ESTABLISHED,RELATED rule above.
$IPTABLES -A INPUT -i $INTERNET -p udp --destination-port 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p udp --source-port 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p tcp --source-port 53 -j ACCEPT

$IPTABLES -A OUTPUT -o $INTERNET -p udp --source-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --source-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -j ACCEPT

# Allow web ( http and https )
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT

# allow outbound secure web
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT


# Default policies: everything not matched above is dropped
$IPTABLES --policy INPUT DROP
$IPTABLES --policy FORWARD DROP
$IPTABLES --policy OUTPUT DROP
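Added example (not part of the post): a small Python model of how the `-m recent --seconds/--hitcount` rules above count connection attempts, using constructed packet samples. It assumes the xt_recent semantics where `--update` counts the packets already recorded for a source (not the one being checked), and it can also run with both throttles sharing one list, which is what happens when `--name` is omitted as in the script as first posted.

```python
from collections import defaultdict

# Constructed model of iptables "-m recent" (assumption: xt_recent semantics, where
# --update/--rcheck count the stamps already stored, not the packet being checked).
class RecentList:
    def __init__(self):
        self.stamps = defaultdict(list)  # source address -> timestamps of earlier packets

    def set(self, src, now):
        """--set: record this packet for the source."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if >= N earlier packets are in the window.
        A matching --update records the current packet as well."""
        in_window = [t for t in self.stamps[src] if t >= now - seconds]
        if len(in_window) < hitcount:
            return False
        self.stamps[src].append(now)
        return True

# Throttle parameters from the script above: service -> (--seconds, --hitcount).
LIMITS = {"ssh": (60, 2), "dns": (30, 10)}

def run_throttle(packets, named_lists=True):
    """packets: constructed (time, src, service) tuples for NEW connections, in time order.
    Models the chain order "-I" produces: the DROP (--update) rule sits above the --set rule.
    named_lists=False reproduces a script without --name, where ssh and DNS share DEFAULT."""
    lists = defaultdict(RecentList)
    verdicts = []
    for now, src, service in packets:
        seconds, hitcount = LIMITS[service]
        lst = lists[service if named_lists else "DEFAULT"]
        if lst.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
            continue
        lst.set(src, now)  # --set rule, then the plain ACCEPT rule for the port
        verdicts.append("ACCEPT")
    return verdicts

# Constructed samples: an ssh burst, and two DNS queries followed by a first ssh login.
SSH_BURST = [(0, "203.0.113.5", "ssh"), (5, "203.0.113.5", "ssh"),
             (9, "203.0.113.5", "ssh"), (70, "203.0.113.5", "ssh")]
DNS_THEN_SSH = [(0, "203.0.113.7", "dns"), (1, "203.0.113.7", "dns"), (2, "203.0.113.7", "ssh")]

if __name__ == "__main__":
    print(run_throttle(SSH_BURST))                        # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT']
    print(run_throttle(DNS_THEN_SSH, named_lists=False))  # shared list: ['ACCEPT', 'ACCEPT', 'DROP']
    print(run_throttle(DNS_THEN_SSH))                     # named lists: all 'ACCEPT'
```

The third ssh attempt within 60 seconds is dropped and the fourth, after the window has expired, goes through again; with a shared list, two ordinary DNS queries are enough to get the same client's first ssh login dropped.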
 
That's certainly not universal. What if my WAN connectivity is eth4?

This is not something that should be scripted as a utility. An experienced admin should make the if-pre-up.d and if-post-down.d scripts purpose-built by hand.
 