
Linux Efficient IP Tables to protect a Debian VPS

Tatuy1 (Member; joined Mar 24, 2014; 159 messages; 1 solution; 13 reaction score; location: México)
I have tried several iptables configurations to defend my server from DDoS attacks, but the result is massive kicks.
 
You have to protect all ports - not only 7171/7172, but also the ssh/sftp port and the http port. I use something like this and for now it works:
Code:
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --set --name LOGIN --rsource
iptables -A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --set --name GAME --rsource
iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP

IPTables will only help you when the DDoS attack doesn't exceed your bandwidth rate - if it does, there is nothing you can do besides renting a dedicated server/VPS with DDoS protection.

My best
 

Whoa, there is a slight error above, though it should work. But to be sure, here you have a proper script:
Code:
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name HTTP --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --set --name LOGIN --rsource
iptables -A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name LOGIN --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --set --name GAME --rsource
iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name GAME --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP
 
Thank you very much!!! But I have some problems. Look:
I tested with:
-A INPUT -j REJECT
-A FORWARD -j REJECT
to reject all other inbound traffic (default deny unless explicitly allowed policy), and the server did not allow me to connect.

And then, apparently using this configuration everything works properly:
Code:
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP, 7171, 7172 and SSH connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 7171 -j ACCEPT
-A INPUT -p tcp --dport 7172 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name HTTP --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --set --name LOGIN --rsource
-A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name LOGIN --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --set --name GAME --rsource
-A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name GAME --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

What do you think?
 
With my first test I used something like this:
Code:
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name HTTP --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --set --name LOGIN --rsource
-A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name LOGIN --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --set --name GAME --rsource
-A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name GAME --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --rttl --name SSH --rsource -j DROP
-A INPUT -j REJECT
-A FORWARD -j REJECT

But the problem is that it blocks all my access; maybe I needed:
Code:
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 7171 -j ACCEPT
-A INPUT -p tcp --dport 7172 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT

But I do not know if this is risky or whether it will give me the same problems as before. What do you recommend, my dear friend?
 
You should throw out all rules in IPTables and leave only the rules that I gave you. If you have an almost clean Ubuntu installation, it should work flawlessly.
IPTables is completely blocking access because of those lines:
Code:
-A INPUT -j REJECT
-A FORWARD -j REJECT
because it is ordered to reject all incoming and forwarded data. Clean the IPTables config, add the rules from post #4 and everything should work.
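As an added example (my own Python model, not code from the thread), here is a first-match walk of an INPUT chain with the `recent` module's --set/--update --seconds 1 --hitcount 15 semantics, run over a constructed SYN burst against the rule orders discussed above: the limiter-then-REJECT first test, the second config where the plain ACCEPT rules sit before the recent rules and therefore make the DROP rules unreachable, the first reply's mismatched --name SSH, and the recent rules placed before the ACCEPT rules. Addresses, timings and the simplified recent semantics (no --rttl, no per-entry stamp cap, only NEW SYNs) are assumptions of the model.

```python
from collections import Counter, defaultdict, namedtuple
# Model of how netfilter walks an INPUT chain (first match wins) with the `recent`
# module's --set / --update --seconds 1 --hitcount 15 logic used in the thread.
# Only NEW TCP SYNs are modelled; --rttl (TTL check) and the list size cap are ignored.
SECONDS, HITCOUNT = 1.0, 15
Rule = namedtuple("Rule", "kind dport name target", defaults=("plain", None, "", None))

def recent_update(lists, name, src, t):
    # --update matches only a source already in list NAME, and with --hitcount only if
    # >= HITCOUNT stamps fall inside the last SECONDS; this packet's own stamp is already
    # there because the --set rule for the same port precedes --update in the chain
    if src not in lists[name]:
        return False
    return sum(t - ts < SECONDS for ts in lists[name][src]) >= HITCOUNT

def verdict(chain, lists, src, dport, t, policy="ACCEPT"):
    for r in chain:
        if r.dport not in (None, dport):
            continue
        if r.kind == "set":
            lists[r.name][src].append(t)      # bare --set has no -j: record, keep walking
        elif r.kind == "update":
            if recent_update(lists, r.name, src, t):
                return r.target               # --update matched: -j DROP
        else:
            return r.target                   # ACCEPT / REJECT terminates the walk
    return policy                             # fell off the chain: the -P policy applies

def run(chain, packets):
    """Verdict counts for a list of (src, dport, t) SYNs against a fresh recent table."""
    lists = defaultdict(lambda: defaultdict(list))   # name -> source -> timestamps
    return Counter(verdict(chain, lists, *p) for p in packets)

PORTS = {80: "HTTP", 7171: "LOGIN", 7172: "GAME", 22: "SSH"}
def limiter(port, set_name, update_name):
    return [Rule("set", port, set_name), Rule("update", port, update_name, "DROP")]
ACCEPTS = [Rule(dport=p, target="ACCEPT") for p in PORTS]
LIMITERS = [r for p, n in PORTS.items() for r in limiter(p, n, n)]
MISMATCH = [r for p, n in PORTS.items() for r in limiter(p, n, "SSH")]  # first reply's typo
REJECT_ALL = [Rule(target="REJECT")]
CHAINS = {"mismatched names, no ACCEPT rules": MISMATCH,
          "limiters then REJECT (first test)": LIMITERS + REJECT_ALL,
          "ACCEPT before limiters (second config)": ACCEPTS + LIMITERS + REJECT_ALL,
          "limiters before ACCEPT": LIMITERS + ACCEPTS + REJECT_ALL}
# constructed traffic: 30 SYNs to 7171 within 0.6 s from one source, plus one normal login
FLOOD = [("203.0.113.5", 7171, i * 0.02) for i in range(30)]
LEGIT = [("198.51.100.7", 7171, 0.3)]
for label, chain in CHAINS.items():
    print(f"{label:40} {dict(run(chain, FLOOD + LEGIT))}")
```

Only the last ordering both drops the flooding source from its 15th new connection within a second and still accepts the normal client; the other three either accept everything or reject the normal client too.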
 