
Linux Help with IPTables

Dankoo (Active Member, joined Sep 4, 2010):
I'm running:

Linux myserver 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux

with apt-get update, upgrade and dist-upgrade

I'm facing some issues. First, what's the best iptables rule set? (Maybe another one not listed? Please, which?)

Don daniello's [Linux] Anti DDoS iptables rules
Code:
#!/bin/sh
# Save this file with Unix (LF) line endings. With Windows CRLF endings every rule
# ends in "DROP<CR>", which iptables rejects as "Invalid target name `DROP".
# The rate-limit ACCEPT rules below only have an effect if a later rule or the
# chain policy drops what falls through them; this script sets neither.

echo "Block TCP-CONNECT scan attempts (SYN bit packets)"
# Disabled: this drops every SYN, i.e. every new inbound connection to the server.
#iptables -A INPUT -p tcp --syn -j DROP
echo "Block TCP-SYN scan attempts (only SYN bit packets)"
# Disabled: a SYN with no other flag set is also how every legitimate client connects.
#iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
echo "Block TCP-FIN scan attempts (only FIN bit packets)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
echo "Block TCP-ACK scan attempts (only ACK bit packets)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
echo "Block TCP-NULL scan attempts (packets without flag)"
# ALL/NONE replaces the "--tcp-flags ! ..." negation that iptables 1.4.4 warns is deprecated.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
echo "Block 'Christmas Tree' TCP-XMAS scan attempts (packets with FIN, URG, PSH bits)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP

echo "Block DOS - Ping of Death"
# The original rule ACCEPTed here; oversized echo requests are now dropped. The
# 1024-byte threshold is an assumption (a normal ping is 84 bytes on the wire).
iptables -A INPUT -p ICMP --icmp-type echo-request -m length --length 1025:65535 -j DROP
echo "Block DOS - Teardrop"
iptables -A INPUT -p UDP -f -j DROP
echo "Block DDOS - SYN-flood"
# "iplimit" was renamed "connlimit"; the old module does not ship with iptables 1.4.4.
iptables -A INPUT -p TCP --syn -m connlimit --connlimit-above 9 -j DROP
echo "Block DDOS - Smurf"
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# The option is --pkt-type; "--pkttype" is the "unknown option" in the output below.
iptables -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
echo "Block DDOS - UDP-flood (Pepsi)"
iptables -A INPUT -p UDP --dport 7 -j DROP
iptables -A INPUT -p UDP --dport 19 -j DROP
echo "Block DDOS - SMBnuke"
iptables -A INPUT -p UDP --dport 135:139 -j DROP
iptables -A INPUT -p TCP --dport 135:139 -j DROP
echo "Block DDOS - Connection-flood"
# Together with the rule above this allows 3 concurrent connections per source IP,
# which is tight for several players behind one NAT.
iptables -A INPUT -p TCP --syn -m connlimit --connlimit-above 3 -j DROP
echo "Block DDOS - Fraggle"
iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
echo "Block DDOS - Jolt"
iptables -A INPUT -p ICMP -f -j DROP

stian's http://otland.net/f138/limit-number-connections-dos-prevention-103408/
Code:
iptables -N conn-flood
iptables -I INPUT 1 -p tcp --syn -j conn-flood
iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A conn-flood -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

When I execute them I receive:

Don Daniello's:

root@myserver:/home/myserver/server# ./ddos.sh
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: Couldn't load match `iplimit':/lib/xtables/libipt_iplimit.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: unknown option `--pkttype'
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: Couldn't load match `iplimit':/lib/xtables/libipt_iplimit.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.

stian's:
root@myserver:/home/myserver/server# ./ddos.sh
Bad argument `syn'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `limit'
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.4: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
 
Code:
iptables -N conn-flood
iptables -I INPUT 1 -p tcp --syn -j conn-flood
iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A conn-flood -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
Fewer rules = less CPU usage during a heavy attack :p You don't need most of the rules in that other set anyway :p
 
Ok.

When I execute line by line, it's ok.

But when I try to create a .sh file and execute it, I receive the errors posted above... lol
 
They're stian's, not mine.
Be aware that the limit module doesn't perform rate limiting based on source IP address, resulting in global limiting being applied (which makes it very easy to deny your services).

Consider using hashlimit instead.
 
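Two things in the thread lend themselves to a worked script, so here is one, added by the editor and not code from any of the posters: a per-source SYN limiter built on hashlimit, as suggested above, in place of the global limit rule (a single host that exhausts a shared 7/s budget takes the service down for everyone), and a lint for the symptom "runs fine line by line, fails as a .sh file". The `'ptables v1.4.4: Invalid target name `DROP` lines in the output earlier are the signature of CRLF line endings: iptables receives `DROP<CR>` as the target, and the carriage return in its error message moves the cursor back to column 0 so the closing quote overwrites the "i". The "Bad argument `syn'" lines are the en dashes a web page substitutes for `--`. The chain name `syn-flood`, the hashlimit table name, and the 7/s and burst-20 numbers (taken from stian's rules) are assumptions; the `ipt` wrapper defaults to printing rules instead of applying them so the script can be reviewed without root.

```shell
#!/bin/sh
# Editor-added example, not code from the thread. Chain name, hashlimit table name
# and rates are assumptions. Set DRY_RUN=0 to actually apply the rules.
set -eu

# With DRY_RUN=1 (the default here) print the iptables command instead of running it.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Per-source SYN limiter. Each source IP gets its own 7/s budget with a burst of 20,
# so a flooding host only throttles itself. With "-m limit" the same 7/s budget is
# shared by every client on the Internet, which is the problem noted above.
install_syn_limit() {
    ipt -N syn-flood
    ipt -A syn-flood -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip \
        --hashlimit-upto 7/sec --hashlimit-burst 20 -j RETURN
    ipt -A syn-flood -j DROP
    ipt -I INPUT 1 -p tcp --syn -m conntrack --ctstate NEW -j syn-flood
}

# Check a rules script for the two defects that only bite when it is run as a file:
#  * CRLF line endings: iptables sees "DROP<CR>" and reports "Invalid target name `DROP"
#    (the <CR> returns the cursor to column 0, so the line shows up as "'ptables ...");
#  * en dashes (U+2013) pasted from a web page where "--" was meant, giving "Bad argument".
# Prints one finding per defect and returns 1 if anything was found, 0 if the file is clean.
lint_rules() {
    f=$1
    rc=0
    cr=$(printf '\r')
    endash=$(printf '\342\200\223')
    if grep -q "$cr" "$f"; then
        printf '%s: CRLF line endings (fix: tr -d "\\r" < %s > %s.tmp && mv %s.tmp %s)\n' \
            "$f" "$f" "$f" "$f" "$f"
        rc=1
    fi
    if grep -q "$endash" "$f"; then
        printf '%s: en dash found where "--" was meant (fix: sed -i "s/\\xe2\\x80\\x93/--/g" %s)\n' \
            "$f" "$f"
        rc=1
    fi
    return $rc
}
```

Usage: `. ./ddos-tools.sh; lint_rules ddos.sh` reports the problems before you run the script, and `install_syn_limit` prints the four rules for review; `DRY_RUN=0 install_syn_limit` as root installs them. The limiter is inserted at position 1 of INPUT so it runs before any ACCEPT rule, and the `--ctstate NEW` match keeps retransmitted SYNs of already-tracked connections out of the per-source budget.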
Cyko, you are pro, I know that :P

Can you make an iptables which is configured? Because I suck and don't understand much :P

Thanks.
 
I don't have the knowledge to do that :(

If you had a server, how would you configure it? Or any links to good ones?
 