
[Linux] Firewall - DDOS - Flood - Some Protection

Bosphorus (Member, joined Oct 15, 2010)
Good Night!

I'll be explaining here, in this simple tutorial, a small firewall to protect your server.
I'm no expert on the subject, but I will give some tips here.
This firewall works on policy DROP (deny) and allows only the necessary.
This is quite logical, because if you will not use it, why leave it open?

Come on, hands to work!

Create the file at this path.
Code:
cd /etc/init.d/
vi firewall.sh  (USE YOUR EDITOR)

Edit firewall.sh and copy these lines.
Code:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables firewall, default policy DROP
### END INIT INFO

########################################
#               Firewall               #
########################################

# Variables

# External interface (YOUR NETWORK INTERFACE)
if_ext=eth0

# Start from an empty rule set, so running the script twice does not
# duplicate rules
iptables -F
iptables -X

# Default policy - DROP

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ------------------------------------------------

# Protection against SYN floods (TCP syncookies)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore ICMP
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Rules are appended (-A) in the order they are evaluated, so every limit
# comes before the ACCEPT rule it protects

# Allow access to localhost
iptables -A INPUT -i lo -j ACCEPT

# Allow connections from origin (replies and packets of established connections)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop packets that conntrack cannot associate with any connection
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Block TCP-NULL scan attempts (packets without flags)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Block "Christmas Tree" TCP-XMAS scan attempts (packets with FIN, URG, PSH bits)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Block TCP-FIN scan attempts (only FIN bit packets)
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

# Block TCP-ACK scan attempts (only ACK bit, no existing connection)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL ACK -j DROP

# TCP-SYN scans need no rule of their own: a lone SYN to a port not opened
# below is dropped by the default policy. Do not add "-p tcp --syn -j DROP"
# here, it would also block every new connection to the game ports.

# Block DOS - Teardrop (fragmented UDP)
iptables -A INPUT -p udp -f -j DROP

# Block DDOS - Jolt (fragmented ICMP)
iptables -A INPUT -p icmp -f -j DROP

# Block DDOS - Smurf / Fraggle (broadcast packets of any protocol)
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Answer ping at a limited rate only (no effect while icmp_echo_ignore_all=1 above)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT

# Block DDOS - SMBnuke
iptables -A INPUT -p udp --dport 135:139 -j DROP
iptables -A INPUT -p tcp --dport 135:139 -j DROP

# Block DDOS - SYN-flood: no more than 9 parallel connections per source
# address (the old iplimit match is called connlimit now)
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 9 -j DROP

# Limit connections: a source that opens 20 new TCP connections within
# 3 seconds is dropped (own list name, so it does not mix with the one below)
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name newconn --set
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name newconn --update --seconds 3 --hitcount 20 -j DROP

# Limit connections on Tibia ports: above 10 parallel connections the source
# is rejected and stays rejected for 60 seconds
iptables -A INPUT -p tcp -m recent --name tibia_abuse --rcheck --seconds 60 -j REJECT
iptables -A INPUT -p tcp --dport 7171 -m connlimit --connlimit-above 10 -m recent --name tibia_abuse --set -j REJECT
iptables -A INPUT -p tcp --dport 7172 -m connlimit --connlimit-above 10 -m recent --name tibia_abuse --set -j REJECT

# Allow external access to ports
iptables -A INPUT -i $if_ext -p tcp --dport 80 -j ACCEPT   # HTTP
iptables -A INPUT -i $if_ext -p tcp --dport 7171 -j ACCEPT # TIBIA
iptables -A INPUT -i $if_ext -p tcp --dport 7172 -j ACCEPT # TIBIA GAME PORT

# Allow SSH (PUTTY)
iptables -A INPUT -i $if_ext -p tcp --dport 22 -j ACCEPT

# Fraggle: any other UDP is accepted at a limited rate only
# (this opens every UDP port at that rate; remove it if the server needs no UDP)
iptables -A INPUT -p udp -m limit --limit 3/s -j ACCEPT

# Log the rest of the connections before the default policy drops them
# (rate-limited, so a flood cannot fill the log)
iptables -A INPUT -i $if_ext -m limit --limit 5/min -j LOG --log-prefix "FIREWALL: dropped -> "

Save the file.

Now, make it executable.
Code:
chmod +x firewall.sh

Now, make it start with the server.
Code:
update-rc.d firewall.sh defaults

You can now execute your firewall with this command.
Code:
sh firewall.sh

You can see the DROP logs with
Code:
cat /var/log/messages

Ready.

This is just a short tutorial on how to make your server more secure.
If something is wrong, please let me know!
Any questions, post them here.
This does not solve 100% of DDOS attacks.


If this helped, give me reputation.
Thanks


Credits: Stian and Don Daniello
(Some rules)
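The LOG rule at the end of the script writes one syslog line per dropped packet, and reading them with cat quickly becomes useless under a flood. The script below is an added example and is not part of Bosphorus's post: it summarises those lines by source address, protocol and destination port. It assumes the standard field layout of the kernel LOG target (SRC=, PROTO=, DPT=) and only keys on the word "FIREWALL:" from the prefix; the five sample log lines are constructed, with documentation-range addresses, not real traffic.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines (e.g. from /var/log/messages).
# Usage: sh fwlog.sh /var/log/messages   (no argument: runs on the constructed sample)

# Constructed sample in the layout the kernel LOG target produces (not real traffic).
# The last line is ordinary sshd noise and must be ignored.
SAMPLE_LOG='Oct 16 03:12:01 game kernel: [ 1201.000001]  - FIREWALL: droped -> IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=7172 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 16 03:12:01 game kernel: [ 1201.000002]  - FIREWALL: droped -> IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=7172 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 16 03:12:02 game kernel: [ 1202.000001]  - FIREWALL: droped -> IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 03:12:03 game kernel: [ 1203.000001]  - FIREWALL: droped -> IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5000 DPT=137 LEN=40
Oct 16 03:12:04 game sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2'

# Reads log lines on stdin; prints "count SRC PROTO DPT", most frequent first.
# Lines without the firewall prefix are ignored; ICMP has no DPT and shows "-".
fw_drop_summary() {
    grep 'FIREWALL:' | awk '
        {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Reads log lines on stdin; prints "count SRC", the addresses dropped most often first.
fw_top_sources() {
    grep 'FIREWALL:' | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++ }
        END { for (s in c) print c[s], s }
    ' | sort -k1,1nr -k2
}

if [ "$#" -gt 0 ]; then
    cat -- "$@" | fw_drop_summary
else
    # No file given: demonstrate on the constructed sample
    printf '%s\n' "$SAMPLE_LOG" | fw_drop_summary
fi
```

On the sample this prints `2 198.51.100.23 TCP 7172` first, which is the kind of line worth acting on: one address repeatedly hitting the game port after the limits rejected it. Run it against the real file with `sh fwlog.sh /var/log/messages`, or feed `grep FIREWALL /var/log/messages | tail -n 1000` into it to look at the last thousand drops only.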
 
Code:
iptables v1.4.12: Unknown TCP flag `!'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12: unknown option "--pkttype"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12: Couldn't load match `iplimit':No such file or directory
Using Ubuntu Server 12.04 64bit
 
You should contact your ISP and have the traffic dropped on the backbone before it hits you. If you're at the point where your firewall has to drop the traffic, then it's already consuming your available bandwidth and using your system's resources.

That's the only "bulletproof" way.
 
how to deactivate?
You can use the commands below to clear all the rules or implement the code into your script 👍

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
 
Why, since installing this on my server, does it take a long time to connect, and why can't more than 3 mc be opened?
 
# Ignore ICMP
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

🤬

Either
You know exactly what this does, and you're an ass.
Or
You really don't know everything this does, and you're the blind leading the blind.

The typical reasons to drop ICMP completely do not apply to the typical "sysadmins" who are gonna come across this and run it cargo-cult, because they are gonna be running a realmap server with a website, and so any attacker actually interested in them is already gonna know the host exists and is alive by virtue of port 80 and port 7171 alone, or already knew exactly who they were by a side band, say like being their competitor, or an amok tweenager turned skiddie with nothing better to do because of their impoverished state.

👉Do not do this.
👉'Perceived' security
👉Disabling the full ICMP protocol may not be a good approach
👉JUST SAY NO TO CARGO CULT SYSOPS

Use this sysctl instead: net.ipv4.icmp_echo_ignore_broadcasts = 1, because it's safe to suggest as a default, and anyone looking at IPTables should be looking at sysctl too.

Imperative elucidation
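The reply above argues for icmp_echo_ignore_broadcasts rather than icmp_echo_ignore_all, and the original post already sets tcp_syncookies. The script below is an added example, not from anyone in this thread: it audits those three kernel settings against a baseline and renders the corrected values as a sysctl.d fragment. The baseline values are my choice following this reply and the original post, the function names are mine, and the settings are read as files under proc/sys of a root directory you pass in, so the check works on the live system (root `/`) as well as on the constructed sample tree the script builds for its own demonstration.

```shell
#!/bin/sh
# Added example: audit the ICMP/SYN-cookie sysctls discussed in this thread.
# Usage: sh sysctl-audit.sh            (demonstrates on a constructed tree)
#        audit_sysctl /                (from a shell that sourced this file)

# Baseline, key=value per line: answer unicast ping, ignore broadcast ping
# (Smurf amplification), keep SYN cookies on. Chosen by the example author.
SYSCTL_BASELINE='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_all=0
net.ipv4.tcp_syncookies=1'

# Prints one line per baseline key: "OK key=value",
# "MISMATCH key current=X expected=Y" or "MISSING key".
# $1 is the directory that contains proc/sys (default: /, the live kernel).
audit_sysctl() {
    root="${1:-/}"
    printf '%s\n' "$SYSCTL_BASELINE" | while IFS='=' read -r key expected; do
        # sysctl keys map to paths: net.ipv4.x -> proc/sys/net/ipv4/x
        path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key"
        elif [ "$(cat "$path")" = "$expected" ]; then
            echo "OK $key=$expected"
        else
            echo "MISMATCH $key current=$(cat "$path") expected=$expected"
        fi
    done
}

# Number of baseline keys that are not OK (0 means the host matches the baseline).
audit_sysctl_failures() {
    audit_sysctl "$1" | grep -c -v '^OK ' || true
}

# Renders the baseline in the "key = value" form of /etc/sysctl.d/*.conf.
render_sysctl_fragment() {
    echo "# Drop replies to broadcast pings (Smurf amplification) but keep normal ping working"
    printf '%s\n' "$SYSCTL_BASELINE" | sed 's/=/ = /'
}

# Builds a constructed proc/sys tree that mirrors what the tutorial's script
# leaves behind (icmp_echo_ignore_all=1). A sandbox, not the live kernel.
make_sample_tree() {
    mkdir -p "$1/proc/sys/net/ipv4"
    echo 1 > "$1/proc/sys/net/ipv4/icmp_echo_ignore_all"
    echo 0 > "$1/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$1/proc/sys/net/ipv4/tcp_syncookies"
}

# Demonstration on the constructed tree; on a real host run: audit_sysctl /
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_sysctl "$demo_dir"
echo "failures: $(audit_sysctl_failures "$demo_dir")"
rm -rf "$demo_dir"
```

On the constructed tree the audit reports two MISMATCH lines (ignore_all is on, ignore_broadcasts is off) and one OK, which is exactly the state the tutorial's `echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all` produces. To make the corrected values survive a reboot, write the output of `render_sysctl_fragment` to a file under /etc/sysctl.d/ and load it with `sysctl --system`, rather than echoing into /proc from a firewall script.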
 