AntiDDoS Iptables Rules

lilsheep
New to forums
Posts: 3
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Tue Jul 18, 2023 10:34 am
Location: Spain, Andalucia.


Post by lilsheep »

These are some old rules I made for a proxy I had.
You just need to replace the 9900 numbers (which are the dport) with the port you want to protect on your server; for example, if you have a Minecraft server running on port 25565 (default port) you will need to replace 9900 with 25565.

Also, you will need to replace this 51.161.98.214/32 with your VPS IP; for example, if my VPS IP is 192.168.1.1 (example IP) then you will have to make it look like this: 192.168.1.1/32.



First do this command:
nano /etc/ssh/sshd_config

Now it will open a file in your terminal. Search for these 3 lines and change the values you have to the ones right here; you can use Ctrl+W to search in nano.

LoginGraceTime 30s
MaxAuthTries 3
MaxSessions 99999
MaxStartups 500000


Once you have changed that, press Ctrl+X to close nano, press "y" to save changes and then press Enter.
This will help mostly with socket attacks on your SSH port.

Now enter this command in your terminal:
nano /etc/sysctl.conf

And paste all this on the last line:


net.ipv4.icmp_echo_ignore_all = 1
net.netfilter.nf_conntrack_max = 20000000
net.core.somaxconn = 20000000
net.netfilter.nf_conntrack_tcp_timeout_established = 10
This will do the following:
- net.ipv4.icmp_echo_ignore_all = 1: ignores ICMP echo requests (ping) sent to the system.

- net.netfilter.nf_conntrack_max = 20000000: sets the maximum number of tracked connections in the netfilter connection tracking table to 20 million.

- net.core.somaxconn = 20000000: sets the maximum number of connections that can be queued for acceptance by a listening socket to 20 million. (Helps a lot against your VPS crashing when it's going through a socket attack.)

- net.netfilter.nf_conntrack_tcp_timeout_established = 10: sets the timeout value for established TCP connections to 10 seconds. (This basically will close idle connections when 10 seconds have passed; I would lower the value a little if your VPS specs are low.)


Now run these commands to reload all the new config.


systemctl restart ssh
sysctl -p
sysctl -p /etc/sysctl.conf
Now we come to the rules. Remember what I said: you need to change the ports and the IP address.


iptables -t mangle -A PREROUTING -p tcp -m length --length 74:400 --syn -m tcpmss --mss 1460 -m connlimit --connlimit-above 2 --connlimit-mask 16 -j DROP
iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK,PSH,RST,FIN,URG SYN -m connlimit --connlimit-above 2 -j DROP
iptables -A PREROUTING -t mangle -p tcp --dport 9900 -m state --state NEW -m recent --set
iptables -A PREROUTING -t mangle -p tcp --dport 9900 -m state --state NEW -m recent --update --seconds 12 --hitcount 2 -j DROP

iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A PREROUTING -p tcp --syn -m conntrack --ctstate NEW -m tcpmss --mss 1453:1470 --dport 9900 -m connlimit --connlimit-above 2 -j DROP

iptables -A INPUT -d 51.161.98.214/32 -p tcp -m tcp --dport 9900 --tcp-flags SYN,ACK SYN -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name rangelimit --hashlimit-htable-expire 300000 --hashlimit-srcmask 24 -j DROP


iptables -t mangle -A PREROUTING -p tcp --dport 9900 -m state --state NEW -m bpf --bytecode "23,48 0 0 0,84 0 0 240,21 19 0 96,48 0 0 0,84 0 0 240,21 0 16 64,48 0 0 9,21 0 14 17,40 0 0 6,69 12 0 8191,177 0 0 0,72 0 0 2,21 0 9 1194,80 0 0 8,21 0 7 56,80 0 0 17,21 0 5 0,64 0 0 18,21 0 3 352,128 0 0 0,53 0 1 90,6 0 0 65535,6 0 0 0 " -m connlimit --connlimit-upto 1 --connlimit-mask 24  -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -m multiport --dports 1:65535 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/min --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name portlimit --hashlimit-htable-expire 120000 --hashlimit-srcmask 24 -j ACCEPT



# In both programs below the jump "21 0 9900 1" cannot load: jt/jf are 8-bit jump offsets, and every other
# conditional jump in this 50-instruction program lands on the final "ret #0" (instruction 49), which for
# instruction 26 means jf = 22. Corrected here so the kernel accepts the filter; the port is set by --dport.
iptables -t mangle -A PREROUTING -p tcp -m state --state NEW --syn --dport 9900 -m bpf --bytecode "50,0 0 0 0,48 0 0 8,37 46 0 128,37 0 45 93,48 0 0 0,84 0 0 15,21 0 42 5,48 0 0 9,21 0 40 6,40 0 0 6,69 38 0 8191,177 0 0 0,80 0 0 27,21 0 35 8,80 0 0 12,116 0 0 4,21 0 32 8,80 0 0 20,21 0 30 2,80 0 0 24,21 0 28 1,80 0 0 25,21 0 26 3,80 0 0 28,21 0 24 1,80 0 0 29,21 0 22 1,80 0 0 30,21 0 20 4,48 0 0 6,69 0 18 64,69 17 0 128,40 0 0 2,2 0 0 15,48 0 0 0,84 0 0 15,36 0 0 4,7 0 0 0,96 0 0 15,28 0 0 0,2 0 0 3,177 0 0 0,80 0 0 12,116 0 0 4,36 0 0 4,7 0 0 0,96 0 0 3,29 0 1 0,6 0 0 65536,6 0 0 0," -m connlimit --connlimit-above 2 --connlimit-mask 16 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m state --state NEW --syn --dport 9900 -m bpf --bytecode "50,0 0 0 0,48 0 0 8,37 46 0 64,37 0 45 29,48 0 0 0,84 0 0 15,21 0 42 5,48 0 0 9,21 0 40 6,40 0 0 6,69 38 0 8191,177 0 0 0,80 0 0 27,21 0 35 8,80 0 0 12,116 0 0 4,21 0 32 8,80 0 0 20,21 0 30 2,80 0 0 24,21 0 28 1,80 0 0 25,21 0 26 3,80 0 0 28,21 0 24 1,80 0 0 29,21 0 22 1,80 0 0 30,21 0 20 4,48 0 0 6,69 0 18 64,69 17 0 128,40 0 0 2,2 0 0 15,48 0 0 0,84 0 0 15,36 0 0 4,7 0 0 0,96 0 0 15,28 0 0 0,2 0 0 3,177 0 0 0,80 0 0 12,116 0 0 4,36 0 0 4,7 0 0 0,96 0 0 3,29 0 1 0,6 0 0 65536,6 0 0 0," -m connlimit --connlimit-upto 2 --connlimit-mask 24 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Default-deny for anything not accepted above. The ESTABLISHED rule is "-p tcp" only, so with this
# policy non-TCP packets (UDP, ICMP) arriving at the VPS are dropped as well.
iptables -t mangle -P PREROUTING DROP

# This chain is created but no rule in this post jumps to it (there is no "-A INPUT -j limit-by-ip-chain"),
# so it has no effect until something does; rules appended after the first unconditional DROP are never reached.
iptables --new-chain limit-by-ip-chain
iptables -A limit-by-ip-chain -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name per_ip_conn_rate_limit -j ACCEPT
iptables -A limit-by-ip-chain -j DROP
iptables -A limit-by-ip-chain -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name per_ip_conn_rate_limit -j ACCEPT
iptables -A limit-by-ip-chain -j DROP

I know it's a lot of things and you might be scared; if you have any question just reply to this thread and I will be glad to help. Also, if somehow it kicks you out of your VPS, iptables rules get deleted when you restart your VPS, so don't worry about it (that will be very rare btw).

Also, if when introducing any rule it gives some kind of error, I'll fix it for you, as it can vary in some OS.
This patches 99% of DDoS attacks, so if you were having that problem with nfo you probably won't have it anymore.
Also, if you had any past iptables rules, please do:


iptables -F
iptables -X
iptables -t mangle -F   # the rules in this post live in the mangle and raw tables, not only in filter
iptables -t raw -F
To clean them all.
Also put the rules in the order they are in this post and do them one by one.

If this helped you lmk :)