A Complete iptables Firewall Ruleset with DDoS Attack Protection
1. Kernel tuning
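# Answer SYNs with SYN cookies once the SYN backlog is full
net.ipv4.tcp_syncookies = 1
# Do not retransmit outgoing SYNs or SYN-ACKs
net.ipv4.tcp_syn_retries = 0
net.ipv4.tcp_synack_retries = 0
# Larger SYN backlog and input packet queue
net.ipv4.tcp_max_syn_backlog = 65535
net.core.netdev_max_backlog = 65535
# TIME_WAIT handling. tcp_tw_recycle breaks clients behind NAT and was removed
# in Linux 4.12; tw_reuse and tw_recycle both rely on TCP timestamps, which the
# tcp_timestamps line below turns off.
net.ipv4.tcp_max_tw_buckets = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
# Shorter keepalive and FIN-WAIT-2 timers, wider local port range
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65535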
2. Firewall configuration
*filter
:INPUT DROP [4:261]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1384:1035760]
-A INPUT -i lo -j ACCEPT
# Drop NEW TCP packets that are not plain SYNs
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Drop port-80 traffic from any /24 that already holds more than 20 connections
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
# Record every new port-80 connection per source address in the "ddos" list,
# then log and drop sources that reach 30 new connections within 60 seconds
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name ddos --rsource
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 --name ddos --rsource -j LOG --log-prefix "ddos"
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 --name ddos --rsource -j DROP
# Drop ICMP timestamp request (13) and reply (14), accept all other ICMP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
# Accept packets that belong to connections already being tracked
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Published services: FTP, SSH, HTTP, HTTPS, DNS
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
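The LOG rule above writes one kernel log line per matched packet, and because the prefix "ddos" has no trailing space it is fused to the first field as ddosIN=. As an added example (not part of the original article), the script below tallies those lines per source address and per /24, the same mask the connlimit rule uses; the function names and the abbreviated sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise packets logged by the rule with --log-prefix "ddos".

# Constructed, abbreviated kernel log lines (documentation address ranges).
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 web1 kernel: ddosIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=80 WINDOW=29200 SYN URGP=0
Jan 12 03:14:07 web1 kernel: ddosIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=80 WINDOW=29200 SYN URGP=0
Jan 12 03:14:08 web1 kernel: ddosIN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51820 DPT=80 WINDOW=29200 SYN URGP=0
Jan 12 03:14:08 web1 sshd[811]: Accepted publickey for admin from 203.0.113.7 port 50122 ssh2
Jan 12 03:14:09 web1 kernel: ddosIN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=33001 DPT=80 WINDOW=14600 SYN URGP=0
Jan 12 03:14:09 web1 kernel: ddosIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40114 DPT=80 WINDOW=29200 SYN URGP=0
EOF
}

# ddos_sources [min_hits] < log
# Prints "hits source-ip", busiest first, for sources with at least min_hits
# logged packets. Only lines from the "ddos" LOG rule aimed at port 80 count.
ddos_sources() {
    awk -v min="${1:-1}" '
        / ddosIN=/ && / DPT=80 / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }' | sort -k1,1nr -k2,2
}

# ddos_networks < log
# Same tally grouped by /24, matching --connlimit-mask 24 in the ruleset.
ddos_networks() {
    ddos_sources 1 | awk '
        { split($2, o, "."); net[o[1] "." o[2] "." o[3] ".0/24"] += $1 }
        END { for (n in net) print net[n], n }' | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a real host, feed the kernel log.
sample_log | ddos_sources
```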
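3. Increasing the number of IP addresses the recent module records (maximum 8100)
# vi /etc/modprobe.conf
# Add the following line
options ipt_recent ip_list_tot=3000 ip_pkt_list_tot=60
Here we can tune two parameters:
1) The maximum number of tracked connection entries, CONNTRACK_MAX
2) The size of the hash table that stores the tracked connection entries, HASHSIZE
3) By default, CONNTRACK_MAX = HASHSIZE * 8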
# vi /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max = 1048576
# vi /etc/modprobe.conf
options ip_conntrack hashsize=131072