How to defend against SYN DDoS and Ping attacks using iptables
Configure firewall to prevent syn, ddos attacks
[root@m176com ~]# vim /etc/sysconfig/iptables
Add the following lines to the iptables configuration:
#anti syn,ddos
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Description: First line: allows up to 5 new connections per second (the limit module admits a burst of 5 SYN packets, then refills at 1 per second). Second line: rate-limits bare RST packets, which helps against various port scans. Third line: rate-limits ICMP echo requests (ping flood, labelled "Ping of Death" here), which can be adjusted or turned off as needed. Note that these rules only ACCEPT traffic within the limit; packets above the limit fall through to the rest of the chain, so they need a later DROP rule or a DROP chain policy to have any effect. The FORWARD chain also only sees traffic routed through this machine; to protect the host itself, use the INPUT chain.
Restart the firewall
[root@m176com ~]# /etc/init.d/iptables restart
Block an IP
# iptables -I INPUT -s 192.168.0.1 -j DROP
How to prevent others from pinging me?
# iptables -A INPUT -p icmp -j DROP
Prevent SYN packet floods (SYN flood)
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Prevent various port scans
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping Flood Attack (Ping of Death)
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
NMAP FIN/URG/PSH
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
Xmas Tree
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
Another Xmas Tree
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
Null Scan (possibly)
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
SYN/RST
# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
SYN/FIN -- Scan (possibly)
# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
Limit the rate of fragmented packets arriving at the host (`-f` matches the second and later fragments of a fragmented IPv4 packet)
# iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Limit the rate of fragmented packets being forwarded through the host
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
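The following POSIX shell script is an added example, not code from the original page. It assembles the rules above for a host that is itself the target and pairs every rate-limited ACCEPT with a DROP for the excess, which the page's rules on their own do not do. The function names (anti_flood_rules, scan_drop_rules, count_target, apply_rules) are mine; the script assumes the INPUT chain instead of FORWARD, drops the page's `-i eth0` so the scan rules apply on every interface, and only calls iptables when run as root without the `-n` (dry-run) flag.

```shell
#!/bin/sh
# Added example, not code from the original page. It builds the page's
# anti-flood and anti-scan rules for a host protecting itself and applies
# them only when explicitly allowed. Assumptions (mine, not the page's):
#  - rules go in INPUT, not FORWARD, because the host itself is the target;
#  - every rate-limited ACCEPT is followed by a DROP for the excess, since
#    "-m limit ... -j ACCEPT" on its own never drops anything;
#  - no "-i eth0", so the scan rules apply on every interface.

# Rate limits: new connections (SYN), bare RST packets, and ICMP echo requests.
anti_flood_rules() {
    cat <<'EOF'
-A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p tcp --syn -j DROP
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
}

# Flag combinations that no legitimate TCP stack sends; drop them outright.
scan_drop_rules() {
    cat <<'EOF'
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
EOF
}

# count_target RULE_FUNC TARGET: how many rules from RULE_FUNC end in "-j TARGET".
count_target() {
    "$1" | grep -c -- "-j $2\$" || true
}

# apply_rules [-n]: with -n (or without root/iptables) only print the rules;
# otherwise feed each line to iptables. Scan drops go first so that malformed
# packets never reach the rate-limited ACCEPT rules.
apply_rules() {
    if [ "${1:-}" != "-n" ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        { scan_drop_rules; anti_flood_rules; } | while IFS= read -r rule; do
            # shellcheck disable=SC2086  # splitting the rule into arguments is intended
            iptables $rule
        done
    else
        echo "# dry run: rules that would be applied, in order"
        scan_drop_rules
        anti_flood_rules
    fi
}

# Stand-alone use: "sh script.sh --show" prints the rules without touching the firewall.
if [ "${1:-}" = "--show" ]; then
    apply_rules -n
fi
```

The 1/s limits are the page's values; on a busy server they would throttle legitimate clients as well, so the rate and burst should be sized to the host's normal connection rate before the DROP rules are added. Keep in mind that the rules are appended, so an existing ACCEPT rule earlier in INPUT (for example one matching ESTABLISHED connections) still takes precedence, which is usually what you want.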
The above is the detailed content of How to defend against SYN DDoS and Ping attacks using iptables. For more information, please follow other related articles on the PHP Chinese website!