-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all,
I think about implementing a rule chain that protects me against DoS attacks. Well, I think that this may be done by putting all source addresses having more SYN packets send to me than normally (e.g. 60 syn-packets maximum). Every host sending more syn packets a minute should be dropped since then completely by putting its address into a special pool. Then all/any packets caused by this host should be log'n'dropped out. I unfortunately found no good rule chains that works fine so I hope that anyone can help me. This is the one I put into my firewall: iptables -N AutoDeny iptables -A AutoDeny -j LOG --log-prefix 'fw-auto-denied: ' iptables -A AutoDeny -j DROP iptables -N ChkAutoDeny iptables -A ChkAutoDeny -m recent --rcheck -j AutoDeny iptables -N Add2AutoDeny iptables -A Add2AutoDeny -m recent --set --name AutoDeny -j AutoDeny iptables -N AntiDoS iptables -A AntiDoS -m recent --set --name SYNs iptables -A AntiDoS -m recent --hitcount 60 --name SYNs -j Add2AutoDeny # allow "all" already established connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # put in the auto-deny-list checking iptables -A INPUT -m state --state NEW -j ChkAutoDeny # do check for new hosts to be auto denied iptables -A INPUT -m state --state NEW -j AntiDoS So. That's it. But it unfortunately doesn't work correctly. Why? Does anyone have a different way? Perhaps using the iplimit, pool, or even the recent extension? btw: how long is a source address kept in a `recent list`??? (it's better if it's only dropped whenever _I_ want to have dropped it) Thanks in advance, Christian Parpart. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE8+ih1Ppa2GmDVhK0RAqjaAJ4m3Ie4RZyhIxcjPXXnraB9A3kzIgCeKyYl VV04RLXsGHTDWMRp/q0ogtE= =xiiI -----END PGP SIGNATURE-----
