[ale] DOS protection in iptables

Chris Fowler cfowler at outpostsentinel.com
Tue Apr 22 16:39:34 EDT 2014


I had someone today ask me about tracking DNAT connections. I modified 
the iptables rules of the system to log new connections and I'm 
hammering it using Perl. Now that I have gone down the rabbit hole I'm 
interested in tweaking the standard rules to protect against DOS 
attacks. The user has no control over the rules until we get to the 
custom section, so I'm looking to apply "best practices."

I did find this info so some things I do will need to be via sysctl.

https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/

I'm not sure why my limit is not working for logging. I'm trying to 
limit logging to 20/min so that we do not fill flash. I'm seeing a 
limit of 5 in the log file.

------------- [ cut here ] -------------------------------------------------------------------
#!/bin/sh
######################################################################
# Flush all rules
######################################################################
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X

######################################################################
# Enable Masquerading on net 1
######################################################################
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

######################################################################
# Create a target to log all new inbound connections
######################################################################
/sbin/iptables -N LOGP
# Limit logging to 20/min to prevent filling up flash.
# Note: without --limit-burst the limit match uses its default burst of 5,
# so a sudden flood logs 5 lines at once and then one every 3 seconds
# (the long-run average is still 20/min).
/sbin/iptables -A LOGP -m limit --limit 20/min -j LOG --log-prefix ' INBOUND TCP ' --log-level 4
/sbin/iptables -A LOGP -j ACCEPT
# Packets belonging to existing TCP connections bypass the log chain.
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else TCP that did not arrive on loopback is logged (then accepted).
/sbin/iptables -A INPUT -p tcp ! -i lo -j LOGP

######################################################################
# Create a DNAT rules per configuration and allow access
# to them via PPP interfaces.
######################################################################
# DNAT: 10.0.6.201 -> 192.168.1.201
/sbin/iptables -t nat -A PREROUTING -d 10.0.6.201 -j DNAT --to-destination 192.168.1.201
/sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT
# DNAT: 10.0.6.254 -> 192.168.1.254
/sbin/iptables -t nat -A PREROUTING -d 10.0.6.254 -j DNAT --to-destination 192.168.1.254
/sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT

######################################################################
# Apply any custom rules from iptables config (if any are enabled).
######################################################################
######################################################################
# END
######################################################################
------------- [ cut here ] -------------------------------------------------------------------

Thanks,
Chris
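The "limit of 5" Chris sees is the `limit` match's default `--limit-burst 5`: the rule averages 20/min, but the token bucket only holds 5, so a flood produces 5 log lines immediately and then one every 3 seconds. The following token-bucket model is added here as an illustration (it is not code from the original post); it follows the kernel module's credit arithmetic and reproduces that behaviour on constructed arrival times, and also shows what `--limit-burst 20` changes.

```python
"""Token-bucket model of the iptables `-m limit` match (xt_limit).

Added illustration, not code from the original post. It follows the
kernel module's arithmetic: credit accrues with time, is capped at
burst * cost, and each matching packet spends one cost. Times are
integer milliseconds so the results are exact.
"""


class LimitMatch:
    """Models `-m limit --limit <n>/min --limit-burst <burst>`."""

    def __init__(self, per_minute: int, burst: int = 5):
        # Credit one match costs: 20/min -> one packet per 3000 ms.
        self.cost = 60_000 // per_minute
        # Bucket size. iptables defaults --limit-burst to 5, which is
        # why a 20/min rule logs only 5 lines of a sudden flood.
        self.credit_cap = burst * self.cost
        self.credit = self.credit_cap  # bucket starts full
        self.prev_ms = None

    def match(self, now_ms: int) -> bool:
        """True if a packet arriving at now_ms matches (gets logged)."""
        if self.prev_ms is not None:
            self.credit = min(self.credit_cap,
                              self.credit + (now_ms - self.prev_ms))
        self.prev_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def logged_lines(arrivals_ms, per_minute=20, burst=5):
    """Count how many of the given arrival times would be logged."""
    m = LimitMatch(per_minute, burst)
    return sum(1 for t in arrivals_ms if m.match(t))


# Constructed traffic: 100 SYNs 100 ms apart, i.e. a 10 s flood.
FLOOD = [i * 100 for i in range(100)]
# Constructed traffic: one SYN every 3 s for a minute, exactly 20/min.
STEADY = [i * 3000 for i in range(20)]

if __name__ == "__main__":
    print("flood, default burst 5 :", logged_lines(FLOOD))            # 8
    print("flood, --limit-burst 20:", logged_lines(FLOOD, burst=20))  # 23
    print("steady 20/min, burst 5 :", logged_lines(STEADY))           # 20
```

Raising the burst to 20 makes the first 20 packets of a flood visible in the log, at the cost of 20 lines hitting flash at once; the long-run rate stays 20/min either way.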