IP Tables and Protection from DDoS Servers from Pro - emu64x/Rev-2.0-Lisa GitHub Wiki

IP Tables and DDoS Protection

Attention: working with iptables on a remote machine is very dangerous; do not block your own access to the server.

Option # 1: Prohibition of entry from outside countries

  • To make this easier, Polish developers have made a script.
  • [Download it] Be sure to configure the countries inside the script!
  • Create the folder /root/ddos
  • Enter: chmod +x count.sh
  • The countries whose connections are denied are configured in the script file itself: open it and edit the list.
  • Enter: cd /root/ddos && ./count.sh
  • Once started, the script applies its changes to iptables.

P.S.: from personal experience I know that in most cases the attacks come from Asia, mainly China (the cheapest servers for a botnet).

Option # 2: Configuring connections

  • Since each user needs only one connection to the server, it is logical to set a limit.
  • For this we use the "connlimit" match module.
  • Enter: apt-get install user-mode-linux
  • Now with this module we will limit the number of connections to the login port.
  • Enter: iptables -A INPUT -p tcp --syn --dport 2106 -m connlimit --connlimit-above 20 -j REJECT
    • --connlimit-above 20 means that no more than 20 simultaneous connections to the login port are allowed (counted per source address, the connlimit default); the 21st is rejected.
  • On the game port, I think such a limit is not appropriate: the connection slots would fill up and nobody would be able to get in.
  • But on the MySQL port I would advise setting one:
  • Enter: iptables -A INPUT -p tcp --syn --dport 3306 -m connlimit --connlimit-above 30 -j REJECT

Option # 3: Setting rules

  • There are many iptables rule sets on the Internet, but not all of them are what you need.
  • I used the rules from allcheats, which were created specifically for an la2 server.

```sh
#!/bin/sh
IPT=/sbin/iptables
UNIPORTS="1024:65535"   # unprivileged port range used by our own outgoing connections
INET_IFACE="eth0"

# Flush all rules and delete user-defined chains
$IPT -F
$IPT -X

# Loopback and all outgoing traffic are allowed
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $INET_IFACE -j ACCEPT

# SSH
$IPT -A INPUT -i $INET_IFACE -p tcp --dport 22 -j ACCEPT

# Login server: the connlimit REJECT must come before the ACCEPT, otherwise the
# unconditional ACCEPT matches first and the limit is never applied
$IPT -A INPUT -i $INET_IFACE -p tcp --dport 2106 -m state --state NEW -m connlimit --connlimit-above 20 -j REJECT
$IPT -A INPUT -i $INET_IFACE -p tcp --dport 2106 -j ACCEPT

# MySQL and game server
$IPT -A INPUT -i $INET_IFACE -p tcp --dport 3306 -j ACCEPT
$IPT -A INPUT -i $INET_IFACE -p tcp --dport 7777 -j ACCEPT

# ICMP (ping)
$IPT -A INPUT -p icmp -i $INET_IFACE -j ACCEPT

# Replies to our own outgoing DNS, HTTP/HTTPS and FTP requests
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNIPORTS --sport 53 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE --dport $UNIPORTS --sports 80,443 ! --syn -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNIPORTS --sport 21 ! --syn -j ACCEPT

# Everything else is dropped; the policy is set last so the rules above are already in place
$IPT -P INPUT DROP
```

Warning: the script only works for eth0
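To see why rule order matters in the script above, here is an added Python model of iptables first-match evaluation with the connlimit semantics described in Option 2; it is not part of the wiki or the la2 project, and the rule list, addresses and connection counts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    target: str                            # ACCEPT or REJECT
    dport: Optional[int] = None            # --dport
    new_only: bool = False                 # -m state --state NEW (here: SYN packets only)
    connlimit_above: Optional[int] = None  # -m connlimit --connlimit-above N, per source IP

@dataclass
class Packet:
    src: str
    dport: int
    syn: bool = True

def evaluate(rules: List[Rule], pkt: Packet, conns: Dict[str, int], policy: str = "DROP") -> str:
    """Walk the INPUT chain top to bottom; the first matching rule wins (iptables semantics)."""
    for r in rules:
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.new_only and not pkt.syn:
            continue
        # connlimit counts the source's existing connections plus the one being opened
        if r.connlimit_above is not None and conns.get(pkt.src, 0) + 1 <= r.connlimit_above:
            continue
        return r.target
    return policy  # no rule matched: the chain policy (-P INPUT DROP) decides

# Order from the wiki's original script: the unconditional ACCEPT on 2106 shadows the REJECT
ORIGINAL = [Rule("ACCEPT", dport=22), Rule("ACCEPT", dport=2106), Rule("ACCEPT", dport=3306),
            Rule("REJECT", dport=2106, new_only=True, connlimit_above=20)]
# Corrected order: the limit is evaluated before the port is opened
FIXED = [Rule("ACCEPT", dport=22),
         Rule("REJECT", dport=2106, new_only=True, connlimit_above=20),
         Rule("ACCEPT", dport=2106), Rule("ACCEPT", dport=3306)]

def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Constructed scenario: 203.0.113.7 already holds 20 login connections and opens a 21st."""
    conns = {"203.0.113.7": 20}
    return {
        "flood": evaluate(rules, Packet("203.0.113.7", 2106), conns),     # 21st connection
        "fresh": evaluate(rules, Packet("198.51.100.9", 2106), conns),    # first connection
        "unlisted": evaluate(rules, Packet("198.51.100.9", 8080), conns), # no rule: policy
    }

if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL))  # flood is ACCEPTed: the limit never fires
    print("fixed:   ", verdicts(FIXED))     # flood is REJECTed
```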

  • Apply these rules:
  • Create a .sh file
  • Let it be located here: /root/server/ipt.sh
  • Fill it with our rules (see above)
  • Make it executable:
  • Enter: cd /root/server
  • Enter: chmod +x ipt.sh
  • And run:
  • Enter: sh ./ipt.sh

That's it, your server is fully set up.