Update iptables

This commit is contained in:
Adrian 2020-03-07 09:24:38 +01:00
parent e60d9c0c59
commit 6f80b8345d
2 changed files with 12 additions and 21 deletions


@ -8,26 +8,9 @@ sudo systemctl enable iptables
## Apply and Report Rate Limits
The `ratelimit.rules` file adds new chains to rate limit subnets.
The `ratelimit.rules` file adds new chains to
limit the rate of new connections based on /16 subnets.
```sh
sudo iptables-restore -n < ratelimit.rules
# Common offenders
sudo iptables -t raw -A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_DEFAULT
sudo iptables -t raw -A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_DEFAULT
sudo iptables -t raw -A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_DEFAULT
# Default action
sudo iptables -t raw -A RATELIMIT_DEFAULT -p tcp --tcp-flags SYN,ACK SYN \
-m hashlimit --hashlimit-name drop_4h \
--hashlimit-above 4/hour --hashlimit-burst 2 \
--hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j DROP
# Log potential offenders
sudo iptables -t raw -A RATELIMIT_REPORT -p tcp --tcp-flags SYN,ACK SYN \
-m hashlimit --hashlimit-name report1 \
--hashlimit-above 1/second --hashlimit-burst 4 \
--hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j LOG \
--log-level 5 --log-prefix "ratelimit report1 "
```


@ -1,10 +1,10 @@
*raw
:RATELIMIT -
:RATELIMIT_ENFORCE -
:RATELIMIT_REPORT -
:RATELIMIT_SUBNET -
:RATELIMIT_DEFAULT -
-I PREROUTING -j RATELIMIT
-I PREROUTING -p tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
-A RATELIMIT -s 127.0.0.0/8 -j RETURN
-A RATELIMIT -s 10.0.0.0/8 -j RETURN
@ -13,4 +13,12 @@
-A RATELIMIT -j RATELIMIT_SUBNET
-A RATELIMIT -j RATELIMIT_REPORT
-A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j DROP
-A RATELIMIT_REPORT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 6 --hashlimit-mode srcip,dstport --hashlimit-name report1 --hashlimit-srcmask 16 -j LOG --log-prefix "ratelimit report1 " --log-level 5
-A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_ENFORCE
-A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_ENFORCE
-A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_ENFORCE
COMMIT
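Review bot: The LOG rule in RATELIMIT_REPORT has no cap on its own output: once a /16 exceeds 1/min (burst 6) every further SYN from it is logged, so a source that trips the threshold writes one log line per packet and can fill syslog/journald long before the enforce chain drops anything. Add a limit match after the hashlimit match, e.g. `... --hashlimit-srcmask 16 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ratelimit report1 " --log-level 5`, so reporting stays bounded regardless of inbound rate. `:RATELIMIT_DEFAULT -` is still declared but no visible rule jumps to it (the README side of this commit also drops the RATELIMIT_DEFAULT commands); remove the chain or confirm the lines of this file not shown here still use it. A comment next to the RATELIMIT_SUBNET rules would also help, e.g. `# srcmask 16: every host in a /16 under 185/8, 45/8, 193/8 shares one 4-new-connections/hour budget per dst port, so legitimate clients in the same ISP block are cut off with the offender`. The rendering appears to omit some hunk lines (the second hunk claims 12 new lines but fewer are shown), so the unseen lines may already cover part of this.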