Некоторые правила iptables против некоторых видов DDoS (some iptables rules against certain kinds of DDoS; INPUT chain, iptables-restore syntax — prefix each line with `iptables` to run it from a shell)
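# Bogus TCP attack
# Lines are in iptables-restore syntax for the INPUT chain of the filter table;
# to run them from a shell, prefix each one with `iptables` (or `ip6tables`).
# FIX: the page used typographic em-dashes instead of `--`, which iptables
# rejects ("unknown option"); the double hyphens are restored here.
#
# Drop anything conntrack cannot tie to a known flow (out-of-window ACKs, stray
# RSTs, bad sequence numbers) before any other rule sees it.
# `-I ... 1/2/3` inserts at fixed positions: loading this file twice stacks
# duplicates, so apply it with iptables-restore or guard with `iptables -C`.
# `-m state` is the legacy alias for `-m conntrack --ctstate`; kept because the
# page targets older CentOS/Debian kernels, equivalent on newer ones.
-I INPUT 1 -m state --state INVALID -j DROP
# Flag combinations that never occur in legitimate TCP (SYN+FIN, SYN+RST);
# they come from scanners and malformed-packet floods. NULL/XMAS probes
# (`--tcp-flags ALL NONE`, `--tcp-flags ALL ALL`) are not covered by this pair.
-I INPUT 2 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-I INPUT 3 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP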
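# Smurf attack (the page's heading read "Spurf"; the em-dashes are fixed to `--`)
# A smurf flood hits the victim with ICMP echo-replies bounced off broadcast
# amplifiers, which is why the limit below covers ICMP as a whole rather than
# echo-request only.
# Information-leak probes that nothing legitimate needs answered:
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# Accept at most 1 ICMP packet per second (default `--limit-burst` 5) ...
# (`-m icmp` without an `--icmp-type` matched nothing extra and is dropped.)
-A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
# ... and explicitly drop the excess. The page stopped at the ACCEPT, so packets
# over the limit fell through to the chain policy — with a default ACCEPT
# policy the whole limit was a no-op.
-A INPUT -p icmp -j DROP
# Caveats:
#  - `-m limit` is one global bucket: a single flooding host starves ICMP for
#    everyone, including "fragmentation needed" (type 3 code 4) errors that
#    path-MTU discovery depends on. Prefer `-m hashlimit --hashlimit-mode srcip`
#    for a per-source rate, and accept `-m state --state RELATED` ICMP ahead of
#    this block so errors for your own connections are not throttled.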
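# TCP Reset attack (em-dashes fixed to `--`)
# Throttle segments carrying RST to 2/s (burst 2) and drop the rest. Forged
# RSTs with an out-of-window sequence number are already dropped by the
# INVALID rule at the top of INPUT, and kernels since 3.6 apply RFC 5961 RST
# validation in the TCP stack, so this is a secondary measure, not the primary
# defence.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Drop RSTs over the limit. The page only had the ACCEPT, so everything above
# the limit fell through to the chain policy and the limit did nothing when
# that policy is ACCEPT.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
# Caveat: the bucket is global. A sustained RST stream also discards legitimate
# resets, leaving peers' closed connections hanging until they time out — an
# attacker can deliberately cause this. A per-source `-m hashlimit` keeps the
# blast radius to the offending address.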
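# HTTP SYN flood attack (1-st variant) (em-dashes fixed to `--`)
# Per-source throttle with xt_recent: a client whose previous NEW connection to
# port 80 was less than 10 s ago is dropped; `--update` also refreshes its
# timestamp, so a client that keeps retrying stays blocked.
# FIX: the page populated list SYNFLOODv2 (`--set`) but checked SYNFLOODv1
# (`--update`), so the DROP rule could never match. Both rules now use
# SYNFLOODv1, a name distinct from variant 2's list, so the two do not share
# state.
# `--syn` is added so that, with nf_conntrack_tcp_loose=1, mid-stream packets
# picked up as NEW are not counted as connection attempts (same as variant 2).
-A INPUT -p tcp -m tcp --syn --dport 80 -m state --state NEW -m recent --update --seconds 10 --name SYNFLOODv1 -j DROP
-A INPUT -p tcp -m tcp --syn --dport 80 -m state --state NEW -m recent --set --name SYNFLOODv1 -j ACCEPT
# Caveats:
#  - Without `--hitcount` this allows ONE new connection per source per 10 s.
#    Browsers open several parallel connections and NAT puts many users behind
#    one address, so ordinary web clients break; add `--hitcount N` or use
#    variant 2 instead, and load only one of the two variants.
#  - The `-j ACCEPT` short-circuits the rest of INPUT for port-80 SYNs.
#  - Per-source tracking is blind to spoofed-source SYN floods; enable
#    `net.ipv4.tcp_syncookies=1` for those. Accepted SYNs leave half-open
#    conntrack entries behind, so watch nf_conntrack_max under a flood.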
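# HTTP SYN flood attack (2-nd variant) (em-dashes fixed to `--`)
# Per-source SYN rate: record every new SYN, then drop a source that has sent
# 60 or more SYNs within the last 3 s. The `--set` rule has no target, so it
# only records and falls through to the `--update` rule, which counts hits and
# refreshes the timestamp.
# Despite the heading this applies to every TCP port (there is no `--dport 80`);
# add `--dport 80` if only HTTP should be throttled.
-A INPUT -p tcp -m tcp --syn -m state --state NEW -m recent --name SYNFLOODv2 --set
-A INPUT -p tcp -m tcp --syn -m state --state NEW -m recent --name SYNFLOODv2 --update --seconds 3 --hitcount 60 -j DROP
# Caveats:
#  - On older kernels (e.g. the 2.6.32 series in CentOS 6) xt_recent refuses a
#    `--hitcount` larger than its ip_pkt_list_tot parameter (default 20) and the
#    rule fails to load with "Invalid argument"; set
#    `options xt_recent ip_pkt_list_tot=60` under /etc/modprobe.d. Newer
#    kernels size the per-table packet list from the hitcount automatically.
#  - Each list holds ip_list_tot addresses (default 100) and evicts the oldest,
#    so a distributed flood simply cycles through it: this is per-source abuse
#    control, not DDoS protection, and it cannot see spoofed sources — enable
#    `net.ipv4.tcp_syncookies=1` for those.
#  - If variant 1 is also loaded, its ACCEPT rule hides port-80 SYNs from these
#    two rules; use one variant only.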
Tags: CentOS, DDoS, Debian, FreeBSD (note: these are Linux iptables/netfilter rules; FreeBSD uses pf or ipfw and cannot load them as written)