IPtables rules against SYN flood

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

IPtables rules against SYN flood

Post by Cool_Fire » Tue Sep 21, 2010 4:49 am

Hello, I've been thinking of a ruleset for iptables that blocks SYN floods from reaching the target service.
This is what I've got so far:

Code:

# Insert new rules (in reverse order, because it's insert, not append)
iptables -I FORWARD -m state --state NEW -m limit --limit 100/second -j ACCEPT
iptables -I FORWARD -m recent --update --seconds 60 -j DROP

# Append new rules
iptables -A FORWARD -p tcp -m recent --set -j REJECT --reject-with tcp-reset
iptables -A FORWARD -m recent --set -j DROP

However, this just blocks everything. So that's hardly the result I was hoping for.
It's supposed to allow a max of 100 SYN packets/second, and after that block the IP until there has been 60 seconds of silence from that address.

Chroma
n00b
Posts: 4
Joined: Mon Feb 07, 2011 12:13 pm

Re: IPtables rules against SYN flood

Post by Chroma » Tue Feb 08, 2011 11:06 am

Hi,

I have not used iptables for a while, but what about doing it by reverse thinking?
You accept everything until you reach the limit:

Code:

# Accepting forward for all IP, but set the IP in the recent list
iptables -I FORWARD -p tcp -m state --state NEW -m recent --set -j ACCEPT
# Rejecting packet when hitcount is over 100 during one second
iptables -I FORWARD -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 101 -j DROP

Any luck?

Chroma.
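To see what `-m recent --set` / `--update --seconds N --hitcount M` actually do with a flood, here is an added Python model of the xt_recent match (a simulation written for this thread, not iptables and not code from either poster). It traces Chroma's two rules extended with a second, constructed `BAN` table that keeps dropping a source until 60 seconds of silence, which is what the original post asked for; the table names, the 198.51.100.7 address and the timestamps are constructed, and the `ip_pkt_list_tot` check mirrors the kernel's refusal to load a `--hitcount` larger than the module's per-address list size (default 20).

```python
"""Constructed model of iptables' xt_recent match (--set/--update/--seconds/--hitcount),
used to trace how the rules in this thread behave. It is a simulation, not iptables."""
from collections import defaultdict

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address (module parameter)


class RecentTable:
    """One --name table: newest timestamp first, at most pkt_list_tot per source."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        self.tot = pkt_list_tot
        self.stamps = defaultdict(list)

    def set(self, src, now):
        s = self.stamps[src]
        s.insert(0, now)
        del s[self.tot:]  # oldest stamps fall off once the list is full

    def update(self, src, now, seconds=0, hitcount=0):
        """--update: match if src is listed (seen >= hitcount times within `seconds`);
        on a match the current packet is added as a fresh timestamp."""
        if hitcount > self.tot:  # iptables refuses such a rule at load time
            raise ValueError("hitcount %d > ip_pkt_list_tot %d" % (hitcount, self.tot))
        s = self.stamps.get(src)
        if not s:
            return False
        hits = sum(1 for t in s if not seconds or now - t <= seconds)
        matched = hits >= max(hitcount, 1)
        if matched:
            self.set(src, now)
        return matched


def syn_chain(syn_times, src, hitcount=101, window=1, ban=60, pkt_list_tot=101):
    """Verdict per SYN (constructed timestamps in seconds) from one source under:
      1. -m recent --name BAN --update --seconds 60 -j DROP
      2. -p tcp NEW -m recent --name SYN --update --seconds 1 --hitcount 101
               -m recent --name BAN --set -j DROP
      3. -p tcp NEW -m recent --name SYN --set -j ACCEPT
    Rule 1 refreshes the ban on every dropped packet, so a source that keeps
    flooding stays blocked and is only released after `ban` seconds of silence."""
    syn, banned = RecentTable(pkt_list_tot), RecentTable(pkt_list_tot)
    verdicts = []
    for now in syn_times:
        if banned.update(src, now, seconds=ban):
            verdicts.append("DROP")
        elif syn.update(src, now, seconds=window, hitcount=hitcount):
            banned.set(src, now)
            verdicts.append("DROP")
        else:
            syn.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts
```

With the kernel default of 20 remembered stamps the `--hitcount 101` rule cannot be loaded at all; the module has to be loaded with a larger `ip_pkt_list_tot` first.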

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: IPtables rules against SYN flood

Post by Cool_Fire » Tue Feb 08, 2011 4:55 pm

Good call, but I've since found out the router I wanted to implement it on doesn't support the right module.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
