Iptables ipt recent

From Tomp Online Wiki


Introduction

This page documents how to use the iptables ipt_recent match (called xt_recent on current kernels) to blunt a DoS attack: sources that open too many connections in a short window are put on a blacklist and dropped for a while.

Configuring

If you are being DDoSed the default list sizes are too small: the module remembers at most ip_list_tot source addresses per list (default 100; when a list is full the least recently seen address is evicted to make room) and at most ip_pkt_list_tot timestamps per address (default 20; xt_recent caps this at 255). Keep any --hitcount you use at or below ip_pkt_list_tot, since older kernels reject a rule whose hitcount exceeds it. Raise the limits with a modprobe options file (current module-init-tools/kmod only read files whose name ends in .conf, e.g. /etc/modprobe.d/ipt_recent.conf):

/etc/modprobe.d/ipt_recent

options ipt_recent ip_list_tot=3000 ip_pkt_list_tot=100

On kernels where the module is named xt_recent, use that name in the options line instead.

The parameters are only read when the module loads, and the module cannot be unloaded while any rule references the recent match, so the firewall has to be stopped to reload it. That leaves the host unfiltered until the rules come back, so restore them straight afterwards:

service iptables stop
rmmod ipt_recent
modprobe ipt_recent
service iptables start

You can check the settings have been applied by reading the parameter files (as root) in:

/sys/module/ipt_recent/parameters/

IPTABLES Rules

Here is an example rule set to blacklist sources that flood a specific IP. Insert these rules before anything that accepts port 80 traffic. The blacklist check is placed first so an already-banned source is dropped by a single rule, and only SYN packets are counted: a plain -p tcp --dport 80 match would count every segment, and 20 segments per minute is far below what one normal browser session produces, so legitimate clients would be blacklisted too.

#Create the blacklist chain: entering it records the source address in the "blacklist" list and drops the packet.

iptables -N BLACKLIST
iptables -A BLACKLIST -m recent --set --name blacklist -j DROP

#Drop anything from a source seen in the blacklist within the last 300 seconds.
#--update refreshes the timestamp on every hit, so a source that keeps sending stays banned; use --rcheck instead for a fixed 300-second ban.

iptables -A INPUT -p tcp -d 192.168.1.1 --dport 80 -m recent --update --seconds 300 --name blacklist -j DROP

#Rate limiting for a destination IP: record each new connection (SYN) per source, then blacklist the source once it has opened 20 or more connections in 60 seconds.

iptables -A INPUT -p tcp -d 192.168.1.1 --dport 80 --syn -m recent --set --name ratelimit
iptables -A INPUT -p tcp -d 192.168.1.1 --dport 80 --syn -m recent --update --seconds 60 --hitcount 20 --name ratelimit -j BLACKLIST

You can see which addresses are currently in a list, together with the timestamps the kernel still holds for each, by reading the file named after the list under:

/proc/net/ipt_recent/

On current kernels the module is xt_recent and the directory is /proc/net/xt_recent/. A list's file only appears once a rule using that --name has been loaded, and last_seen and the per-packet timestamps are kernel jiffies, not wall-clock time. With xt_recent you can also edit a list by writing to its file: +addr adds an address, -addr removes one, and / flushes the whole list.
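The helpers below are an added example, not part of the original wiki page, for reading and editing the lists the rules above populate. They assume the xt_recent proc layout (override RECENT_DIR for /proc/net/ipt_recent or for an offline copy); the function names, the RECENT_DIR variable and the sample list contents are all mine, and the sample is constructed in the kernel's line format rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: inspect and manage the address
# lists kept by the recent match. Assumes xt_recent's /proc/net/xt_recent/;
# set RECENT_DIR to use /proc/net/ipt_recent or a copy of the files instead.
if [ -z "${RECENT_DIR:-}" ]; then
    if [ -d /proc/net/xt_recent ]; then
        RECENT_DIR=/proc/net/xt_recent
    else
        RECENT_DIR=/proc/net/ipt_recent
    fi
fi

# A list file only exists once a rule using that --name has been loaded.
list_file() {
    f="$RECENT_DIR/$1"
    if [ ! -f "$f" ]; then
        echo "recent list '$1' not found under $RECENT_DIR (no rule loaded for it?)" >&2
        return 1
    fi
    printf '%s\n' "$f"
}

# Print "address hits" for every entry, most hits first. Each kernel line is
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1, J2, ...
# The timestamps J1.. (jiffies) are the packets still remembered for that
# address, at most ip_pkt_list_tot of them, so their number is the count
# that --hitcount is compared against.
list_blocked() {
    f=$(list_file "$1") || return 1
    awk '
        /^src=/ {
            ip = substr($1, 5)
            first = NF + 1
            for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") { first = i + 2; break }
            print ip, NF - first + 1
        }' "$f" | sort -k2,2nr
}

# Hit count for one address; prints nothing if it is not in the list.
hits_for() {
    list_blocked "$1" | awk -v ip="$2" '$1 == ip { print $2 }'
}

# Manual control of a list through the same proc file (xt_recent syntax):
# "+addr" adds or refreshes an address, "-addr" removes it, "/" flushes.
ban_ip()     { f=$(list_file "$1") || return 1; echo "+$2" > "$f"; }
unban_ip()   { f=$(list_file "$1") || return 1; echo "-$2" > "$f"; }
flush_list() { f=$(list_file "$1") || return 1; echo "/" > "$f"; }

# Constructed sample list in the kernel's format (not captured from a real
# system) so the helpers can be tried without root or the module loaded.
make_sample_list() {
    d=$(mktemp -d)
    cat > "$d/blacklist" <<'EOF'
src=198.51.100.7 ttl: 52 last_seen: 4295123456 oldest_pkt: 2 4295100000, 4295110000, 4295123456
src=203.0.113.9 ttl: 64 last_seen: 4295099000 oldest_pkt: 0 4295099000
EOF
    printf '%s\n' "$d"
}

# Run with --demo to exercise the helpers on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    RECENT_DIR=$(make_sample_list)
    list_blocked blacklist
    echo "hits for 198.51.100.7: $(hits_for blacklist 198.51.100.7)"
fi
```

On a live host, `list_blocked blacklist` shows who is banned right now and `unban_ip blacklist 198.51.100.7` releases an address without touching the rules; the hit counts are the same numbers --hitcount sees, which is a quick way to tell whether a threshold is set sensibly.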