iptables ddos limit configuration, prevent denial of service attacks on Linux (Match extension limit)

When we run a web server, it should have some basic protection so that a “good” person (with all the sarcasm) cannot simply point JMeter (an excellent tool designed for load testing) at it with the idea of saturating our server.

These things really happen; it is not paranoia.

One way to mitigate these attacks is with iptables (I have a broader post on iptables); an example configuration would be:

#!/bin/bash
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -m comment --comment "Allow existing connections" -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "Allow internal connections" -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 1/second --limit-burst 5 -m comment --comment "Allow port 80" -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m comment --comment "Write to log possible attack DDOS port 80" -j LOG --log-prefix " *ATTACK DOS PORT 80* "
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW -m limit --limit 1/second --limit-burst 5 -m comment --comment "Allow port 443" -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW -m comment --comment "Write to log possible attack DDOS port 443" -j LOG --log-prefix " *ATTACK DOS PORT 443* "
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m limit --limit 1/second --limit-burst 5 -m comment --comment "Allow port 22" -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m comment --comment "Write to log possible attack DDOS port 22" -j LOG --log-prefix " *ATTACK DOS PORT 22* "
iptables -A INPUT -m comment --comment "Deny everything else" -j DROP

This case is for a web server with SSL and port 22 open for administration.

The rules limit attacks using the match extension “limit”: 1 new connection per second on average, with bursts of up to 5. After each of these rules comes another one that uses the target extension “LOG” to record the connection attempts that exceeded the limit, i.e. the possible DoS attacks.

Depending on the Linux distribution, these messages are written by default to one file or another:

  • Red Hat, CentOS, Fedora in /var/log/messages
  • Debian, Ubuntu in /var/log/kern.log

It is highly recommended to take a look at the iptables man page.
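The LOG rules only fire for the new connections that did not fit in the limit bucket, so the lines they write tell you when the 1/second, burst 5 allowance ran out and from which addresses. The script below is an added example, not code from the original post: it summarises such log lines per port, per source address and per second. The log lines it processes are constructed here in the shape of kernel packet-log output (the SRC=, DPT= fields are what the kernel emits after the --log-prefix); on a real host pass /var/log/messages or /var/log/kern.log instead of the sample file.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise the kernel log lines that the
# LOG rules above write with the " *ATTACK DOS PORT N* " prefix. The log lines below are
# constructed for this example; on a real host pass /var/log/messages (Red Hat family)
# or /var/log/kern.log (Debian family) to the functions instead.

SAMPLE_LOG="${TMPDIR:-/tmp}/dos_sample_$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 web kernel:  *ATTACK DOS PORT 80* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Mar  3 10:15:01 web kernel:  *ATTACK DOS PORT 80* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80 SYN
Mar  3 10:15:01 web kernel:  *ATTACK DOS PORT 80* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=80 SYN
Mar  3 10:15:02 web kernel:  *ATTACK DOS PORT 80* IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80 SYN
Mar  3 10:15:02 web kernel:  *ATTACK DOS PORT 443* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51003 DPT=443 SYN
Mar  3 10:15:05 web kernel:  *ATTACK DOS PORT 22* IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=22 SYN
Mar  3 10:15:05 web sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50001 ssh2
EOF

# Number of LOG hits for one port: dos_hits_for_port <logfile> <port>
dos_hits_for_port() {
    grep -c "\*ATTACK DOS PORT $2\*" "$1" || true   # grep -c exits 1 when the count is 0
}

# Hits per source address across all logged ports, busiest first: "<count> <ip>" per line
dos_sources() {
    grep '\*ATTACK DOS PORT' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
           END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# Address with the most hits, i.e. the first one to look at
dos_top_source() {
    dos_sources "$1" | awk 'NR == 1 { print $2 }'
}

# Largest number of hits in any single second for one port: dos_peak_per_second <logfile> <port>
# The limit match refills one token per second into a bucket of 5, so several hits logged
# within the same second mean the burst allowance had already been used up.
dos_peak_per_second() {
    grep "\*ATTACK DOS PORT $2\*" "$1" \
    | awk '{ t[$1 " " $2 " " $3]++ } END { m = 0; for (k in t) if (t[k] > m) m = t[k]; print m }'
}

# Print the whole summary for a log file: dos_report <logfile>
dos_report() {
    for port in 80 443 22; do
        printf 'port %s: %s hits, peak %s in one second\n' \
            "$port" "$(dos_hits_for_port "$1" "$port")" "$(dos_peak_per_second "$1" "$port")"
    done
    printf 'sources (hits address):\n'
    dos_sources "$1"
}

dos_report "$SAMPLE_LOG"
```

Two things worth keeping in mind when reading the output. The limit match counts all matching packets together regardless of where they come from, so one noisy client exhausts the bucket for every other visitor; if you need per-source counting, the hashlimit match extension exists for that. And the LOG rules in the script above are not rate-limited themselves, so under a real flood they write one line per excess connection attempt; adding a `-m limit` to the LOG rule as well is the usual way to keep the log readable.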
