# loopback
iptables -A INPUT -i lo -j ACCEPT

# MySQL (3306): cap parallel connections per source, allow only the listed hosts, log everything else.
# Note that the final DROP is commented out, so other sources are only logged, not blocked.
iptables -t filter -A INPUT -i eth0 -p tcp -s 0/0 --dport 3306 -m connlimit --connlimit-above 35 -j REJECT
iptables -A INPUT -s 91.121.90.167 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 94.23.240.37 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 94.23.228.85 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
#iptables -A INPUT -s 0/0 -p tcp --dport 3306 -j DROP
iptables -A INPUT -s 0/0 -p tcp --dport 3306 -j LOG

# www: cap parallel connections per source
iptables -t filter -A INPUT -i eth0 -p tcp -s 0/0 --dport 80 -m connlimit --connlimit-above 40 -j REJECT

# SYN flood: every new SYN goes through the syn_flood chain; up to 300/s (burst 700) RETURN to INPUT,
# the rest are dropped. Logging is itself rate-limited to 150/s (burst 300). The trusted host bypasses it.
iptables -N syn_flood
iptables -A INPUT -s 91.121.90.167 -j ACCEPT
#iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 20123 --syn -m iplimit --iplimit-above 2 -j DROP
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 150/s --limit-burst 300 -j LOG --log-prefix "SYNFLOOD: "
iptables -A syn_flood -m limit --limit 300/s --limit-burst 700 -j RETURN
iptables -A syn_flood -j DROP

# Limit incoming ICMP echo requests: accept up to 10/s (burst 20), log (also rate-limited) and drop the rest
iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j LOG --log-prefix "PING-DROP: "
iptables -A INPUT -p icmp -j DROP
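Added example, not part of the original notes: a POSIX shell helper that reads the kernel log lines the LOG rules above produce and counts hits per source address, so the SYNFLOOD: and PING-DROP: entries (and the unprefixed MySQL ones) can actually be reviewed. The log lines are constructed for the example in the field layout the netfilter LOG target writes (SRC=, DPT=); the path /var/log/kern.log is an assumption that varies by distribution.

```sh
#!/bin/sh
# Constructed sample kernel log lines in netfilter LOG-target layout (not from a real host).
# Line 4 shows what a prefix without a trailing space looks like; line 5 has no prefix,
# as with the page's MySQL LOG rule.
SAMPLE_LOG='Jan 12 10:00:01 host kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=80 SYN
Jan 12 10:00:01 host kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44322 DPT=80 SYN
Jan 12 10:00:02 host kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=3306 SYN
Jan 12 10:00:02 host kernel: PING-DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Jan 12 10:00:03 host kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=3306 SYN'

# by_source  (log text on stdin): one "count ip" line per SRC= address, busiest first
by_source() {
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# count_prefix PREFIX  (stdin): hits from a LOG rule with this --log-prefix.
# Substring match, so "SYNFLOOD:" finds lines whether or not the prefix had a trailing space.
count_prefix() { grep -F -- "$1" | by_source; }

# count_dport PORT  (stdin): for an unprefixed LOG rule (the MySQL one), select on DPT= instead
count_dport() { grep -E -- "DPT=$1( |\$)" | by_source; }

# top_source PREFIX : the source with the most hits for PREFIX in the sample log
top_source() {
    printf '%s\n' "$SAMPLE_LOG" | count_prefix "$1" | head -n 1 | awk '{ print $2 }'
}

# hits PREFIX IP : hits from IP for PREFIX in the sample log (0 if none)
hits() {
    printf '%s\n' "$SAMPLE_LOG" | count_prefix "$1" \
      | awk -v ip="$2" '$2 == ip { n = $1 } END { print n + 0 }'
}

# dport_sources PORT : number of distinct sources logged for destination PORT
dport_sources() {
    printf '%s\n' "$SAMPLE_LOG" | count_dport "$1" | wc -l | tr -d ' '
}

# On a live host the same functions read the real log (assumed path):  count_prefix SYNFLOOD: < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | count_prefix SYNFLOOD:
```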
Blocking a single IP:
iptables -I INPUT -s 91.121.90.1 -j DROP
Saving the rules:
iptables-save > /etc/iptables.conf
Loading the rules at system startup (in /etc/network/interfaces):
auto eth0
iface eth0 inet static
    address 1.1.1.1
    netmask 255.255.255.0
    network 2.2.2.2
    broadcast 1.1.1.255
    gateway 1.1.1.254
    pre-up iptables-restore < /etc/iptables.conf
https://help.ubuntu.com/community/IptablesHowTo
http://otland.net/blogs/don+daniello/linux-anti-ddos-iptables-rules-841/