I want to use ipchains to prevent dos and log some dos packets.
From netfilter documentation:
Syn-flood protection:
||
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
I wonder why it add to FORWARD chain? The dos should be against the local machine, so I guess it should add to INPUT chain, right?
I have used the following rules to prevent dos to my machine. I have search the web and can't find any dos tool to try my rules. May I ask if the following suit my purpose? The following mainly limit the rate of syn to 1 per second. It logs the excessive syn flood packet information to log and then drop that packet.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD " iptables -A INPUT -p tcp --syn -j DROP iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning prefix `DEF ' DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain FORWARD (policy ACCEPT) target prot opt source destination
Chain OUTPUT (policy ACCEPT) target prot opt source destination
Thanks a lot.
Besides, I would like to use "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" too. Why approach is better for prevent dos? What is the differences? Is it the best to use both simultaneourly?
Bill HKUST
