On Thu, Aug 19, 2004 at 05:47:49PM +0500, Askar Ali Khan wrote:
> hi,
>
> I'm trying to protect my server from various types of DoS, for example
> Syn-flood protection, Furtive port scanner, Ping of death. It's our
> server B protected by firewall machine A.
>
> client traffic flows   A-------------->B
>                       (fw)         (server)

You might find this useful for some of those:
http://web.lemuria.org/Software/iptables.html

> # Create a unique log entry for each type of packet we want to know about
> ## Syn-flood protection
> iptables -A LogPackets -p tcp --syn -m limit --limit 1/s -j LOG
> --log-prefix "Syn-flood "

To be honest one request a second isn't much of a flood... actually I
don't know much about the "limit" option, but won't that trigger every
time you receive a SYN?

> ## Furtive port scanner
> iptables -A LogPackets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
> --limit 1/s -j LOG --log-prefix "Furtive port scanner "

I wouldn't worry about the limit for the SYN,ACK,FIN,RST packets.... but
won't the RST one get triggered all the time?

> ## Ping of death
> iptables -A LogPackets -p icmp --icmp-type echo-request -m limit
> --limit 1/s -j LOG --log-prefix "Ping of death "

If anyone pings you this rule will be triggered, which is a little
drastic. You want to guard against ping floods, but really the old "ping
of death", a large ICMP echo request IIRC, is an old, *old*
vulnerability that you shouldn't need to worry about now.

Which reminds me, I haven't really looked into it but Snort allegedly can
differentiate between a ping generated by NMAP and a "normal" ping...
any way for IPTables to pick up those pings?

--
"I think a church with a lightning rod shows a decided lack of confidence"
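To make the question about "limit" concrete, here is an added example (not part of the thread, and not netfilter's own code) that models the limit match as the token bucket it is, using the iptables default burst of 5. It runs the quoted `--syn -m limit --limit 1/s -j LOG` rule over two constructed traffic patterns: a quiet client, whose every SYN is logged, and a one-second flood of 200 SYNs, of which only the first five are logged while the rest pass the LOG rule silently; the limit caps log volume, it does not detect floods.

```python
"""Simplified token-bucket model of the iptables 'limit' match (constructed example)."""


class LimitMatch:
    """Mimics `-m limit --limit RATE --limit-burst BURST`.

    The bucket starts full with `burst` credits; each packet that matches
    spends one credit, and credits refill continuously at `rate` per second.
    A packet arriving with the bucket empty does NOT match, so the target
    that follows (LOG here) is simply skipped for it.
    """

    def __init__(self, rate_per_sec: float, burst: int = 5):  # 5 is the iptables default burst
        self.rate = rate_per_sec
        self.burst = burst
        self.credit = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        self.credit = min(float(self.burst), self.credit + (now - self.last) * self.rate)
        self.last = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def logged_packets(arrivals, rate_per_sec=1.0, burst=5):
    """Return the arrival times a `-m limit --limit <rate> -j LOG` rule would actually log."""
    match = LimitMatch(rate_per_sec, burst)
    return [t for t in arrivals if match.matches(t)]


def normal_client_syns():
    """Constructed: a legitimate client opening three connections over ten seconds."""
    return [0.0, 4.0, 9.0]


def syn_flood(start=20.0, count=200):
    """Constructed: 200 SYNs packed into one second, starting at `start`."""
    return [start + i / count for i in range(count)]


if __name__ == "__main__":
    # Every SYN from the quiet client is logged: the rule fires on ordinary traffic too.
    print("normal client logged:", logged_packets(normal_client_syns()))
    # Of 200 flood SYNs only the burst allowance (5) is logged; the other 195 pass the LOG rule unlogged.
    print("flood SYNs logged:", len(logged_packets(syn_flood())), "of 200")
```

The same bucket drives the usual "ACCEPT within the limit, DROP the rest" pattern; the difference is only the target placed after `-m limit`, so whether a rule rate-limits logging or rate-limits traffic depends on what follows the match, not on the match itself.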