@ /dev/rob0
> > I found a solution on how to tell iptables not to see the
> > continuous flow of SIP-packets as an ESTABLISHED connection. I
> > split
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > into
> > # iptables -A INPUT -p ! udp -m state --state ESTABLISHED -j ACCEPT
> This is wrong. You probably want UDP ESTABLISHED packets ....
Hmmm, it might not be the optimum but it works very well. All ESTABLISHED UDP "connections" can go down the ruleset until they are ACCEPTed or DROPed by another rule.
> We're trying with different numbers. After I've accumulated some results with my numbers, I might try shorter --seconds values.
I think this depends on your non-DoS traffic. My attacker is sending up to 70 packets per second. So --seconds 10 --hitcount 20 is enough for me at the moment and the other traffic can pass without problems.
> I think you should DROP known attackers. When I was under that attack from mid-November, the ICMP would have significantly hurt my limited upstream bandwidth (cheap rural consumer-grade DSL here.)
You are right and I did it already, but for another consideration: if the attacker is doing IP-spoofing, my REJECT packets will be sent to an innocent IP. That is not what I want, because then unintentionally I become an attacker on this server with my reject packets.

If you want to see my ruleset, I attached it below. In particular I would like to make you aware of:

-A OUTPUT -s ! XXX.XXX.XXX.XXX/32 -j DROP

Added to prevent other users of the server from doing IP-spoofing. I think every server admin should add this by default!

Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee

---------------------------------------
# Generated by iptables-save v1.4.2 on Wed Dec 1 18:31:18 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ! udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -m recent --update --seconds 10 --hitcount 20 --rttl --name DOS_5060 --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m recent --set --name DOS_5060 --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 300 --hitcount 5 --rttl --name DOS_22 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name DOS_22 --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s ! XXX.XXX.XXX.XXX/32 -j DROP
COMMIT
# Completed on Wed Dec 1 18:31:18 2010
# Generated by iptables-save v1.4.2 on Wed Dec 1 18:31:18 2010
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Dec 1 18:31:18 2010
# Generated by iptables-save v1.4.2 on Wed Dec 1 18:31:18 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Dec 1 18:31:18 2010

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
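As an added illustration (not code from the thread or from netfilter), a small Python model of the two `-m recent` rules on UDP 5060 in the ruleset above, showing why `--seconds 10 --hitcount 20` starts dropping a 70-packet-per-second flood at its 21st packet while a phone sending one SIP packet per second is never touched, and why the source is accepted again once the window has slid past. It assumes the kernel default of 20 stored timestamps per source (`ip_pkt_list_tot`) and leaves out the `--rttl` TTL check; addresses and timings are constructed.

```python
from collections import defaultdict, deque

SECONDS, HITCOUNT = 10, 20   # --seconds 10 --hitcount 20 from the posted rule
LIST_TOT = 20                # ip_pkt_list_tot default: stamps kept per source


class RecentTable:
    """One named table (here DOS_5060): source IP -> ring of recent timestamps."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def update_matches(self, src, now):
        """Rule 1 (--update ... -j DROP): matches only if the source is already
        listed and >= hitcount stored stamps lie inside the window; on a match
        --update also records the current stamp."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False

    def set_stamp(self, src, now):
        """Rule 2 (--set -j ACCEPT): records the stamp, creating the entry."""
        self.stamps[src].append(now)


def filter_sip(packets, table=None):
    """Walk (src, time) packets through both rules; one verdict per packet.
    Every packet leaves exactly one stamp: rule 1 on a match, rule 2 otherwise."""
    table = table if table is not None else RecentTable()
    verdicts = []
    for src, now in packets:
        if table.update_matches(src, now):
            verdicts.append("DROP")
        else:
            table.set_stamp(src, now)
            verdicts.append("ACCEPT")
    return verdicts


def demo():
    """Constructed traffic: a 70 pps flood for one second beside a phone sending
    one packet per second for 30 s. Returns DROP counts per source."""
    attacker = [("203.0.113.9", i / 70) for i in range(70)]
    phone = [("198.51.100.5", float(i)) for i in range(30)]
    packets = sorted(attacker + phone, key=lambda p: p[1])
    drops = defaultdict(int)
    for (src, _), v in zip(packets, filter_sip(packets)):
        drops[src] += (v == "DROP")
    return dict(drops)   # {'203.0.113.9': 50, '198.51.100.5': 0}
```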