On Tue, 11 Mar 2014 14:12:37 -0300 Thiago Oliveira <cpv.thiago@xxxxxxxxx> wrote:

> Mr. Jesper,
>
> I had some time now and I did execute the SYN-PROXY script and am getting this output.
>
> root@spweb02:~# ./syn-proxy.sh -v -i eth0 -p 80
> WARNING: Shell env variable IPTABLES_CMD is undefined
> WARNING: Fallback to default IPTABLES_CMD=/sbin/iptables
> iptables: No chain/target/match by that name.
> WARNING -- Error (1) when executing the iptables command:
> "iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack"
> iptables v1.4.8: unknown option `--sack-perm'
> Try `iptables -h' or 'iptables --help' for more information.
> WARNING -- Error (2) when executing the iptables command:
> "iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
> iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID -j DROP
>
> Maybe my iptables version doesn't support this?

Exactly... you need iptables v1.4.21; you can run the commands below:

wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.21.tar.bz2
tar xvf iptables-1.4.21.tar.bz2
cd iptables-1.4.21/
./configure && make
sudo make install

Remember you also need a newer kernel... minimum kernel 3.13, but preferably the upcoming nf-next kernel, for the conntrack scaling:
https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/

git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
cd nf-next/
make menuconfig  #(select all netfilter modules)
make -j24
make install     #(depends on your distro)

#On Debian perhaps also run these:
export VER=`cat include/config/kernel.release`
depmod -a ${VER}
mkinitramfs -o /boot/initrd.img-$VER $VER
update-grub2  # (reboot and select kernel)

Good luck fighting your DDoS...
--Jesper

> On Tue, Mar 11, 2014 at 8:19 AM, Jesper Dangaard Brouer <netdev@xxxxxxxxxx> wrote:
> > On Tue, 11 Mar 2014 04:23:39 -0300
> > Thiago Oliveira <cpv.thiago@xxxxxxxxx> wrote:
> >
> >> I am looking to add protection to a firewall (IPTABLES based),
> >> specifically for SYN flood and DDoS attacks to start with and, to that
> >> end, was trawling through the archives of this mailing list and other
> >> places Google suggested I visit.
> >>
> >> Unfortunately, what I found suggests that there is some debate about
> >> how best to approach this.
> >> Specifically, many postings suggest using a 'limit' module or TCP flag
> >> combinations, but other postings say that such rules will not help and
> >> in fact may even themselves act as a kind of internal DoS!
> >
> > Yes, unfortunately many of the iptables modules with state have not
> > (yet) been optimized for parallel processing (this is work in progress;
> > at some point they will hopefully all scale and avoid serialization on
> > their internal state). Note, normal/simple iptables rules without
> > state are capable of parallel processing.
> >
> >
> >> So my question is, has there been a resolution to this case? Can I
> >> protect my Linux Firewall using IPTABLES?
> >
> > You are in luck. I recently gave a talk on the subject of using
> > iptables/netfilter to protect against SYN-flood DoS attacks. We have
> > recently developed a module called SYNPROXY that addresses this.
> >
> > YouTube videos:
> > https://www.youtube.com/watch?v=BklSqr9t4uA
> >
> > Slides:
> > http://people.netfilter.org/hawk/presentations/devconf2014/
> >
> > Script:
> > https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh
> >
> > And extra (not in slides) is that I recently optimized conntrack
> > new-and-del operations by implementing "parallel" locking. These
> > changes will appear in kernel 3.14.
> > http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/51681
> >
> > I would appreciate it if people can test these recent conntrack
> > optimizations; the kernel code is available in Pablo's nf-next tree:
> >
> > https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/
> >
> > I'm willing to help provide built kernels for your system, if you
> > can try/test these changes in production...
> >
> > --
> > Best regards,
> > Jesper Dangaard Brouer
> > MSc.CS, Sr. Network Kernel Developer at Red Hat
> > Author of http://www.iptv-analyzer.org
> > LinkedIn: http://www.linkedin.com/in/brouer

--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
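The pre-flight checks Jesper's answer implies, written out as an added example that is not part of the thread and is not Jesper's iptables_synproxy.sh: a POSIX sh script that compares the installed iptables and kernel versions against the thresholds stated in the thread (iptables 1.4.21, kernel 3.13) before emitting the three SYNPROXY rules visible in Thiago's error output, so that an old binary is refused up front instead of failing half-way through with "unknown option `--sack-perm'". The nf_conntrack_tcp_loose sysctl is an assumption taken from the SYNPROXY man page example rather than from the thread; the function names, the MIN_* constants and the --print/--apply interface are mine.

```shell
#!/bin/sh
# Added example, not from the thread and not Jesper's iptables_synproxy.sh.
# "unknown option `--sack-perm'" means the iptables binary predates the
# SYNPROXY extension; "No chain/target/match by that name" means the running
# kernel lacks the target (CONFIG_NETFILTER_XT_TARGET_SYNPROXY).  The minimum
# versions come from the thread; the tcp_loose sysctl is an assumption taken
# from the SYNPROXY man page example.

MIN_IPTABLES=1.4.21
MIN_KERNEL=3.13

# strip_version STR: print the leading dotted numeric version found in STR,
# e.g. "iptables v1.4.8" -> 1.4.8, "3.13.0-24-generic" -> 3.13.0
strip_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, comparing component by
# component as integers (so 1.4.21 > 1.4.8, which a string compare gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=""; else b=${b#*.}; fi
        ax=${ax:-0}; bx=${bx:-0}          # missing components count as 0
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
    done
    return 0
}

# check_iptables "OUTPUT OF iptables --version": succeed if new enough.
check_iptables() {
    version_ge "$(strip_version "$1")" "$MIN_IPTABLES"
}

# check_kernel "OUTPUT OF uname -r": succeed if new enough (version only; the
# definitive test is whether the xt_SYNPROXY target actually loads).
check_kernel() {
    version_ge "$(strip_version "$1")" "$MIN_KERNEL"
}

# synproxy_rules IFACE PORT: print the rule set for one listening port.
synproxy_rules() {
    iface=$1; port=$2; ipt=${IPTABLES_CMD:-iptables}
    cat <<EOF
# 1. No conntrack entry for incoming SYNs: a flood of spoofed SYNs must not
#    fill the conntrack table.
$ipt -t raw -I PREROUTING -i $iface -p tcp -m tcp --syn --dport $port -j CT --notrack
# 2. Untracked SYNs, and the INVALID ACKs that answer the proxy's SYN-ACK, go
#    to SYNPROXY, which replies with a SYN cookie and only opens the connection
#    towards the local stack once the client completes the handshake.
$ipt -A INPUT -i $iface -p tcp -m tcp --dport $port -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# 3. Everything else conntrack considers INVALID on that port is dropped.
$ipt -A INPUT -i $iface -p tcp -m tcp --dport $port -m state --state INVALID -j DROP
# Assumption (SYNPROXY man page, not the thread): conntrack must not pick up
# mid-stream packets, otherwise a bare ACK could bypass the proxy.
sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
EOF
}

case "${1:-}" in
    --print) synproxy_rules "${2:-eth0}" "${3:-80}" ;;
    --apply)
        check_iptables "$(${IPTABLES_CMD:-iptables} --version)" \
            || { echo "need iptables >= $MIN_IPTABLES" >&2; exit 1; }
        check_kernel "$(uname -r)" \
            || { echo "need kernel >= $MIN_KERNEL with SYNPROXY built" >&2; exit 1; }
        synproxy_rules "${2:-eth0}" "${3:-80}" | sh -e ;;
esac
```

`sh synproxy-check.sh --print eth0 80` shows the rules; `--apply` loads them only after both checks pass and stops at the first rule the kernel rejects. The TCP option values handed to SYNPROXY (wscale, mss, sack-perm, timestamp) are the ones from the thread and should be adjusted to match what the protected server really advertises, since the proxy answers the client before the server is involved.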