On Tue, 5 Jul 2016 06:53:07 +0000 (UTC) Josh Day <conna666@xxxxxxxxx> wrote:

> I'm curious if any of you has read this article
> https://javapipe.com/iptables-ddos-protection and tried any of the
> rules/settings. I read it today but I'm not sure what to make of it, so
> thought you guys could maybe share your opinion.

The *first* rule in PREROUTING should drop INVALID packets (the rule should use '-I PREROUTING'). It makes no sense to waste one extra CPU cycle processing them. This should be standard on all firewalls.

In TCP, I think only a SYN packet can be NEW; all other TCP packets for non-established (or maybe non-seen) conns are supposed to be INVALID because they cannot be matched to a tracked conn.

Dropping all ICMP packets is wrong; ICMP is required for TCP/IP to work properly. And to drop only ICMP ECHO packets, it's better to use the kernel function that does that earlier: "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all".

The rules to drop private, documentation, LL and mcast addresses are too inclusive as written. That is, they drop such packets from all interfaces; they should only drop packets from the internet-facing interface(s). Only the rule that handles 127/8 is reasonably right.

N

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
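An added example, not part of the thread above: a small linter that reads an iptables-save style dump and reports the three problems the reply raises (INVALID not dropped first in PREROUTING, a blanket ICMP drop, and private/documentation/link-local/multicast source drops not bound to an interface). The sample dump and the list of address ranges are constructed here; the ranges are my reading of the categories the reply names.

```python
"""Lint a PREROUTING chain for the issues discussed in the netfilter reply."""
import ipaddress
import re
from typing import List

# Constructed sample dump: each of the three problems is present once.
SAMPLE_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p icmp -j DROP
COMMIT
"""

# Ranges that should only be dropped on the internet-facing interface
# (RFC1918 private, link-local, documentation, multicast). Assumed list.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4")]


def _is_bogon_source(cidr: str) -> bool:
    """True if the -s argument lies inside one of the listed ranges."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.version == n.version and src.subnet_of(n) for n in BOGON_NETS)


def lint_prerouting(dump: str) -> List[str]:
    """Return findings for the PREROUTING chain; an empty list means clean."""
    rules = [l for l in dump.splitlines() if l.startswith("-A PREROUTING")]
    findings = []
    # 1. The first rule in the chain should be the INVALID drop.
    if not rules or "--ctstate INVALID" not in rules[0]:
        findings.append("INVALID drop is not the first PREROUTING rule")
    for rule in rules:
        # 2. A DROP on all ICMP (no --icmp-type restriction) breaks TCP/IP.
        if (re.search(r"-p icmp\b", rule) and "--icmp-type" not in rule
                and rule.rstrip().endswith("-j DROP")):
            findings.append("blanket ICMP drop: " + rule)
        # 3. Bogon-source drops must carry -i <wan interface>.
        m = re.search(r"-s (\S+)", rule)
        if m and _is_bogon_source(m.group(1)) and " -i " not in rule:
            findings.append("bogon drop not bound to an interface: " + rule)
    return findings


if __name__ == "__main__":
    for finding in lint_prerouting(SAMPLE_RULES):
        print(finding)
```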