{"id":20768026,"url":"https://github.com/spithash/iptables-kernel-ddos-protection","last_synced_at":"2026-04-28T09:35:14.122Z","repository":{"id":178239360,"uuid":"656354852","full_name":"spithash/iptables-kernel-ddos-protection","owner":"spithash","description":"Iptables \u0026 Kernel (sysctl) ddos protection rules","archived":false,"fork":false,"pushed_at":"2024-01-09T18:23:49.000Z","size":35,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-03T02:43:28.054Z","etag":null,"topics":["ddos-protection","iptables-rules","linux","sysctl"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spithash.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-20T19:27:32.000Z","updated_at":"2023-07-08T21:29:15.000Z","dependencies_parsed_at":"2024-01-09T18:55:52.786Z","dependency_job_id":"e2ad885e-b876-42e1-812c-b04a402a348e","html_url":"https://github.com/spithash/iptables-kernel-ddos-protection","commit_stats":null,"previous_names":["spithash/iptables-kernel-ddos-protection"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/spithash/iptables-kernel-ddos-protection","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fiptables-kernel-ddos-protection","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fiptables-kernel-ddos-protection/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s
pithash%2Fiptables-kernel-ddos-protection/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fiptables-kernel-ddos-protection/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spithash","download_url":"https://codeload.github.com/spithash/iptables-kernel-ddos-protection/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fiptables-kernel-ddos-protection/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32375612,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T09:24:15.638Z","status":"ssl_error","status_checked_at":"2026-04-28T09:24:15.071Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ddos-protection","iptables-rules","linux","sysctl"],"created_at":"2024-11-17T11:34:34.482Z","updated_at":"2026-04-28T09:35:14.106Z","avatar_url":"https://github.com/spithash.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# System Configuration and Security Settings\n\nThis repository contains configuration settings for enhancing system security and performance through sysctl and iptables rules. 
The provided settings are intended to be used in a Linux environment. Review every value against your kernel version and workload before applying it: several of the network settings favour throughput over robustness, and a few of the iptables rules drop legitimate traffic on some hosts (see the notes under the affected entries). The iptables rules are IPv4 only; without matching ip6tables rules, IPv6 traffic is not filtered at all.\n\n### Kernel Configuration (`/etc/sysctl.conf`)\n\nApply with `sysctl -p /etc/sysctl.conf` and read its output: a key the running kernel does not have (because `nf_conntrack` is not loaded yet, or because the key was removed upstream) is reported as an error and skipped, while the remaining lines are still applied.\n\n### Set kernel printk levels for console messages\n```\nkernel.printk = 4 4 1 7\n```\n### Set the kernel panic timeout in seconds (reboot automatically 10 seconds after a panic)\n```\nkernel.panic = 10\n```\n### Set the sysrq key functionality (0 = disabled)\n```\nkernel.sysrq = 0\n```\n### Set the maximum size of a shared memory segment (bytes)\n```\nkernel.shmmax = 4294967296\n```\n### Set the total amount of shared memory system-wide (pages)\n```\nkernel.shmall = 4194304\n```\n### Append the process ID to the core dump filename\n```\nkernel.core_uses_pid = 1\n```\n### Set the maximum total size of a message queue (bytes)\n```\nkernel.msgmnb = 65536\n```\n### Set the maximum size of a single message in a message queue (bytes)\n```\nkernel.msgmax = 65536\n```\n### Set the swappiness value for virtual memory management\n```\nvm.swappiness = 20\n```\n### Set the percentage of dirty memory at which a writing process is forced into synchronous writeback\n```\nvm.dirty_ratio = 80\n```\n### Set the percentage of dirty memory at which background writeback starts\n```\nvm.dirty_background_ratio = 5\n```\n### Set the maximum number of file handles the system can allocate\n```\nfs.file-max = 2097152\n```\n### Set the maximum number of packets queued per CPU in the network device backlog\n```\nnet.core.netdev_max_backlog = 262144\n```\n### Set the default receive socket buffer size (bytes)\n```\nnet.core.rmem_default = 31457280\n```\n### Set the maximum receive socket buffer size (bytes)\n```\nnet.core.rmem_max = 67108864\n```\n### Set the default send socket buffer size (bytes)\n```\nnet.core.wmem_default = 31457280\n```\n### Set the maximum send socket buffer size (bytes)\n```\nnet.core.wmem_max = 67108864\n```\n### Set the maximum number of pending connections in the listen queue (upper bound for the backlog passed to listen())\n```\nnet.core.somaxconn = 65535\n```\n### Set the maximum amount of ancillary (option) memory allowed per socket\n```\nnet.core.optmem_max = 25165824\n```\n### Set thresholds for neighbor (ARP) entry garbage collection\n```\nnet.ipv4.neigh.default.gc_thresh1 = 4096\nnet.ipv4.neigh.default.gc_thresh2 = 8192\nnet.ipv4.neigh.default.gc_thresh3 = 16384\n```\n### Set the interval for neighbor entry garbage collection (in seconds)\n```\nnet.ipv4.neigh.default.gc_interval = 5\n```\n### Set the time to consider a neighbor entry stale (in seconds)\n```\nnet.ipv4.neigh.default.gc_stale_time = 120\n```\n
### Set the maximum number of entries in the connection tracking table\nEach entry costs on the order of 300 bytes of kernel memory, so 10 million entries can pin about 3 GiB: size this to your RAM and traffic, and raise the hash table size (`nf_conntrack_buckets`, or the `hashsize` parameter of the `nf_conntrack` module) with it, otherwise lookups degrade into long bucket chains. The `net.netfilter.*` keys only exist once `nf_conntrack` is loaded.\n```\nnet.netfilter.nf_conntrack_max = 10000000\n```\n### Disable TCP loose mode in connection tracking\nWith loose mode off, conntrack does not pick up a TCP connection it did not see from the SYN (for example after a reboot or a failover); such packets are INVALID and are dropped by iptables rule 1 below.\n```\nnet.netfilter.nf_conntrack_tcp_loose = 0\n```\n### Set TCP conntrack timeouts (in seconds) for the established, close, close_wait, fin_wait, last_ack, syn_recv, syn_sent and time_wait states\n```\nnet.netfilter.nf_conntrack_tcp_timeout_established = 1800\nnet.netfilter.nf_conntrack_tcp_timeout_close = 10\nnet.netfilter.nf_conntrack_tcp_timeout_close_wait = 10\nnet.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20\nnet.netfilter.nf_conntrack_tcp_timeout_last_ack = 20\nnet.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20\nnet.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20\nnet.netfilter.nf_conntrack_tcp_timeout_time_wait = 10\n```\n### Disable slow start after idle for TCP\n```\nnet.ipv4.tcp_slow_start_after_idle = 0\n```\n### Set the local port range for ephemeral ports\n```\nnet.ipv4.ip_local_port_range = 1024 65000\n```\n### Disable Path MTU discovery (1 = disabled)\nWith discovery disabled the kernel sends without the DF bit, so oversized packets are fragmented in transit instead of being rejected; this relies on the peers accepting fragments, which this host itself does not do (see iptables rule 8).\n```\nnet.ipv4.ip_no_pmtu_disc = 1\n```\n### Flush the routing cache\nThis key is write-only: writing it flushes the cache once when the file is applied; it is not a persistent setting.\n```\nnet.ipv4.route.flush = 1\n```\n### Set the maximum size of the IPv4 routing cache (no effect on kernels since 3.6, which have no routing cache)\n```\nnet.ipv4.route.max_size = 8048576\n```\n### Ignore broadcast ICMP echo requests (Smurf amplification protection)\n```\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n```\n### Ignore bogus ICMP error responses\n```\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\n```\n### Set the TCP congestion control algorithm to htcp\nThe `tcp_htcp` module has to be available; check `net.ipv4.tcp_available_congestion_control` first, otherwise the line fails.\n```\nnet.ipv4.tcp_congestion_control = htcp\n```\n### Set memory thresholds for TCP and UDP (low, pressure, high; in pages, not bytes)\n```\nnet.ipv4.tcp_mem = 65536 131072 262144\nnet.ipv4.udp_mem = 65536 131072 262144\n```\n### Set receive buffer sizes for TCP (min, default, max in bytes) and the UDP minimum\n```\nnet.ipv4.tcp_rmem = 4096 87380 33554432\nnet.ipv4.udp_rmem_min = 16384\n```\n### Set send buffer sizes for TCP (min, default, max in bytes) and the UDP minimum\n```\nnet.ipv4.tcp_wmem = 4096 87380 33554432\nnet.ipv4.udp_wmem_min = 16384\n```\n### Set the maximum number of TIME-WAIT sockets in the system\n```\nnet.ipv4.tcp_max_tw_buckets = 1440000\n```\n### Disable TCP tw_recycle and enable TCP tw_reuse\n`tcp_tw_recycle` was removed in Linux 4.12 (it broke clients behind NAT); on newer kernels the line only produces an error and can be deleted. `tcp_tw_reuse` affects outgoing connections only and requires TCP timestamps (enabled below).\n```\nnet.ipv4.tcp_tw_recycle = 0\nnet.ipv4.tcp_tw_reuse = 1\n```\n
### Set the maximum number of orphaned sockets\n```\nnet.ipv4.tcp_max_orphans = 400000\n```\n### Enable TCP window scaling\n```\nnet.ipv4.tcp_window_scaling = 1\n```\n### Enable TCP RFC 1337 protection (ignore RST packets for sockets in TIME-WAIT)\n```\nnet.ipv4.tcp_rfc1337 = 1\n```\n### Enable TCP SYN cookies\nSYN cookies are only used once the SYN backlog overflows, so this works together with `tcp_max_syn_backlog` below.\n```\nnet.ipv4.tcp_syncookies = 1\n```\n### Set the number of SYN-ACK retransmissions before giving up on a half-open connection\nA low value frees half-open entries quickly during a SYN flood, at the price of connection setup failing sooner over lossy links.\n```\nnet.ipv4.tcp_synack_retries = 1\n```\n### Set the number of SYN retransmissions for outgoing connections before giving up\n```\nnet.ipv4.tcp_syn_retries = 2\n```\n### Set the maximum number of pending SYN requests in the backlog\n```\nnet.ipv4.tcp_max_syn_backlog = 16384\n```\n### Enable TCP timestamps (also needed by tcp_tw_reuse)\n```\nnet.ipv4.tcp_timestamps = 1\n```\n### Enable TCP selective acknowledgment\n```\nnet.ipv4.tcp_sack = 1\n```\n### Enable TCP Forward Acknowledgment (legacy; has no effect since Linux 4.15)\n```\nnet.ipv4.tcp_fack = 1\n```\n### Set the TCP ECN (Explicit Congestion Notification) mode (2 = accept ECN when the peer requests it but do not request it on outgoing connections; 1 would request it too)\n```\nnet.ipv4.tcp_ecn = 2\n```\n### Set the timeout for the TCP FIN-WAIT-2 state (in seconds)\n```\nnet.ipv4.tcp_fin_timeout = 10\n```\n### Set the idle time before sending a TCP keepalive probe (in seconds)\n```\nnet.ipv4.tcp_keepalive_time = 600\n```\n### Set the interval between TCP keepalive probes (in seconds)\n```\nnet.ipv4.tcp_keepalive_intvl = 60\n```\n### Set the number of TCP keepalive probes before considering the connection dead\n```\nnet.ipv4.tcp_keepalive_probes = 10\n```\n### Disable saving metrics for TCP connections\n```\nnet.ipv4.tcp_no_metrics_save = 1\n```\n### Enable or disable IP forwarding (0 = disabled)\n### Note: If using Docker, you may need to enable IP forwarding to avoid warnings during container creation\n```\nnet.ipv4.ip_forward = 0\n```\n### Disable ICMP redirect acceptance\n```\nnet.ipv4.conf.all.accept_redirects = 0\n```\n### Disable sending ICMP redirects\n```\nnet.ipv4.conf.all.send_redirects = 0\n```\n### Disable source routing\n```\nnet.ipv4.conf.all.accept_source_route = 0\n```\n### Enable strict reverse path filtering\nStrict mode (1) drops packets arriving on an interface the kernel would not use to reach their source address; on multi-homed hosts with asymmetric routing use loose mode (2) instead.\n```\nnet.ipv4.conf.all.rp_filter = 1\n```\n
# iptables Settings\n\nThe rules below go into the mangle table's PREROUTING chain, which is evaluated after connection tracking (so `--ctstate` matches work there) and before the filter table, so dropping there is cheap. They are added with `-A`, so running the list twice installs every rule twice: run it once, or load the rules through `iptables-restore`. Rules 1 to 3 and 7 need the `nf_conntrack` module. These are IPv4 rules; add the `ip6tables` equivalents if the host has IPv6 connectivity.\n\n### 1: Drop invalid packets ###\n### Drop incoming packets with INVALID connection tracking state\n```\niptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP\n```\n### 2: Drop TCP packets that are new and are not SYN ###\n### Drop incoming non-SYN TCP packets in NEW connection state\n```\niptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP\n```\n### 3: Drop SYN packets with suspicious MSS value ###\n### Drop incoming TCP packets in NEW connection state whose MSS option is below 536, the RFC 1122 default; such SYNs are used to force the host into sending many tiny segments\n```\niptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP\n```\n### 4: Block packets with bogus TCP flags ###\n### Drop incoming TCP packets with flag combinations that never occur in a legitimate connection\n```\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP\n```\n### 5: Block spoofed packets ###\n### Drop incoming packets with source addresses that should never appear on a public interface. Adjust these if you're running Docker containers or actually use the ranges below.\nThese rules match on every interface. On a host that also has a private or internal interface (cloud VPC, Docker bridge, VPN), the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 rules drop its legitimate traffic; restrict them to the public interface with `-i`. The 169.254.0.0/16 rule also blocks replies from cloud metadata services at 169.254.169.254, and 240.0.0.0/5 is already covered by 224.0.0.0/3.\n```\niptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP\niptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP\niptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP\niptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP\niptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP\niptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP\niptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP\niptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP\niptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP\n```\n### 6: Drop ICMP (you usually don't need this protocol) ###\n### Drop incoming ICMP packets\nThis also drops ICMP type 3 code 4 (fragmentation needed), without which Path MTU discovery (off with the sysctl above, but on by default) cannot work, and it makes the host invisible to ping and traceroute. Rate-limiting echo requests and allowing destination-unreachable messages is the usual compromise.\n```\niptables -t mangle -A PREROUTING -p icmp -j DROP\n```\n### 7: Limit connections per source IP (80 in our case, you can adjust that value to your needs) ###\n### Reject incoming TCP connections if the number of connections from one source exceeds the limit\nThis rule lives in the filter table and matches every TCP packet, not only new connections: once a source is above the limit, packets on its existing connections are reset as well. Add `--syn` to reset only new connection attempts. The limit is per source address (`--connlimit-mask 32` by default), so users behind one NAT gateway share it.\n```\niptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset\n```\n### 8: Drop fragments in all chains ###\n### Drop incoming fragmented packets\n`-f` matches the second and subsequent fragments only. When `nf_conntrack` is loaded (as rules 1 to 3 and 7 require), IPv4 packets are reassembled before any iptables chain sees them, so this rule matches nothing in practice; fragments that cannot be reassembled are dropped as INVALID by rule 1.\n```\niptables -t mangle -A PREROUTING -f -j DROP\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspithash%2Fiptables-kernel-ddos-protection","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspithash%2Fiptables-kernel-ddos-protection","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspithash%2Fiptables-kernel-ddos-protection/lists"}
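A pre-flight check for the kernel configuration section of the README, added here as an example; it is not part of the repository. It dry-runs a sysctl.conf fragment against the running kernel: every key that does not exist under `/proc/sys` is reported (those lines fail under `sysctl -p`, for instance `net.ipv4.tcp_tw_recycle` on 4.12 and later, or the `net.netfilter.*` keys before `nf_conntrack` is loaded), and keys that exist are compared with their current value so you see what would actually change. The script name, the `sysctl_preflight` function and its optional second argument (an alternative root in place of `/proc/sys`, so the check can be run against a copied tree) are my choices.

```shell
#!/bin/sh
# sysctl_preflight CONF [PROCSYS]
#   Dry-run a sysctl.conf fragment against the kernel's /proc/sys tree
#   (or another root, for testing) without writing anything.
#   Output, one line per key:
#     MISSING <key>                       key does not exist on this kernel
#     UNREADABLE <key>                    key exists but cannot be read (write-only or no permission)
#     CHANGE <key> <current> -> <wanted>  value differs from the requested one
#     OK <key>                            already at the requested value
#   Return value: number of MISSING keys, so 0 means `sysctl -p` will not error.

# collapse tabs/newlines and runs of spaces to single spaces, strip the ends
# (/proc/sys separates multi-value keys such as kernel.printk with tabs)
norm() {
    printf '%s' "$1" | tr '\t\r\n' '   ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

sysctl_preflight() {
    conf=$1
    procsys=${2:-/proc/sys}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        case $line in *=*) ;; *) continue ;; esac      # skip blank / malformed lines
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        path="$procsys/$(printf '%s' "$key" | tr . /)" # dots become directories
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$key"
            missing=$((missing + 1))
            continue
        fi
        if ! have=$(cat "$path" 2>/dev/null); then
            printf 'UNREADABLE %s\n' "$key"
            continue
        fi
        have=$(norm "$have")
        if [ "$have" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'CHANGE %s %s -> %s\n' "$key" "$have" "$want"
        fi
    done < "$conf"
    return "$missing"
}

# run directly:  sh sysctl_preflight.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    sysctl_preflight "$@"
fi
```

Run it as root if the fragment contains write-only keys such as `net.ipv4.route.flush`; as an unprivileged user those show up as UNREADABLE rather than MISSING, which is still enough to tell a typo from a permission problem.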
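An idempotent loader for the iptables section of the README, added here as an example; it is not the repository's own script. It installs the same checks into a dedicated mangle chain that is rebuilt on every run (so re-running never duplicates rules) and applies the caveats noted under rules 5 to 8: the spoofed-source drops are bound to the public interface, the cloud metadata address is exempted, ICMP keeps what Path MTU discovery needs plus rate-limited pings, the connection limit only resets new SYNs, and the `-f` rule is left out because conntrack reassembles packets before iptables sees them. The chain name `DDOS_PREROUTING`, the interface argument, the 169.254.169.254 exemption, the ICMP rate and the 80-connection limit are my choices.

```shell
#!/bin/sh
# Idempotent loader for the README's mangle-table rules plus the filter-table connection limit.
#   sh ddos_rules.sh print eth0   -> show the rule bodies that would be installed
#   sh ddos_rules.sh apply eth0   -> install them (needs root, iptables >= 1.4.11 for -C, nf_conntrack)

CHAIN=DDOS_PREROUTING
CONN_LIMIT=80

# Print the rule bodies (everything after "-A $CHAIN"), one per line, in evaluation order.
# RETURN leaves this chain and lets the packet continue through PREROUTING and the filter table.
ddos_rules() {
    pubif=${1:?public interface name required}
    # 1-3: conntrack sanity checks (mangle PREROUTING runs after conntrack, so the state is known)
    cat <<EOF
-m conntrack --ctstate INVALID -j DROP
-p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
EOF
    # 4: flag combinations that no legitimate TCP stack sends
    cat <<EOF
-p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-p tcp --tcp-flags FIN,ACK FIN -j DROP
-p tcp --tcp-flags ACK,URG URG -j DROP
-p tcp --tcp-flags ACK,PSH PSH -j DROP
-p tcp --tcp-flags ALL NONE -j DROP
EOF
    # 5: sources that must never arrive on the public interface; the metadata service is
    #    exempted first so cloud hosts keep working. 240/5 is inside 224/3 and 127/8 cannot
    #    come from the public interface anyway, so neither needs a rule of its own.
    cat <<EOF
-i $pubif -s 169.254.169.254 -j RETURN
-i $pubif -s 224.0.0.0/3 -j DROP
-i $pubif -s 169.254.0.0/16 -j DROP
-i $pubif -s 172.16.0.0/12 -j DROP
-i $pubif -s 192.0.2.0/24 -j DROP
-i $pubif -s 192.168.0.0/16 -j DROP
-i $pubif -s 10.0.0.0/8 -j DROP
-i $pubif -s 0.0.0.0/8 -j DROP
-i $pubif -s 127.0.0.0/8 -j DROP
EOF
    # 6: ICMP, keeping 'fragmentation needed' (PMTU discovery) and a trickle of echo requests
    cat <<EOF
-p icmp --icmp-type fragmentation-needed -j RETURN
-p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j RETURN
-p icmp -j DROP
EOF
}

ddos_apply() {
    pubif=$1
    iptables -t mangle -N "$CHAIN" 2>/dev/null || true           # create the chain once
    iptables -t mangle -C PREROUTING -j "$CHAIN" 2>/dev/null \
        || iptables -t mangle -I PREROUTING 1 -j "$CHAIN"         # hook it once
    iptables -t mangle -F "$CHAIN"                                 # then rebuild it from scratch
    ddos_rules "$pubif" | while read -r rule; do
        # shellcheck disable=SC2086 -- word splitting of $rule is intended
        iptables -t mangle -A "$CHAIN" $rule
    done
    # 7: per-source connection limit in the filter table; --syn so only new attempts are reset
    limit="-p tcp --syn -m connlimit --connlimit-above $CONN_LIMIT --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # shellcheck disable=SC2086
    iptables -C INPUT $limit 2>/dev/null || iptables -I INPUT 1 $limit
}

case ${1:-} in
    print) ddos_rules "$2" ;;
    apply) ddos_apply "$2" ;;
esac
```

`print` is safe to run anywhere and is what to diff against `iptables -t mangle -S DDOS_PREROUTING` after `apply`; the chain is ordered so that the RETURN exemptions sit directly above the DROP they carve out of.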