https://github.com/spithash/iptables-kernel-ddos-protection

Iptables & Kernel (sysctl) ddos protection rules
https://github.com/spithash/iptables-kernel-ddos-protection

ddos-protection iptables-rules linux sysctl

Last synced: 3 months ago
JSON representation

Iptables & Kernel (sysctl) ddos protection rules

Host: GitHub
URL: https://github.com/spithash/iptables-kernel-ddos-protection
Owner: spithash
License: gpl-3.0
Created: 2023-06-20T19:27:32.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2024-01-09T18:23:49.000Z (over 1 year ago)
Last Synced: 2025-03-11T19:34:37.116Z (7 months ago)
Topics: ddos-protection, iptables-rules, linux, sysctl
Language: Shell
Homepage:
Size: 34.2 KB
Stars: 0
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# System Configuration and Security Settings

This repository contains configuration settings for enhancing system security and performance through sysctl and iptables rules. The provided settings are intended to be used in a Linux environment.

### Kernel Configuration (`/etc/sysctl.conf`)

## Set kernel printk levels for console messages
```
kernel.printk = 4 4 1 7
```
### Set the kernel panic timeout in seconds
```
kernel.panic = 10
```
### Set the sysrq key functionality (0 = disabled)
```
kernel.sysrq = 0
```
### Set the maximum size of a shared memory segment
```
kernel.shmmax = 4294967296
```
### Set the total amount of shared memory pages system-wide
```
kernel.shmall = 4194304
```
### Use process ID as the core dump filename
```
kernel.core_uses_pid = 1
```
### Set the maximum number of message bytes in a message queue
```
kernel.msgmnb = 65536
```
### Set the maximum size of a message in a message queue
```
kernel.msgmax = 65536
```
### Set the swappiness value for virtual memory management
```
vm.swappiness = 20
```
### Set the dirty ratio threshold for background writeback
```
vm.dirty_ratio = 80
```
### Set the dirty ratio threshold for triggering background writeback
```
vm.dirty_background_ratio = 5
```
### Set the maximum number of file handles the system can allocate
```
fs.file-max = 2097152
```
### Set the maximum number of packets in the network device backlog
```
net.core.netdev_max_backlog = 262144
```
### Set the default receive socket buffer size
```
net.core.rmem_default = 31457280
```
### Set the maximum receive socket buffer size
```
net.core.rmem_max = 67108864
```
### Set the default send socket buffer size
```
net.core.wmem_default = 31457280
```
### Set the maximum send socket buffer size
```
net.core.wmem_max = 67108864
```
### Set the maximum number of pending connections in the listen queue
```
net.core.somaxconn = 65535
```
### Set the maximum amount of option memory allowed per socket
```
net.core.optmem_max = 25165824
```
### Set thresholds for neighbor entry garbage collection
```
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 16384
```
### Set the interval for neighbor entry garbage collection (in seconds)
```
net.ipv4.neigh.default.gc_interval = 5
```
### Set the time to consider a neighbor entry stale (in seconds)
```
net.ipv4.neigh.default.gc_stale_time = 120
```
### Set the maximum number of entries in the connection tracking table
```
net.netfilter.nf_conntrack_max = 10000000
```
### Disable TCP loose mode in connection tracking
```
net.netfilter.nf_conntrack_tcp_loose = 0
```
### Set TCP timeout values for established, close, close_wait, fin_wait connections
```
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
```
### Disable slow start after idle for TCP
```
net.ipv4.tcp_slow_start_after_idle = 0
```
### Set the local port range for ephemeral ports
```
net.ipv4.ip_local_port_range = 1024 65000
```
### Enable or disable PMTU discovery (1 = disabled)
```
net.ipv4.ip_no_pmtu_disc = 1
```
### Flush routing tables on interface add/removal
```
net.ipv4.route.flush = 1
```
### Set the maximum size of the IPv4 routing table
```
net.ipv4.route.max_size = 8048576
```
### Ignore broadcast ICMP echo requests
```
net.ipv4.icmp_echo_ignore_broadcasts = 1
```
### Ignore bogus ICMP error responses
```
net.ipv4.icmp_ignore_bogus_error_responses = 1
```
### Set the TCP congestion control algorithm to htcp
```
net.ipv4.tcp_congestion_control = htcp
```
### Set memory thresholds for TCP and UDP
```
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
```
### Set receive buffer sizes for TCP and UDP
```
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.udp_rmem_min = 16384
```
### Set send buffer sizes for TCP and UDP
```
net.ipv4.tcp_wmem = 4096 87380 33554432
net.ipv4.udp_wmem_min = 16384
```
### Set the maximum number of TIME-WAIT sockets in the system
```
net.ipv4.tcp_max_tw_buckets = 1440000
```
### Disable TCP tw_recycle and enable TCP tw_reuse
```
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
```
### Set the maximum number of orphaned sockets
```
net.ipv4.tcp_max_orphans = 400000
```
### Enable TCP window scaling
```
net.ipv4.tcp_window_scaling = 1
```
### Enable TCP RFC 1337 protection
```
net.ipv4.tcp_rfc1337 = 1
```
### Enable TCP SYN cookies
```
net.ipv4.tcp_syncookies = 1
```
### Set the number of retries for SYN-ACK before giving up
```
net.ipv4.tcp_synack_retries = 1
```
### Set the number of retries for SYN before giving up
```
net.ipv4.tcp_syn_retries = 2
```
### Set the maximum number of pending SYN requests in the backlog
```
net.ipv4.tcp_max_syn_backlog = 16384
```
### Enable TCP timestamps
```
net.ipv4.tcp_timestamps = 1
```
### Enable TCP selective acknowledgment
```
net.ipv4.tcp_sack = 1
```
### Enable TCP Forward Acknowledgment
```
net.ipv4.tcp_fack = 1
```
### Set TCP ECN (Explicit Congestion Notification) mode (2 = enabled)
```
net.ipv4.tcp_ecn = 2
```
### Set the timeout for TCP FIN-WAIT-2 state
```
net.ipv4.tcp_fin_timeout = 10
```
### Set the idle time before sending a TCP keepalive probe
```
net.ipv4.tcp_keepalive_time = 600
```
### Set the interval between TCP keepalive probes
```
net.ipv4.tcp_keepalive_intvl = 60
```
### Set the number of TCP keepalive probes before considering the connection dead
```
net.ipv4.tcp_keepalive_probes = 10
```
### Disable saving metrics for TCP connections
```
net.ipv4.tcp_no_metrics_save = 1
```
### Enable or disable IP forwarding (0 = disabled)
### Note: If using Docker, you may need to enable IP forwarding to avoid warnings during container creation
```
net.ipv4.ip_forward = 0
```
### Disable ICMP redirect acceptance
```
net.ipv4.conf.all.accept_redirects = 0
```
### Disable sending ICMP redirects
```
net.ipv4.conf.all.send_redirects = 0
```
### Disable source routing
```
net.ipv4.conf.all.accept_source_route = 0
```
### Enable reverse path filtering
```
net.ipv4.conf.all.rp_filter = 1
```
# iptables Settings

### 1: Drop invalid packets ###
### Drop incoming packets with INVALID connection tracking state
```
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
```
### 2: Drop TCP packets that are new and are not SYN ###
### Drop incoming non-SYN TCP packets in NEW connection state
```
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
```
### 3: Drop SYN packets with suspicious MSS value ###
### Drop incoming TCP packets in NEW connection state with TCPMSS values outside the specified range
```
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
```
### 4: Block packets with bogus TCP flags ###
### Drop incoming TCP packets with specific TCP flags combinations
```
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
```
### 5: Block spoofed packets ###
### Drop incoming packets from specific address ranges. You might want to adjust these if you're running Docker containers or you are actually using the below ip ranges.
```
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
```
### 6: Drop ICMP (you usually don't need this protocol) ###
### Drop incoming ICMP packets
```
iptables -t mangle -A PREROUTING -p icmp -j DROP
```
### 7: Limit connections per source IP (80 in our case, you can adjust that value to your needs) ###
### Reject incoming TCP connections if the number of connections exceeds the limit
```
iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
```
### 8: Drop fragments in all chains ###
### Drop incoming fragmented packets
```
iptables -t mangle -A PREROUTING -f -j DROP

```

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/spithash/iptables-kernel-ddos-protection

Awesome Lists containing this project

README