I need to use iptables to set a packet size limit on incoming connections on all ports (tcp and udp) so that packets do not exceed 1500 bytes. If this rule is violated, the IP that sent the packet is blocked. This is how I hope to protect myself from DDOS attacks.
Answer 1
This will do what you asked (change the interface name for your computer):
doug@s19:~/iptables/misc$ cat length-limit
#!/bin/sh
FWVER=0.01
#
# length-limit 2022.08.07 Ver:0.01
# test packet length syntax
# For a test.
# see also ask 1422353.
#
echo "length-limit packets. $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
# Set some stuff
# Adjust these values for your system.
#
EXTIF="br0"
UNIVERSE="0.0.0.0/0"
LAN="192.168.111.0/24"
# Clear old INPUT table rules
#
$IPTABLES -F INPUT
# Check the BAD GUY list for already banned IPs:
# Use a short timeout for testing, but suggest longer for real use.
# Consider using a bit mask here, as often bad guys just move to a different IP on the same subnet.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 30 --name BADGUY_LONG -j DROP
# Not sure the max payload length, but it is 16 bits, so try 65535.
# And if one tries 65536 the below error is generated:
# iptables v1.8.4 (nf_tables): length: bad value for option "--length" near "65536", or out of range (0-65535).
$IPTABLES -A INPUT -i $EXTIF -m length --length 1500:65535 -m recent --set --name BADGUY_LONG -j DROP
The result is:
doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 4498 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 30 hit_count: 1 name: BADGUY_LONG side: source mask: 255.255.255.255
1 1500 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 length 1500:65535 recent: SET name: BADGUY_LONG side: source mask: 255.255.255.255
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I tested it from another computer with:
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=1 ttl=64 time=0.545 ms
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=2 ttl=64 time=0.575 ms
--- s19.smythies.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.545/0.560/0.575/0.015 ms
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1472 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1472(1500) bytes of data.
--- s19.smythies.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1014ms
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
--- s19.smythies.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1028ms
doug@s15:~/diag/tcpdump/captures/035$ sleep 30
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=1 ttl=64 time=0.573 ms
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=2 ttl=64 time=0.529 ms
--- s19.smythies.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.529/0.551/0.573/0.022 ms
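The rules above populate an xt_recent list named BADGUY_LONG; the following is an added example (not part of the original answer) showing how to inspect that list from /proc and remove a single entry by hand. It assumes the kernel exposes the list at /proc/net/xt_recent/BADGUY_LONG (the module's default location); the sample lines embedded in make_sample are constructed for offline use.

```shell
#!/bin/sh
# Added example: inspect and maintain the xt_recent table that the
# "-m recent --name BADGUY_LONG" rules fill.
# Assumption: the live table is /proc/net/xt_recent/BADGUY_LONG and each
# entry has the form
#   src=192.168.111.135 ttl: 64 last_seen: 4294967 oldest_pkt: 1 4294967
# (last_seen/oldest_pkt are kernel jiffies, not wall-clock times).

# list_banned FILE
# Print "ip last_seen" for every entry in an xt_recent table file.
list_banned() {
    awk '/^src=/ { sub(/^src=/, "", $1); print $1, $5 }' "$1"
}

# count_banned FILE
# Number of addresses currently held in the table.
count_banned() {
    list_banned "$1" | wc -l | tr -d ' '
}

# unban IP [NAME]
# Remove one address from the live table (needs root). Writing "/" to the
# same file would flush the whole table instead.
unban() {
    echo "-$1" > "/proc/net/xt_recent/${2:-BADGUY_LONG}"
}

# make_sample FILE
# Constructed sample of the kernel file, for testing without root.
make_sample() {
    cat > "$1" <<'EOF'
src=192.168.111.135 ttl: 64 last_seen: 4294967 oldest_pkt: 1 4294967
src=203.0.113.7 ttl: 52 last_seen: 4295120 oldest_pkt: 2 4295100, 4295120
EOF
}
```

On a live system, `list_banned /proc/net/xt_recent/BADGUY_LONG` shows which sources the length rule has trapped, which is the quickest way to confirm the rule is catching what you expect and nothing else.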