答案说我应该像这样设置规则:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
然后开始添加其余部分,如下所示:
# Dynamic Badguy List. Detect and DROP Bad IPs that try to access port 20000.
# Once they are on the BADGUY list then DROP all packets from them.
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j LOG --log-prefix "Port 20000 BAD:" --log-level info
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 20000 -m recent --set --name BADGUY -j ACCEPT
我确实这样做了,但有些 IP 仍然可以每个 IP 打开 100 多个连接,那么限制 IP 连接的正确方法是什么?
其中我们特别感兴趣的是:
tcp 0 75981 45.233.22.66:22 77.101.61.108:49746 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49866 ESTABLISHED
tcp 0 106643 45.233.22.66:22 77.101.61.108:49662 ESTABLISHED
tcp 0 75826 45.233.22.66:22 77.101.61.108:49727 ESTABLISHED
tcp 97 0 45.233.22.66:22 77.101.61.108:50448 CLOSE_WAIT
tcp 0 105924 45.233.22.66:22 77.101.61.108:49798 ESTABLISHED
tcp 0 77441 45.233.22.66:22 77.101.61.108:49852 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49813 ESTABLISHED
tcp 0 75223 45.233.22.66:22 77.101.61.108:49655 ESTABLISHED
和
tcp 0 73838 45.233.22.66:22 212.252.97.90:24457 ESTABLISHED
tcp 0 73502 45.233.22.66:22 212.252.97.90:24101 ESTABLISHED
tcp 0 74848 45.233.22.66:22 212.252.97.90:24397 ESTABLISHED
tcp 0 70703 45.233.22.66:22 212.252.97.90:24315 ESTABLISHED
tcp 0 70620 45.233.22.66:22 212.252.97.90:24292 ESTABLISHED
tcp 0 73501 45.233.22.66:22 212.252.97.90:24362 ESTABLISHED
tcp 0 73500 45.233.22.66:22 212.252.97.90:24122 ESTABLISHED
这似乎比命中计数规则所允许的连接数要多。
这是 iptable vxnl
Chain INPUT (policy ACCEPT 35537 packets, 4077701 bytes)
pkts bytes target prot opt in out source destination
1939108 97521172 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 2 reject-with tcp-reset
1112785 217196313 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
69985 3510824 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "Port 22 BAD:"
69985 3510824 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255
217171 11052690 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 recent: SET name: BADGUY side: source mask: 255.255.255.255
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3258297 packets, 496362303 bytes)
pkts bytes target prot opt in out source destination
答案1
针对您的恶性 DDOS 攻击,建议使用以下脚本来制定 iptables 规则集解决方案:
#!/bin/sh
FWVER=0.01
#
# Vlark.Lopin rule set. Smythies 2016.09.18 Ver:0.01
# Attempt to manage severe DDOS attack.
# Port 20000 should only ever have 2 open
# connections at a time. If more, ban them.
#
# If too many SSH attempts, ban them.
# DROP all other unsolicited input.
# If ssh port has been moved, adjust rules
# accordingly.
#
# Requires a larger (1000) than default (100)
# xt_recent table size.
#
# See also:
# http://askubuntu.com/questions/818524/correctly-limit-ip-connections
# http://askubuntu.com/questions/808297/i-have-massive-attack-on-port-in-my-server
# http://askubuntu.com/questions/817478/ip-tables-limit-connetion-per-ip-address-can-be-bypassed
#
# run as sudo
#
echo "Loading Vlark.Lopin rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Vlark.Lopin
EXTIF="eth0"
# Doug
#EXTIF="enp9s0"
UNIVERSE="0.0.0.0/0"
#Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F add-to-connlimit-list
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# We want to force load the xt_recent module, so that we override the
# default maximum table size. We want 1000 whereas the default is 100.
# Note: It is unlikely that is needs to be 1000 forever. Once the
# bad guys give up, the attempts will become much less frequent, and
# the table size can probably be reduced to default.
# i.e. this force load segment can be commented out, and then it will
# autoload as required.
#
modprobe xt_recent ip_list_tot=1000
#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# add-to-connlimit-list
# To many connections from an IP address has been detected.
# Add the IP address to the bad guy list, and DROP the packet.
# If desired, comment out the log rule.
$IPTABLES -N add-to-connlimit-list
#$IPTABLES -A add-to-connlimit-list -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -m recent --set --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -j LOG --log-prefix "CONNLIMIT_ADD:" --log-level info
$IPTABLES -A add-to-connlimit-list -j DROP
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
# More importantly, this check might prevent lingering packets from
# a forgotten legitimite connection from getting a valid user on the
# bad guy list
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
# Not sure if this one is needed or not
#
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j LOG --log-prefix "IINVALID:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP
# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT
# external interface, from any source, for any remaining ICMP traffic is valid
# Note: consider to not allow, as this is often how bad guys find you
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j ACCEPT
# Secure Shell on port 22 (Change to whatever port you moved SSH to).
#
# Sometimes I uncomment the next line to simply disable external SSH access.
# Particulalry useful when I am rebooting often, thereby losing my current BADGUY table.
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 22 -j DROP
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
# Port 20000. Limit to 2 connections per IP address.
# Otherwise ban them.
# Note: The logging is useful for debugging, but might overwhelm the log files. Comment out the logging rule as required.
#
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN -j LOG --log-prefix "CONNLIMIT:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -p tcp --dport 20000 -m connlimit --connlimit-above 2 -j add-to-connlimit-list
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 20000 -j ACCEPT
# port 4 is needed. (Consider doing it the same as the SSH port).
# If UDP is needed, then add it.
#
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 4 -j ACCEPT
# O.K. at this point, we will DROP the packet, however some will be dropped without logging just to make the log file
# less cluttered.
#
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 33434 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j DROP
# If your log file is too cluttered, consdier to comment out this log rule.
# It is useful for debugging, but might overwhlem your log files.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j LOG --log-prefix "ICATCH:" --log-level info
# With a default policy of DROP, the following rule isn't actually neeeded.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo Vlark.Lopin rule set version $FWVER done.
调试完此脚本后,如果您想在启动时自动加载它,请在文件中添加一个预先指令/etc/network/intefaces
。以下是我的文件作为示例:
# interfaces file for smythies.com 2016.01.30
# attempt to set local DNS herein, as the method
# used with the old 12.04 server no longer works.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
pre-up /home/doug/init/doug_firewall
dns-nameservers 127.0.0.1
# The primary interface (d-link PCI card)
auto enp4s0
iface enp4s0 inet dhcp
# Local network interface (uses built in ethernet port)
auto enp2s0
iface enp2s0 inet static
address 192.168.111.1
network 192.168.111.0
netmask 255.255.255.0
broadcast 192.168.111.255
我的脚本文件的权限是:
$ ls -l /home/doug/init/doug_firewall
-rwxr-xr-x 1 doug doug 61703 Aug 27 15:55 /home/doug/init/doug_firewall
或 755。