I'm needing to install and configure IPTABLES to protect against DDOS attacks.
But I know nothing about IPTABLES, so I need help.
To install I do the following:
yum install iptables
Am I right?
Once installed, to check if it is correct, I do the following:
iptables
yum info iptables
Am I still right?
If installed correctly, I can create an "iptables-policy" file to configure IPTABLES, right?
So I copied a file that I found in a thread here on rAthena.
But I do not know if it is correct to work with the emulator, MySQL, phpMyAdmin, SSH, FTP and remote connection to the database (because my website is hosted on a server different than the emulator, and the website connects remotely to the emulator database).
The configuration file is as follows:
#!/bin/sh
IPT=/sbin/iptables
# flush the three built-in chains (-F flushes; lowercase -f means --fragment and is not a flush)
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
# loopback is always allowed
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# default policy: drop everything not explicitly allowed below
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward
# keep the current SSH session alive; SSH_CLIENT is only set when the script is run from an SSH login,
# so the rules are skipped when it is empty (otherwise "-s" would get no argument and iptables fails)
IPCLIENT=`echo $SSH_CLIENT | sed 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/'`
if [ -n "$IPCLIENT" ]; then
$IPT -A INPUT -s ${IPCLIENT} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -d ${IPCLIENT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
fi
# we add some SYN flood protection
# (these DROP rules come before the port rules below, so once the global limit is exceeded
# new connections to every service are dropped, not only those from the flooding host)
$IPT -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -p udp -m limit --limit 10/s -j ACCEPT
$IPT -A INPUT -p tcp --syn -j DROP
$IPT -A INPUT -p udp -j DROP
# we add some ping flood protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 4/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-reply -j DROP
# Allow incoming TCP port 22 (ssh) traffic
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS (client)
$IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web server (http, https)
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web Client
$IPT -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# FTP Server
$IPT -A INPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
# FTP Client
$IPT -A INPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# FTP passive ports (RELATED only matches them when the nf_conntrack_ftp / ip_conntrack_ftp module is loaded)
$IPT -A INPUT -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# auth
$IPT -A INPUT -p tcp --dport 113 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow Ragnarok Online (login, char and map server ports)
for PRT in 5121 6121 6900
do
$IPT -A INPUT -p tcp --dport $PRT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport $PRT -m state --state RELATED,ESTABLISHED -j ACCEPT
done
# Allow MySQL (remote website -> emulator database)
# the reply direction must match the server's source port 3306; with "--dport 3306" on OUTPUT
# the replies never match and remote MySQL connections hang
$IPT -A INPUT -p tcp --dport 3306 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 3306 -m state --state RELATED,ESTABLISHED -j ACCEPT
# (port 21 is already handled in the FTP sections above; these two rules are redundant)
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
After that, run this file:
chmod +x iptables-policy
./iptables-policy
Could someone please check if everything is correct for perfect operation? And if my website will not be blocked by flood?
Please, I really need to configure IPTABLES server protection. Any help will be greatly appreciated.
Att,
CaioVictor.
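An added example, not the poster's script or anything from rAthena: the same policy rewritten the way a firewall reviewer would suggest, with one stateful INPUT rule instead of a "--sport" mirror for every port, MySQL reachable only from the website's server (the post says that server is the only remote client), and a per-source SYN limit so a single flooding address does not throttle every player, as the global "-m limit" in the posted script does. WEB_HOST, DRY_RUN and the helper functions are assumptions of this example; the 192.0.2.10 address is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the poster's script: the same policy with one stateful
# rule, MySQL limited to the website's server, and a per-source SYN limit.
# WEB_HOST is a constructed placeholder address; set it to the real web server.
# DRY_RUN=1 prints the rules instead of applying them, so review them first.
WEB_HOST="${WEB_HOST:-192.0.2.10}"
IPT="${IPT:-/sbin/iptables}"
# ipt: run iptables, or only print the command when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}
apply_policy() {
    ipt -F INPUT; ipt -F OUTPUT; ipt -F FORWARD
    ipt -P INPUT DROP; ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT   # the host may start outbound connections (DNS, yum)
    ipt -A INPUT -i lo -j ACCEPT
    # one stateful rule replaces every per-port "--sport ... ESTABLISHED" mirror;
    # RELATED also covers FTP passive data once nf_conntrack_ftp is loaded
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # per-source SYN limit: the flooding address is dropped, other players are not
    # (a global "-m limit" as in the post throttles everyone once one host floods)
    ipt -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn \
        --hashlimit-mode srcip --hashlimit-above 30/s -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    # public services: ssh, http/https, ftp control
    for port in 22 80 443 21; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # rAthena login, char and map ports named in the post
    for port in 5121 6121 6900; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # MySQL: only the website's server may open a connection, not the Internet
    ipt -A INPUT -p tcp -s "$WEB_HOST" --dport 3306 -m state --state NEW -j ACCEPT
}
# dry_run_rules: the generated ruleset as text, for review or checks
dry_run_rules() {
    ( DRY_RUN=1; apply_policy )
}
# mysql_rule_count: rules opening port 3306 (expected: one, source-restricted)
mysql_rule_count() {
    dry_run_rules | grep -c -- '--dport 3306'
}
```

Run it with DRY_RUN=1 first to read the rules; after applying them for real, `iptables -L INPUT -n -v` lists the active rules with packet counters, which is the check that `yum info iptables` cannot give.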