IPTables Configuration for DDoS Protection

Knowledge base article, published 2019-11-26: https://support.aklwebhost.com/knowledgebase/iptables-configuration-for-ddos-protection/

The following IPTables configuration will help with traffic that the DDoS filters in front of the server cannot fully mitigate.

Note: this is a generic ruleset and should be expanded to suit your specific application. A few things to know before pasting it in: it only adds DROP and REJECT rules, so it assumes your INPUT policy is ACCEPT and is meant to sit in front of your normal allow-list firewall, not replace it. It is IPv4 only; without equivalent ip6tables rules the host stays unfiltered over IPv6. The rules in the mangle PREROUTING chain run before the routing decision, which makes them cheap and also means they apply to forwarded traffic, and every -m conntrack match needs the nf_conntrack module loaded. Finally, rules added with iptables -A are lost at reboot; save them with iptables-save or your distribution's persistence service once they are tested.

### IP Tables DDOS Protection Rules ###

### 1: Drop invalid packets ###

/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

Every rule that uses -m conntrack depends on the connection-tracking table. Under a large flood that table can fill up (nf_conntrack_max), and the kernel then drops new packets regardless of what these rules say; rule 11 (SYNPROXY with --notrack) exists for that case, but note that it is incompatible with this rule.

### 2: Drop TCP packets that are new and are not SYN ###

/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP


### 3: Drop SYN packets with suspicious MSS value ###

/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

Flood tools often send SYNs with a tiny or absent MSS option, which no real operating system does. Note that the tcpmss match fails for a SYN that carries no MSS option at all, so with the ! inversion such packets are dropped as well.


### 4: Block packets with bogus TCP flags ###

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

--tcp-flags MASK COMP looks only at the flags listed in MASK and requires exactly the set COMP among them; flags outside MASK are ignored. So "FIN,ACK FIN" drops a FIN without an ACK (never legitimate), while a normal FIN/ACK passes. This widely copied list is correct but not minimal: lines 4 and 8 repeat lines 2 and 6 with the flag names in a different order, and each of the five ALL rules describes a single flag combination that an earlier line already catches, so half of the list never matches anything.
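As an added example (this is not code from the original article or from the iptables project), the following Python models how the --tcp-flags MASK COMP match is evaluated and runs the fourteen rules above, in order, against every one of the 64 possible flag combinations. It shows which everyday segments get through step 4 (SYN, SYN/ACK, ACK, FIN/ACK, RST) and which are dropped, and it computes which lines can never be the first match.

```python
"""Model of the iptables '--tcp-flags MASK COMP' match, applied to the
fourteen bogus-flag rules of step 4 in the order they are appended.

Added example for this page; it is not code from the original article
or from the iptables project.  It reimplements only the match logic
(mask the header flags, compare with COMP) so the rule list can be
checked offline.
"""
from typing import Dict, List, Optional, Set, Tuple

# TCP header flag bits (low six bits of the flags byte).
FLAG_BITS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
    "ALL": 0x3F, "NONE": 0x00,          # iptables shorthands
}


def flag_bits(spec: str) -> int:
    """Turn an iptables flag list such as 'FIN,SYN' or 'ALL' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]
    return bits


def tcp_flags_match(packet_flags: int, mask: str, comp: str) -> bool:
    """--tcp-flags semantics: look only at the bits in MASK and require
    them to equal COMP exactly; bits outside MASK are ignored."""
    return (packet_flags & flag_bits(mask)) == flag_bits(comp)


# (MASK, COMP) pairs copied from the step 4 rules, in rule order.
BOGUS_FLAG_RULES: List[Tuple[str, str]] = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    ("FIN,SYN", "FIN,SYN"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
    ("FIN,RST", "FIN,RST"),
    ("FIN,ACK", "FIN"),
    ("ACK,URG", "URG"),
    ("ACK,FIN", "FIN"),
    ("ACK,PSH", "PSH"),
    ("ALL", "ALL"),
    ("ALL", "NONE"),
    ("ALL", "FIN,PSH,URG"),
    ("ALL", "SYN,FIN,PSH,URG"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
]


def first_matching_rule(packet_flags: int) -> Optional[int]:
    """1-based index of the first step 4 rule that matches, else None.
    Netfilter stops at the first terminating (-j DROP) match."""
    for index, (mask, comp) in enumerate(BOGUS_FLAG_RULES, start=1):
        if tcp_flags_match(packet_flags, mask, comp):
            return index
    return None


def verdict(flags: str) -> str:
    """'DROP' if a step 4 rule fires for a segment with these flags, else
    'PASS' (meaning only that step 4 let it through; later rules still apply)."""
    return "DROP" if first_matching_rule(flag_bits(flags)) is not None else "PASS"


def shadowed_rules() -> Set[int]:
    """Rules that are never the first match for any of the 64 flag
    combinations, i.e. dead weight in the chain."""
    reached = {first_matching_rule(f) for f in range(0x40)}
    return set(range(1, len(BOGUS_FLAG_RULES) + 1)) - reached


if __name__ == "__main__":
    for sample in ("SYN", "SYN,ACK", "ACK", "FIN,ACK", "RST",
                   "FIN", "URG", "SYN,FIN", "NONE", "ALL"):
        print(f"{sample:10s} -> {verdict(sample)}")
    print("shadowed rules:", sorted(shadowed_rules()))
```

Running it lists PASS for the normal handshake and teardown segments and DROP for the single-flag and SYN/FIN, SYN/RST combinations; shadowed_rules() returns lines 4, 8 and 10 to 14, confirming that the seven remaining lines do all the work.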


### 5: Block spoofed packets ###

/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

These source ranges are multicast and reserved space, link-local, the 192.0.2.0/24 documentation block, RFC 1918 private space, "this network" and loopback, none of which should arrive from the Internet as a source address. Two caveats: 224.0.0.0/3 already contains 240.0.0.0/5, so that line is redundant; and the three RFC 1918 rules will cut off legitimate traffic if the server sits behind NAT or in a cloud VPC where clients, load balancers or health checks have private addresses. In that case restrict these rules to the public interface with -i <iface>, or leave them out.


### 6: Drop ICMP/Ping (you usually don't need this protocol) ###

/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP

Dropping all of ICMP is the blunt option. It also discards "fragmentation needed" messages (type 3, code 4), which breaks Path MTU Discovery for clients behind smaller-MTU links, and the destination-unreachable and time-exceeded messages your own outgoing connections and traceroute rely on. If you can, rate-limit echo-request with -m limit and accept the remaining ICMP types instead of dropping the whole protocol.


### 7: Drop fragments ###

/sbin/iptables -t mangle -A PREROUTING -f -j DROP

The original heading said "in all chains", but the rule is only added to mangle PREROUTING, and there it is effectively dead: once connection tracking is in use (rules 1 to 3 need it), the nf_defrag_ipv4 module reassembles fragments at an earlier PREROUTING priority than the mangle table, so by the time this rule runs there are no fragments left to match. A fragment flood is therefore absorbed by the defragmenter rather than by this rule; keep it for hosts without conntrack, otherwise expect its counters to stay at zero.


### 8: Limit connections per source IP ###

/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

connlimit counts the open connections per source address (the default --connlimit-mask is 32) and resets any attempt beyond 111. Clients behind one shared NAT address, such as an office or a mobile carrier, all count as a single source, so tune the threshold to what your application actually sees; --connlimit-mask 24 aggregates by /24 if an attacker spreads its connections across a small block.


### 9: Limit RST packets ###

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

-m limit keeps a single token bucket for the whole rule, not one per source, so this caps inbound RST segments at 2 per second across all peers. That is acceptable here, since a lost RST only delays connection teardown for a legitimate peer, but keep the shared-bucket behaviour in mind for the next rule.


### 10: Limit new TCP connections per second per source IP ###

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-upto 60/sec --hashlimit-burst 20 --hashlimit-name tcp_new_src -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

The original version of this rule used -m limit --limit 60/s --limit-burst 20. That match has one shared token bucket, so it limited new connections to 60 per second for the whole server rather than per source: a single host sending more than 60 SYNs per second drains the bucket and every other client's new connections are dropped, which turns the rule into an amplifier for the very attack it was meant to stop. hashlimit with --hashlimit-mode srcip keeps one bucket per source address, which is what the heading describes. It still does nothing against a distributed flood in which each source stays under 60 per second; that is what SYNPROXY (rule 11) and upstream filtering are for.
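To make the difference between the two matches concrete, here is an added example (not code from the original article or from netfilter) that runs the same constructed traffic, one flooder at 1000 SYN/s plus one legitimate client opening a connection every third of a second, through a shared token bucket as -m limit would, and then through one bucket per source as hashlimit --hashlimit-mode srcip would. The bucket arithmetic (start full at the burst size, refill at the rate, spend one token per packet) is the standard token-bucket description of these matches; the addresses and timings are made up for the demonstration.

```python
"""Token-bucket model of the two iptables rate limiters discussed in step 10:

  -m limit                             one bucket shared by every source
  -m hashlimit --hashlimit-mode srcip  one bucket per source address

Added example for this page; not code from the original article or from
netfilter.  The traffic below is constructed, not captured.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


class TokenBucket:
    """Holds up to `burst` tokens, refilled continuously at `rate` per second."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # a fresh bucket starts full (--limit-burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(packets: List[Tuple[float, str]], rate: float = 60.0,
             burst: int = 20, per_source: bool = False) -> Dict[str, Tuple[int, int]]:
    """Run new-connection packets (timestamp, src_ip) through the limiter.
    Returns {src_ip: (accepted, dropped)}."""
    buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ts, src in packets:
        key = src if per_source else "*"       # -m limit: everyone shares "*"
        stats[src][0 if buckets[key].allow(ts) else 1] += 1
    return {src: (acc, drop) for src, (acc, drop) in stats.items()}


ATTACKER = "203.0.113.7"      # constructed sample addresses from RFC 5737 space
CLIENT = "198.51.100.20"


def constructed_traffic(seconds: int = 10, attacker_pps: int = 1000,
                        client_interval: float = 0.333) -> List[Tuple[float, str]]:
    """One SYN flooder at `attacker_pps`, one legitimate client opening a
    connection every `client_interval` seconds, merged in time order."""
    packets = [(i / attacker_pps, ATTACKER) for i in range(seconds * attacker_pps)]
    packets += [(k * client_interval + 0.0005, CLIENT)
                for k in range(int(seconds / client_interval))]
    packets.sort()
    return packets


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("shared bucket (-m limit):        ", simulate(traffic))
    print("per-source (-m hashlimit srcip): ", simulate(traffic, per_source=True))
```

With the shared bucket the flooder takes roughly all 20 burst tokens plus the 60 per second that trickle in, and the legitimate client gets only its first couple of connections through; with a bucket per source the client's 30 connections are all accepted while the flooder is still held to about 620 over the ten seconds. The per-source limit protects bystanders from one noisy source, which is the point of rule 10; it does not reduce what a distributed flood can push through, since each source gets its own 60 per second.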


### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###

sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
/sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
/sbin/iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

This step is optional and is the one that copes best with a volumetric SYN flood: the SYN is not tracked (-j CT --notrack) and SYNPROXY answers it with a SYN cookie instead of allocating a conntrack entry, so only clients that complete the handshake ever reach the listening service. The original article listed these lines with -D (delete) and commented out; -A is the form that installs them. Three things change when you enable it. The sysctls above are required: SYNPROXY uses syncookies and timestamps, and tcp_loose=0 makes the client's final handshake ACK show up as INVALID so that the SYNPROXY target sees it. Rule 1 must be removed, because it would drop that INVALID ACK in mangle PREROUTING before INPUT is ever reached. And the conntrack NEW based rules (2, 3 and 10) no longer see the handshake, since an untracked SYN has state UNTRACKED rather than NEW. Set --mss to the MSS your server really uses (1460 for a 1500 byte MTU).


### SSH brute-force protection ###

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

The first rule records the source address of every new SSH connection; the second drops a new connection when that address has been seen 10 or more times within the last 60 seconds, and because --update refreshes the timestamp, a host that keeps hammering stays blocked for as long as it keeps trying. "ssh" resolves to port 22 through /etc/services; use the numeric port if your daemon listens elsewhere. These rules only filter SSH, they do not accept it, so your allow rule for the port still has to exist.


### Protection against port scanning ###

/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning

The original article created the port-scanning chain but never jumped to it from INPUT, so it had no effect; the last line above adds the jump. It is deliberately restricted to segments with RST set and SYN, ACK and FIN clear: sending all TCP traffic into the chain would drop every non-RST segment, because the chain's only RETURN is for RST-only packets inside the 1/s limit. The heuristic behind it is that a SYN scan against open ports produces a burst of such RSTs from the scanner. Note that rule 9 already accepts or drops every RST-bearing segment earlier in INPUT, so when both are installed this jump is never reached; keep one or the other.
