spithash / iptables-kernel-ddos-protection

Iptables & Kernel (sysctl) ddos protection rules

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

System Configuration and Security Settings

This repository contains configuration settings for enhancing system security and performance through sysctl and iptables rules. The provided settings are intended to be used in a Linux environment.

Kernel Configuration (/etc/sysctl.conf)

Set kernel printk levels for console messages

kernel.printk = 4 4 1 7 

Set the kernel panic timeout in seconds

kernel.panic = 10 

Set the sysrq key functionality (0 = disabled)

kernel.sysrq = 0 

Set the maximum size of a shared memory segment

kernel.shmmax = 4294967296 

Set the total amount of shared memory pages system-wide

kernel.shmall = 4194304 

Use process ID as the core dump filename

kernel.core_uses_pid = 1 

Set the maximum number of message bytes in a message queue

kernel.msgmnb = 65536 

Set the maximum size of a message in a message queue

kernel.msgmax = 65536 

Set the swappiness value for virtual memory management

vm.swappiness = 20 

Set the dirty ratio threshold for background writeback

vm.dirty_ratio = 80 

Set the dirty ratio threshold for triggering background writeback

vm.dirty_background_ratio = 5 

Set the maximum number of file handles the system can allocate

fs.file-max = 2097152 

Set the maximum number of packets in the network device backlog

net.core.netdev_max_backlog = 262144 

Set the default receive socket buffer size

net.core.rmem_default = 31457280 

Set the maximum receive socket buffer size

net.core.rmem_max = 67108864 

Set the default send socket buffer size

net.core.wmem_default = 31457280 

Set the maximum send socket buffer size

net.core.wmem_max = 67108864 

Set the maximum number of pending connections in the listen queue

net.core.somaxconn = 65535 

Set the maximum amount of option memory allowed per socket

net.core.optmem_max = 25165824 

Set thresholds for neighbor entry garbage collection

net.ipv4.neigh.default.gc_thresh1 = 4096 
net.ipv4.neigh.default.gc_thresh2 = 8192 
net.ipv4.neigh.default.gc_thresh3 = 16384 

Set the interval for neighbor entry garbage collection (in seconds)

net.ipv4.neigh.default.gc_interval = 5 

Set the time to consider a neighbor entry stale (in seconds)

net.ipv4.neigh.default.gc_stale_time = 120 

Set the maximum number of entries in the connection tracking table

net.netfilter.nf_conntrack_max = 10000000 

Disable TCP loose mode in connection tracking

net.netfilter.nf_conntrack_tcp_loose = 0 

Set TCP timeout values for established, close, close_wait, fin_wait connections

net.netfilter.nf_conntrack_tcp_timeout_established = 1800 
net.netfilter.nf_conntrack_tcp_timeout_close = 10 
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10 
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20 
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20 
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20 
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20 
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10 

Disable slow start after idle for TCP

net.ipv4.tcp_slow_start_after_idle = 0 

Set the local port range for ephemeral ports

net.ipv4.ip_local_port_range = 1024 65000 

Enable or disable PMTU discovery (1 = disabled)

net.ipv4.ip_no_pmtu_disc = 1 

Flush routing tables on interface add/removal

net.ipv4.route.flush = 1 

Set the maximum size of the IPv4 routing table

net.ipv4.route.max_size = 8048576 

Ignore broadcast ICMP echo requests

net.ipv4.icmp_echo_ignore_broadcasts = 1 

Ignore bogus ICMP error responses

net.ipv4.icmp_ignore_bogus_error_responses = 1 

Set the TCP congestion control algorithm to htcp

net.ipv4.tcp_congestion_control = htcp 

Set memory thresholds for TCP and UDP

net.ipv4.tcp_mem = 65536 131072 262144 
net.ipv4.udp_mem = 65536 131072 262144 

Set receive buffer sizes for TCP and UDP

net.ipv4.tcp_rmem = 4096 87380 33554432 
net.ipv4.udp_rmem_min = 16384 

Set send buffer sizes for TCP and UDP

net.ipv4.tcp_wmem = 4096 87380 33554432 
net.ipv4.udp_wmem_min = 16384 

Set the maximum number of TIME-WAIT sockets in the system

net.ipv4.tcp_max_tw_buckets = 1440000 

Disable TCP tw_recycle and enable TCP tw_reuse

net.ipv4.tcp_tw_recycle = 0 
net.ipv4.tcp_tw_reuse = 1 

Set the maximum number of orphaned sockets

net.ipv4.tcp_max_orphans = 400000 

Enable TCP window scaling

net.ipv4.tcp_window_scaling = 1 

Enable TCP RFC 1337 protection

net.ipv4.tcp_rfc1337 = 1 

Enable TCP SYN cookies

net.ipv4.tcp_syncookies = 1 

Set the number of retries for SYN-ACK before giving up

net.ipv4.tcp_synack_retries = 1 

Set the number of retries for SYN before giving up

net.ipv4.tcp_syn_retries = 2 

Set the maximum number of pending SYN requests in the backlog

net.ipv4.tcp_max_syn_backlog = 16384 

Enable TCP timestamps

net.ipv4.tcp_timestamps = 1 

Enable TCP selective acknowledgment

net.ipv4.tcp_sack = 1 

Enable TCP Forward Acknowledgment

net.ipv4.tcp_fack = 1 

Set TCP ECN (Explicit Congestion Notification) mode (2 = enabled)

net.ipv4.tcp_ecn = 2 

Set the timeout for TCP FIN-WAIT-2 state

net.ipv4.tcp_fin_timeout = 10 

Set the idle time before sending a TCP keepalive probe

net.ipv4.tcp_keepalive_time = 600 

Set the interval between TCP keepalive probes

net.ipv4.tcp_keepalive_intvl = 60 

Set the number of TCP keepalive probes before considering the connection dead

net.ipv4.tcp_keepalive_probes = 10 

Disable saving metrics for TCP connections

net.ipv4.tcp_no_metrics_save = 1

Enable or disable IP forwarding (0 = disabled)

Note: If using Docker, you may need to enable IP forwarding to avoid warnings during container creation

net.ipv4.ip_forward = 0 

Disable ICMP redirect acceptance

net.ipv4.conf.all.accept_redirects = 0 

Disable sending ICMP redirects

net.ipv4.conf.all.send_redirects = 0 

Disable source routing

net.ipv4.conf.all.accept_source_route = 0 

Enable reverse path filtering

net.ipv4.conf.all.rp_filter = 1

iptables Settings

1: Drop invalid packets

Drop incoming packets with INVALID connection tracking state

iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

2: Drop TCP packets that are new and are not SYN

Drop incoming non-SYN TCP packets in NEW connection state

iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

3: Drop SYN packets with suspicious MSS value

Drop incoming TCP packets in NEW connection state with TCPMSS values outside the specified range

iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

4: Block packets with bogus TCP flags

Drop incoming TCP packets with specific TCP flags combinations

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

5: Block spoofed packets

Drop incoming packets from specific address ranges. You might want to adjust these if you're running Docker containers or you are actually using the below ip ranges.

iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s -j DROP
iptables -t mangle -A PREROUTING -s ! -i lo -j DROP

6: Drop ICMP (you usually don't need this protocol)

Drop incoming ICMP packets

iptables -t mangle -A PREROUTING -p icmp -j DROP

7: Limit connections per source IP (80 in our case, you can adjust that value to your needs)

Reject incoming TCP connections if the number of connections exceeds the limit

iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset

8: Drop fragments in all chains

Drop incoming fragmented packets

iptables -t mangle -A PREROUTING -f -j DROP


Iptables & Kernel (sysctl) ddos protection rules

License:GNU General Public License v3.0


Language:Shell 100.0%