Linux DDOS Defense with iptables

Previous Linux DDOS Defense post:
- Linux DDOS Defense with .htaccess

Linux has a great multipurpose tool called iptables. Blocking an IP in iptables blocks it from using any of the server's resources, not just the web server. This is effective against broad-range attacks that target multiple ports (FTP, telnet, HTTP, etc.). Unfortunately, many server admins and webmasters are afraid to use iptables and, therefore, have no experience with it. If you edit the iptables rules file directly it is very easy to cause major downtime, especially if your server is hosted off site. For instance, a syntax error in iptables can block your access to SSH, FTP, HTTP and everything else.

However, the workaround is to never edit the iptables file directly. Simply enter iptables commands from the Linux command line. If you get the syntax wrong, the command-line interface will simply reject the command. Here are some examples of proper usage:

To block a range of IPs in a network use (example bad-guy IPs shown):

iptables -I INPUT -m iprange --src-range 120.60.0.0-120.60.255.255 -j DROP

To block a single IP address use:

iptables -A INPUT -s 120.60.43.201 -j DROP

To display the currently loaded iptables rules without changing them use:

iptables -L
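The three commands above are typed one at a time, and a mistyped address is only caught when iptables rejects it. As an added example that is not part of the original post, the following POSIX shell script wraps the same two rule forms (single host with -A, inclusive range with -m iprange) so that a whole list of addresses can be checked for well-formedness before anything is sent to iptables. It assumes the INPUT chain of the default filter table, as the post does; the APPLY variable and the function names are this script's own, not an iptables feature. By default it only prints the rules it would run.

```shell
#!/bin/sh
# Added example (not from the original post): generate the post's DROP rules
# from a list of addresses, validating each entry first.
# Dry run by default; set APPLY=1 (this script's own switch) to execute them.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    _ip=$1
    case $_ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, bad chars, empty octet
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $_ip                                # split into octets
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command that blocks one entry: a single host such as
# 120.60.43.201, or an inclusive range written start-end as in the post.
# Prints nothing and returns 1 when the entry is malformed.
block_rule() {
    _entry=$1
    case $_entry in
        *-*)
            _start=${_entry%-*}
            _end=${_entry#*-}
            is_ipv4 "$_start" && is_ipv4 "$_end" || return 1
            printf 'iptables -I INPUT -m iprange --src-range %s-%s -j DROP\n' \
                "$_start" "$_end"
            ;;
        *)
            is_ipv4 "$_entry" || return 1
            printf 'iptables -A INPUT -s %s -j DROP\n' "$_entry"
            ;;
    esac
}

# Read entries from stdin (one per line, '#' starts a comment), print the
# rule for each valid one, report the rest on stderr, and run the rules
# only when APPLY=1.
block_list() {
    while IFS= read -r _line; do
        _line=${_line%%#*}                     # strip trailing comment
        _line=$(printf '%s' "$_line" | tr -d ' \t')
        [ -n "$_line" ] || continue
        if _cmd=$(block_rule "$_line"); then
            echo "$_cmd"
            if [ "${APPLY:-0}" = 1 ]; then
                eval "$_cmd"
            fi
        else
            echo "skipping malformed entry: $_line" >&2
        fi
    done
    return 0
}

# Constructed sample input: the post's example addresses plus one mistyped
# entry, which is reported and skipped instead of being handed to iptables.
printf '%s\n' \
    '120.60.0.0-120.60.255.255   # range from the post' \
    '120.60.43.201               # single host from the post' \
    '120.60.43.300               # typo: octet out of range' \
    | block_list
```

Two points worth keeping in mind when using rules like these: -A appends to the end of INPUT, so a DROP added that way never matches if an earlier rule already accepts the traffic, while -I inserts at the top and takes effect first; and rules entered at the command line live only in the running kernel, so they disappear on reboot unless saved with the distribution's iptables-save mechanism. `iptables -L -n` lists the rules without reverse DNS lookups, which keeps the listing fast.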


Comments (1)

Geoff, September 1st, 2011 at 8:28 pm

When you mean “never edit iptables directly”, what do you mean? Isn’t the iptables command line tool the direct way of editing your netfilter rules? And the iptables command that I know has always been quite happy to let me do ‘iptables -I INPUT -p tcp --dport 22 -j DROP’ (which would drop my ssh connection to the computer), allowing me plenty of rope to hang myself with.
