pimpmyname
Junior Member
Join Date: Jul 2021
02-28-2023, 01:59   Re: [A2S] Attacks on my server CS:GO

Quote:
Originally Posted by fragnichtnach
That's really helpful! Thank you for sharing!

I've got a few questions:
Why are you using -m recent? The size is only 100 and it's a linear search. On a real DDoS attack this isn't helpful at all, I believe.

Are we able to increase the size of the tables behind hashlimit? I didn't find the way with Google.
Code:
/proc/sys/net/netfilter/nf_conntrack_hashsize
isn't available in my system.
The -m recent module "remembers" this:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

So if the "--name vse" entry matches (this has to be at the top of your iptables):
-A INPUT -p udp -m udp --dport SERVERPORT -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

It will drop the connection for 30 seconds over and over, so the attack doesn't hit your server port. But if you're experiencing a real DDoS attack, I think it could handle some of it, but it depends on PPS. Contact me over Discord: p!mp#8718, then I can try to help hardening your iptables even more.
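To trace how the two rules in the post interact, here is a small model of the xt_recent list they share (an added example, not pimpmyname's code or anything from iptables itself). It assumes that the Filter-DROP chain is reached by some other rule for the packets marked as flagged, and it leaves out the kernel's per-entry stamp cap and --reap.

```python
from collections import defaultdict


class RecentList:
    """One xt_recent list ("vse") keyed by source address (--rsource).
    Simplified: no per-entry stamp cap, no --reap; times are plain seconds."""

    def __init__(self, seconds=30, hitcount=5):   # --seconds 30 --hitcount 5
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)  # src -> timestamps of recorded hits

    def set(self, src, now):
        """--set (the Filter-DROP rule): always record this packet for src."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update (the INPUT rule): match only if src already has >= hitcount
        stamps inside the window; a match adds a fresh stamp, which is what keeps
        a flooding source blocked 'over and over' for as long as it keeps sending."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits < self.hitcount:
            return False
        self.stamps[src].append(now)
        return True


def simulate(packets, recent=None):
    """packets: (time_s, src, flagged); flagged=True stands for a packet that a
    later rule would send to Filter-DROP anyway. Returns one verdict per packet."""
    recent = recent if recent is not None else RecentList()
    verdicts = []
    for now, src, flagged in packets:
        if recent.update(src, now):      # INPUT: -m recent --update ... -j DROP
            verdicts.append("DROP(recent)")
        elif flagged:                    # Filter-DROP: -m recent --set, -j DROP
            recent.set(src, now)
            verdicts.append("DROP(filter)")
        else:
            verdicts.append("ACCEPT")
    return verdicts


SAMPLE = [  # constructed traffic, not captured data; 203.0.113.7 floods the port
    (0, "203.0.113.7", True), (1, "203.0.113.7", True), (2, "203.0.113.7", True),
    (3, "198.51.100.2", False), (3, "203.0.113.7", True), (4, "203.0.113.7", True),
    (5, "203.0.113.7", False),    # 5 stamps inside 30 s: --update now drops it
    (6, "203.0.113.7", False),    # still dropped, entry refreshed by the match
    (40, "203.0.113.7", False),   # idle for > 30 s: stamps aged out, passes again
]
```

Running simulate(SAMPLE) shows the flooding source being dropped by the INPUT rule from its sixth packet on, while the unrelated client is never listed.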