| blob | ab08e13cb3671a8d75e3938cba95ca7a0f8a3be9 |
1 # -*- shell-script -*-
2 #
3 # Ferm example script
4 #
5 # Firewall configuration to prevent basic tcp DoS/DDoS attacks
6 #
7 # Authors: Vlad Glagolev <enqlave@gmail.com>, Stepan Rogov <rogov_sa@mail.ru>
8 #
10 @def &ANTIDDOS($ports, $seconds, $hits, $time, $exceptions) = {
11 proto tcp dport $ports @subchain "ddos_check" {
12 # allow every exception as-is
13 saddr $exceptions ACCEPT;
15 # connection tracking
16 mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
18 # check for IPs overloading $hits/$seconds rate and block them
19 mod recent name "ddos_check" rcheck seconds $seconds hitcount $hits @subchain "ddos" {
20 mod recent set name "ddos" NOP;
22 DROP;
23 }
25 # register a packet in "ddos_check" list
26 mod recent set name "ddos_check" NOP;
28 # check IP in "ddos" list
29 # if it exists and had been registered in the last $time seconds -- drop it
30 mod recent name "ddos" rcheck seconds $time DROP;
32 # remove packet from "ddos" list
33 mod recent name "ddos" remove NOP;
35 # allow ONLY new connections
36 mod conntrack ctstate NEW ACCEPT;
38 DROP;
39 }
40 }
42 table filter {
43 chain INPUT {
44 policy DROP;
46 # connection tracking
47 mod state state INVALID REJECT;
48 mod state state (ESTABLISHED RELATED) ACCEPT;
50 # allow local connections
51 interface lo ACCEPT;
53 # ban ip addresses for 1 day which connect more than 50 times in 3 seconds,
54 # exception is IP: 94.29.90.101
55 &ANTIDDOS((80, 443), 50, 3, 86400, 94.29.90.101);
57 # the rest is dropped by the above policy
58 }
60 # outgoing connections are not limited
61 chain OUTPUT policy ACCEPT;
63 # this is not a router
64 chain FORWARD policy DROP;
65 }