# ferm firewall configuration to mitigate basic TCP connection-flood DoS/DDoS attacks
# (per-source rate limiting and temporary bans via the xt_recent "recent" match)
7 # Authors: Vlad Glagolev <enqlave@gmail.com>, Stepan Rogov <rogov_sa@mail.ru>
10 @def &ANTIDDOS($ports, $seconds, $hits, $time, $exceptions) = {
11 proto tcp dport $ports @subchain "ddos_check" {
12 # allow every exception as-is
13 saddr $exceptions ACCEPT;
16 mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
# rate check: if the source address already has $hits entries in the "ddos_check"
# list within the last $seconds seconds, enter the "ddos" subchain and put it on the ban list
19 mod recent name "ddos_check" rcheck seconds $seconds hitcount $hits @subchain "ddos" {
20 mod recent set name "ddos" NOP;
# record this packet's source address in the "ddos_check" list (adds it, or refreshes
# its timestamp); note this happens after the rate check above, so the current packet
# is not counted against itself
26 mod recent set name "ddos_check" NOP;
# ban enforcement: if the source is on the "ddos" list and was last seen there
# within the last $time seconds, drop the packet
30 mod recent name "ddos" rcheck seconds $time DROP;
# reached only when the ban has expired (or was never set): remove the source
# address from the "ddos" list so it starts with a clean slate
33 mod recent name "ddos" remove NOP;
# ESTABLISHED/RELATED traffic was already accepted above, so only NEW connections
# reach this point; accept them (the chain ends here -- anything else falls through)
36 mod conntrack ctstate NEW ACCEPT;
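# packets conntrack cannot attribute to any connection (bad TCP flags,
# out-of-window segments, ...). REJECT answers each one with a TCP RST / ICMP
# error, which under a flood means extra outbound traffic; DROP is the quieter
# choice, but the existing REJECT behaviour is kept here.
# "mod conntrack ctstate" is the current match (the same form &ANTIDDOS uses);
# "mod state" is its legacy alias with identical semantics.
mod conntrack ctstate INVALID REJECT;

# traffic belonging to a connection that was already accepted needs no further checks
mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;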
50 # allow local connections
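# ban a source for 1 day (86400 s) once it has opened at least 50 connections
# to ports 80/443 within 3 seconds; 94.29.90.101 is exempt from the limit.
#
# &ANTIDDOS takes ($ports, $seconds, $hits, $time, $exceptions) -- the time
# window comes BEFORE the hit count. The previous call passed (50, 3), i.e.
# hitcount 3 within 50 seconds, which would have banned any client (a browser
# opening a handful of connections) for a day.
#
# NOTE: xt_recent keeps only ip_pkt_list_tot timestamps per address (default 20),
# so a hitcount of 50 needs the module parameter raised, e.g.
# "options xt_recent ip_pkt_list_tot=50" in /etc/modprobe.d/; otherwise the
# rule cannot match (newer kernels reject it at load time).
&ANTIDDOS((80, 443), 3, 50, 86400, 94.29.90.101);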
# anything not accepted above falls through to the chain's default policy, which drops it
# nothing leaving this host is filtered
chain OUTPUT {
    policy ACCEPT;
}

# this host does not route for anyone else: refuse to forward packets
chain FORWARD {
    policy DROP;
}