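  #!/usr/bin/env bash
  # Flood-mitigation iptables rules for a web host. Must run as root. Rules are
  # appended/inserted into the live ruleset and are NOT persisted across reboots.
  # Strict mode: a firewall script that half-applies is worse than one that
  # aborts loudly, so any failing iptables/sysctl call stops the script.
  # (The paste used "//" for comments, which bash tries to execute as a command.)
  set -euo pipefail

  # --- UDP flood (spoofed / bogus "connections") -------------------------------
  # Drop anything *sourced from* UDP/19 (chargen): a classic amplification
  # reflector whose replies would otherwise land on this host.
  iptables -A INPUT -p udp -m udp --sport 19 -j DROP

  # The first 5 UDP packets/s take RETURN, which in a built-in chain means the
  # chain policy decides their fate. CAVEAT: the token bucket is host-wide, not
  # per source, so a flood also starves legitimate UDP (DNS/NTP replies);
  # `-m hashlimit --hashlimit-mode srcip` gives a per-source limit instead.
  iptables -A INPUT -p udp -m limit --limit 5/s -j RETURN

  # Packets above the limit are logged (themselves capped at 5/s to protect
  # syslog) and then fall through to the rules below — there is no DROP here,
  # so as written this section only observes the flood. Add
  # `iptables -A INPUT -p udp -j DROP` after it if dropping is the intent.
  iptables -A INPUT -p udp -m limit --limit 5/s -j LOG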
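  # --- SYN / request flood on the web ports -------------------------------------
  # Interface the web traffic arrives on; override with IFACE=... in the
  # environment. (The paste hard-coded eth0 on one of each rule pair only.)
  IFACE=${IFACE:-eth0}

  # Cap concurrent TCP connections per source address at 20 on 80 and 443
  # (connlimit counts conntrack entries per /32 by default). CAVEAT: clients
  # behind carrier-grade NAT share one address and hit this limit collectively.
  iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP
  iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 20 -j DROP

  # Per-source new-connection rate limit via xt_recent: more than 20 NEW
  # connections from one address within 10 s are dropped. The --update (check)
  # rule is inserted with -I so it sits at the head of INPUT, ahead of the
  # appended --set rule that records each source. Both rules are bound to the
  # same interface; the paste matched -i only on the --set rule, so the check
  # rule also ran for other interfaces whose sources were never recorded.
  # `--hitcount 20` equals xt_recent's default ip_pkt_list_tot; raising the
  # hitcount requires raising that module parameter too.
  for port in 80 443; do
    iptables -A INPUT -p tcp --dport "$port" -i "$IFACE" -m conntrack --ctstate NEW -m recent --set
    iptables -I INPUT -p tcp --dport "$port" -i "$IFACE" -m conntrack --ctstate NEW -m recent --update --seconds 10 --hitcount 20 -j DROP
  done

  # Do NOT use the rule below: `-m limit ... -j DROP` is inverted. The limit
  # match is true for the first 10 SYN/s (burst 13), so it drops the legitimate
  # rate and lets everything above it through. The correct shape is
  # `-m limit ... -j ACCEPT` followed by an unconditional DROP.
  # iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 13 -j DROP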
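  # --- "flood" chain: log the offending source, then drop ------------------------
  # NOTE: nothing in this listing jumps to this chain; it is meant to replace
  # bare `-j DROP` targets (`... -j flood`) wherever a log line is wanted.
  # `-N` fails if the chain already exists (re-runs), so flush it in that case
  # rather than aborting.
  iptables -N flood 2>/dev/null || iptables -F flood

  # Rate-limit the LOG target: an unlimited LOG under a flood is itself a DoS on
  # the syslog/disk path. The prefix is what log alerting should key on.
  iptables -A flood -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "FLOOD "
  iptables -A flood -j DROP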
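  # --- Bandwidth-exhaustion / SYN-flood protection with SYNPROXY ------------------
  # SYNPROXY completes the three-way handshake on the server's behalf and only
  # creates a real connection (and conntrack entry) once the client's ACK
  # arrives, so a SYN flood never reaches the socket backlog or the conntrack
  # table. It needs SYN cookies and TCP timestamps, and conntrack must not pick
  # up mid-stream connections (tcp_loose=0), otherwise the untracked SYNs would
  # be re-tracked. These writes are not persistent — mirror them in /etc/sysctl.d/.
  sysctl -w net/ipv4/tcp_syncookies=1
  sysctl -w net/ipv4/tcp_timestamps=1
  sysctl -w net/netfilter/nf_conntrack_tcp_loose=0

  # Size the conntrack table for an attack. The hashsize parameter only exists
  # once nf_conntrack is loaded, hence the modprobe (the paste wrote to it
  # unconditionally). 2M entries cost hundreds of MB of kernel memory — size to
  # the box.
  modprobe nf_conntrack
  echo 2500000 > /sys/module/nf_conntrack/parameters/hashsize
  sysctl -w net/netfilter/nf_conntrack_max=2000000

  # SYNPROXY rules. The paste installed them twice: once for every TCP port on
  # every local address, and again for one specific destination — using one
  # address in raw/PREROUTING (evaluated before DNAT) and a different one in
  # INPUT (after DNAT). Both copies are kept, parameterised. The two addresses
  # MUST describe the same flow (public address pre-DNAT, local address post-
  # DNAT) — TODO confirm against the nat table, which is not in this listing.
  # The -I rules land at the HEAD of INPUT, above the connlimit/recent rules
  # added earlier in this script; check the final order with
  # `iptables -L INPUT -v -n`. --mss/--wscale should match what the server
  # itself advertises (1460 assumes a 1500-byte MTU path; lower it behind
  # PPPoE/tunnels).
  PUBLIC_IP=${PUBLIC_IP:-63.251.20.91}
  LOCAL_IP=${LOCAL_IP:-192.168.0.50}
  SYNPROXY_OPTS=(--sack-perm --timestamp --wscale 7 --mss 1460)

  # 1) Do not conntrack raw SYNs: SYNPROXY answers them without a state entry.
  iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT --notrack
  # 2) Untracked SYNs and the handshake ACKs conntrack never saw (INVALID) go
  #    to SYNPROXY. Unscoped: this proxies EVERY TCP port on the host, not just
  #    80/443 — add `-m multiport --dports 80,443` to both rules to narrow it.
  iptables -I INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY "${SYNPROXY_OPTS[@]}"
  # 3) Whatever is still INVALID after SYNPROXY is dropped. The paste appended
  #    this identical rule a second time below; one copy catches everything.
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Same notrack + SYNPROXY pair for the specific host (see the address caveat).
  iptables -t raw -I PREROUTING -p tcp -m tcp -d "$PUBLIC_IP" --syn -j CT --notrack
  iptables -I INPUT -p tcp -m tcp -d "$LOCAL_IP" -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY "${SYNPROXY_OPTS[@]}"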
  56. //GENERALIZACION IPTABLES PARA PERFECCIONAR
  57.  
  58. iptables -A INPUT -p ICMP --icmp-type echo-request -m length --length 60:65535 -j ACCEPT
  59.  
  60. iptables -A INPUT -p UDP -f -j DROP
  61.  
  62. iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
  63.  
  64. iptables -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkttype broadcast -j DROP
  65.  
  66. iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
  67.  
  68. iptables -A INPUT -p UDP --dport 7 -j DROP
  69.  
  70. iptables -A INPUT -p UDP --dport 19 -j DROP
  71.  
  72. iptables -A INPUT -p UDP --dport 135:139 -j DROP
  73.  
  74. iptables -A INPUT -p TCP --dport 135:139 -j DROP
  75.  
  76. iptables -A INPUT -p TCP --syn -m iplimit --iplimit-above 3 -j DROP
  77.  
  78. iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
  79.  
  80. iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
  81.  
  82. iptables -A INPUT -p ICMP -f -j DROP
  83.  
  84. iptables -A INPUT -p tcp -d IP -m length –length 40:48 -j DROP
  85.  
  86. iptables -A INPUT -p tcp -s 0.0.0.0/0 -d IP -m ttl –ttl 111 -j DROP