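#!/usr/bin/env bash
# Inbound filter for a host exposing MySQL (3306) and HTTP (80) on eth0:
# per-source connection caps, a rate-limited SYN chain and ICMP throttling.
#
# iptables evaluates a chain top-down and the first terminating target
# (ACCEPT/DROP/REJECT/RETURN) wins, so the order the rules are appended in
# below is part of the policy and must not be changed casually.
#
# Must run as root.  Re-running appends the INPUT rules a second time; only
# the syn_flood chain is recreated cleanly.  Flush INPUT first if you need a
# clean reload (iptables -F INPUT), or restore a saved ruleset instead.
set -euo pipefail

readonly IFACE=eth0
readonly MYSQL_PORT=3306
readonly HTTP_PORT=80
# Sources allowed to reach MySQL.  Note: without the DROP in mysql_rules
# enabled, every other source is still allowed through (see below).
readonly MYSQL_CLIENTS=(91.121.90.167 94.23.240.37 94.23.228.85 127.0.0.1)
# Host trusted for all inbound traffic; it bypasses the SYN limiter and
# every INPUT rule appended after its ACCEPT.
readonly ADMIN_HOST=91.121.90.167

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# MySQL (3306): cap concurrent connections per source, whitelist known
# clients, log the rest.
# Globals: IFACE, MYSQL_PORT, MYSQL_CLIENTS (read)
#######################################
mysql_rules() {
  # More than 35 concurrent connections from one address are refused with
  # a REJECT so the client fails fast instead of hanging.
  iptables -A INPUT -i "$IFACE" -p tcp --dport "$MYSQL_PORT" \
    -m connlimit --connlimit-above 35 -j REJECT
  local client
  for client in "${MYSQL_CLIENTS[@]}"; do
    iptables -A INPUT -s "$client" -p tcp --dport "$MYSQL_PORT" -j ACCEPT
  done
  # LOG is a non-terminating target: a packet that matches here is logged
  # and then continues down the chain, ending at the INPUT policy (ACCEPT
  # unless set elsewhere).  So with the DROP below commented out, 3306 is
  # reachable from any address and the whitelist above only avoids the log
  # line.  This LOG rule is also unlimited; under a connection flood it can
  # fill the log — consider adding "-m limit" in front of it.
  iptables -A INPUT -p tcp --dport "$MYSQL_PORT" -j LOG
  # Enable this to actually restrict 3306 to MYSQL_CLIENTS.  It belongs
  # after the LOG rule, otherwise nothing would ever be logged.
  #iptables -A INPUT -p tcp --dport "$MYSQL_PORT" -j DROP
}

#######################################
# HTTP (80): per-source concurrent connection cap only.
# Globals: IFACE, HTTP_PORT (read)
#######################################
http_rules() {
  iptables -A INPUT -i "$IFACE" -p tcp --dport "$HTTP_PORT" \
    -m connlimit --connlimit-above 40 -j REJECT
}

#######################################
# SYN rate limiting through a dedicated syn_flood chain.
# Globals: ADMIN_HOST (read)
#######################################
syn_flood_rules() {
  # Trusted host: accept everything from it before any limiting applies.
  iptables -A INPUT -s "$ADMIN_HOST" -j ACCEPT
  # Historical per-IP SYN limit on port 20123 (iplimit is the obsolete
  # predecessor of connlimit); kept for reference only.
  #iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 20123 --syn -m iplimit --iplimit-above 2 -j DROP

  # Create the chain, or empty it if a previous run left it behind, so the
  # script can be re-run without -N failing under "set -e".
  iptables -N syn_flood 2>/dev/null || iptables -F syn_flood
  # Every new connection attempt (SYN) is inspected by the chain.
  iptables -A INPUT -p tcp --syn -j syn_flood

  # "-m limit" matches while its own token bucket still has tokens, and each
  # rule keeps a separate bucket.  Result: up to 150 SYN/s (burst 300) are
  # logged, up to 300 SYN/s (burst 700) RETURN to INPUT and are processed
  # normally, anything beyond that is dropped.
  iptables -A syn_flood -m limit --limit 150/s --limit-burst 300 \
    -j LOG --log-prefix 'SYNFLOOD:'
  iptables -A syn_flood -m limit --limit 300/s --limit-burst 700 -j RETURN
  iptables -A syn_flood -j DROP
}

#######################################
# ICMP: accept a bounded rate, log a bounded sample of the excess, drop
# the rest.
#######################################
icmp_rules() {
  iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
  # Separate bucket: logs at most 10/s of the packets the rule above let
  # through to here, so a ping flood cannot flood the log as well.
  iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 \
    -j LOG --log-prefix 'PING-DROP:'
  iptables -A INPUT -p icmp -j DROP
}

main() {
  (( EUID == 0 )) || die "iptables rules must be loaded as root"
  # Loopback is never filtered.
  iptables -A INPUT -i lo -j ACCEPT
  mysql_rules
  http_rules
  syn_flood_rules
  icmp_rules
}

main "$@"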
Wycięcie 1 IP:
# -I with rule number 1 (the default for -I) places the DROP at the head of
# INPUT, ahead of every ACCEPT already appended, so the address is cut off
# regardless of what the rest of the chain allows.
iptables -I INPUT 1 -s 91.121.90.1 -j DROP
Zapisanie regułek:
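# Save the running ruleset to a temp file and rename it into place, so a
# failing iptables-save cannot leave /etc/iptables.conf truncated (the
# plain "iptables-save > file" form empties the target before the command
# runs).  mktemp creates the file 0600, which also keeps the whitelisted
# addresses readable by root only.
tmp=$(mktemp /etc/iptables.conf.XXXXXX)
if iptables-save > "$tmp"; then
  mv -f -- "$tmp" /etc/iptables.conf
else
  rm -f -- "$tmp"
fi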
Wrzucenie regułek na starcie systemu (w /etc/network/interfaces):
auto eth0
iface eth0 inet static
address 1.1.1.1
netmask 255.255.255.0
network 2.2.2.2
broadcast 1.1.1.255
gateway 1.1.1.254
pre-up iptables-restore < /etc/iptables.conf
[[https://help.ubuntu.com/community/IptablesHowTo]]
[[http://otland.net/blogs/don+daniello/linux-anti-ddos-iptables-rules-841/]]