Linux Firewall (iptables) commands for DDoS attacks

You may need to check your logs and block some IPs manually on a regular basis.

Always use ipsets for efficient filtering, especially when dealing with larger numbers of entries.

# one set for single addresses, one for CIDR ranges
sudo ipset create gvset1 hash:ip
sudo ipset create gvset2 hash:net
# a single iptables rule per set; add or remove entries with "ipset add/del" without touching iptables again
sudo iptables -A INPUT -m set --match-set gvset1 src -j DROP
sudo iptables -A INPUT -m set --match-set gvset2 src -j DROP

For example, any IP that has more than 10 "access denied" (403) or "page not found" (404) errors in the last 24 hours and is not a Google or MSN IP.

Ensure that the hosts do not resolve to Google search, MSN search or the Amazon crawler. It's usually ok to resolve to Amazon AWS.

Use at your own risk. This method may block some legitimate ISPs.

Also block the SSH port (22) in your hosting provider's firewall, if possible.

Important: Make sure your own IP is not in a range before running the commands.

Also ensure that any IPs within the Googlebot IP ranges below are removed.
# -D deletes a previously added rule; the -s and -j arguments must match that rule exactly
sudo iptables -D INPUT -s 66.249.0.0/16 -j DROP
sudo iptables -D INPUT -s 209.85.238.0/24 -j DROP

And that any IPs within the MSN search IP ranges are removed as well.
sudo iptables -D INPUT -s 207.46.0.0/16 -j DROP
sudo iptables -D INPUT -s 52.167.0.0/16 -j DROP
sudo iptables -D INPUT -s 40.77.0.0/16 -j DROP
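One way to make the log-review step above repeatable, as an added example that is not part of the original page: a Python script run over a constructed sample of combined-format access log lines. It counts 403/404 responses per IP inside the 24-hour window, skips anything in the Googlebot and MSN ranges quoted above (plus a placeholder for your own address, 198.51.100.7, which you would replace), and prints the `ipset add` lines for the `gvset1` set created earlier. The sample addresses come from documentation ranges; the log lines, the function names and the threshold parameters are assumptions, not anything from the page.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Ranges that must never be blocked: the Googlebot and MSN search ranges
# quoted on the page, plus a placeholder for your own admin address.
SAFE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "66.249.0.0/16", "209.85.238.0/24",                 # Googlebot (from the page)
    "207.46.0.0/16", "52.167.0.0/16", "40.77.0.0/16",   # MSN search (from the page)
    "198.51.100.7/32",                                  # placeholder: your own IP
)]

# Apache/nginx "combined" log format: client IP, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def is_safe(ip):
    """True if the address falls inside a crawler range or is our own IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SAFE_NETWORKS)


def offending_ips(lines, now, window=timedelta(hours=24), threshold=10,
                  statuses=("403", "404")):
    """Return {ip: count} for addresses with more than `threshold` 403/404
    responses inside `window` ending at `now`, excluding SAFE_NETWORKS."""
    counts = Counter()
    cutoff = now - window
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") not in statuses:
            continue
        if datetime.strptime(m.group("ts"), TS_FMT) < cutoff:
            continue  # older than the window: not counted
        counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n > threshold and not is_safe(ip)}


def ipset_commands(offenders, setname="gvset1"):
    """Render the `ipset add` lines for the hash:ip set created on the page."""
    return [f"sudo ipset add {setname} {ip}" for ip in sorted(offenders)]


# ---- constructed sample input (not real traffic) ----
NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, when, path, status):
    # Constructed combined-format log line.
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 162 "-" "Mozilla/5.0"')


def sample_log():
    lines = []
    # 12 scanner-style 404s inside the window: over the threshold, gets blocked
    for i in range(12):
        lines.append(_line("203.0.113.10", NOW - timedelta(minutes=i), f"/admin{i}.php", 404))
    # 15 404s from a Googlebot-range address: over the threshold but must stay unblocked
    for i in range(15):
        lines.append(_line("66.249.66.1", NOW - timedelta(minutes=i), "/old-page", 404))
    # 11 403s from another address, but older than 24 hours: not counted
    for i in range(11):
        lines.append(_line("203.0.113.20", NOW - timedelta(hours=30, minutes=i), "/.env", 403))
    # an ordinary visitor with one 200 and two 404s: under the threshold
    lines.append(_line("198.51.100.50", NOW, "/", 200))
    lines.append(_line("198.51.100.50", NOW, "/missing", 404))
    lines.append(_line("198.51.100.50", NOW, "/missing2", 404))
    return lines


if __name__ == "__main__":
    for cmd in ipset_commands(offending_ips(sample_log(), NOW)):
        print(cmd)
```

Run against the sample it prints a single line, `sudo ipset add gvset1 203.0.113.10`: the Googlebot address is skipped despite its higher count, and the 403s older than 24 hours do not count. In practice you would feed it `open("/var/log/nginx/access.log")` and `datetime.now(timezone.utc)`, and review the printed lines before running them, as the page advises.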
