Hi all,
We are using CentOS 7 and we want to protect our system from SYN flood attacks using iptables. (I know there are other options such as SYN cookies and kernel configuration, but we also want to use iptables rules to protect the system.) After much research we found some rules to add to our iptables rules. These are:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
It seems these rules do not work on our system. I know there is rule priority in iptables rules. I even tried to add these rules at the top of my iptables rules. However, it does not work.
To see if these rules work, we do a test like this:
We are sending 10 TCP packets per second and they stay for 10 seconds, so we see 100 established connections momentarily.
That's how we checked the number of connections:
netstat | grep port_number | grep ESTABLISHED | wc -l
After that we added the rules to iptables and checked with the above command. However, the number of connections does not change. So, any idea what is wrong with the rules, or what is the best way to protect the system from a SYN flood using iptables? Thank you for your help.
Syn flood protection using iptables
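The limit rule quoted in the post never drops anything: RETURN in the built-in INPUT chain just falls through to the chain policy, and no DROP follows it, while counting ESTABLISHED connections does not measure a SYN flood at all. The script below is an added example, not code from the thread: it builds a user-defined chain that does drop excess SYNs and counts half-open (SYN-RECV) sockets instead; IPT, PORT and the ss sample are assumptions constructed for it.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to a dry run (echo), so
# the script runs without root; set IPT=iptables to apply. PORT is an
# assumed service port; 1/s burst 3 mirrors the thread and is far too low
# for a busy server (-m hashlimit --hashlimit-mode srcip limits per source).
IPT="${IPT:-echo iptables}"
PORT="${PORT:-80}"

# RETURN only does something inside a user-defined chain: in INPUT it just
# falls through to the chain policy, and the thread's rules never DROP.
apply_syn_limit() {
    $IPT -N SYN_LIMIT
    # SYNs within the rate return to INPUT and continue normal processing.
    $IPT -A SYN_LIMIT -m limit --limit 1/s --limit-burst 3 -j RETURN
    # Everything over the rate is logged (rate-limited) and dropped.
    $IPT -A SYN_LIMIT -m limit --limit 5/min -j LOG --log-prefix "SYN-LIMIT: "
    $IPT -A SYN_LIMIT -j DROP
    # Insert at position 1 so it runs before any ACCEPT already in INPUT.
    $IPT -I INPUT 1 -p tcp --dport "$PORT" --syn -j SYN_LIMIT
}

# A SYN flood inflates half-open (SYN-RECV) sockets, not ESTABLISHED ones,
# so "grep ESTABLISHED" says nothing about it. Reads `ss -tan` on stdin:
#   ss -tan | count_syn_recv 80
count_syn_recv() {
    awk -v port="$1" '$1 == "SYN-RECV" && $4 ~ (":" port "$") { n++ }
                      END { print n + 0 }'
}

# Constructed sample of `ss -tan` output (documentation addresses).
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:80         0.0.0.0:*
SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:40001
SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:40002
ESTAB    0      0      10.0.0.5:80        203.0.113.9:51000
SYN-RECV 0      0      10.0.0.5:22        203.0.113.9:51001'

main() {
    apply_syn_limit
    n=$(printf '%s\n' "$SAMPLE_SS" | count_syn_recv "$PORT")
    echo "half-open SYN-RECV sockets on port $PORT: $n"   # 2 for the sample
}
main
```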
Re: Syn flood protection using iptables
https://www.redhat.com/en/blog/mitigate ... nux-7-beta works for me.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Syn flood protection using iptables
TrevorH wrote: ↑2023/06/05 11:06:07
    https://www.redhat.com/en/blog/mitigate ... nux-7-beta works for me.
How do you test this? How do you know whether it works or not?
Re: Syn flood protection using iptables
I'm pretty sure that if you google for tools to launch a syn flood attack you will find something that can do it. We were "lucky" that someone decided to test it for us...