nftables实现简单的DDOS攻击防护的规则
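# Base chain for packets arriving at this host (input hook, priority 0).
# The policy is made explicit: whatever is not accepted below is dropped.
# Without "policy drop" a base chain defaults to accept, so the "accept"
# rules in the original chain had no effect and every unmatched packet
# (any UDP port, any TCP port above 1023) still got through.
chain input {
    type filter hook input priority 0; policy drop;

    # Loopback is always accepted. It has to come before the rule that drops
    # 127.0.0.0/8 sources, otherwise local services cannot talk to each other.
    iifname "lo" accept

    # Replies to connections this host opened itself (DNS, authentication
    # servers, ...) would otherwise be dropped by the policy.
    ct state established,related accept

    # Packets that conntrack cannot associate with a valid flow. Dropped rather
    # than rejected: answering an invalid packet is pointless and, during a
    # flood, turns every such packet into a reflected reply.
    ct state invalid counter drop

    # Accept everything from the local network interface.
    # NOTE(review): the original comment calls eth0 the local network. If eth0
    # is in fact the Internet-facing interface, this rule accepts all traffic
    # before any of the filtering below runs - confirm which interface it is.
    iifname "eth0" accept

    # Packets claiming a loopback or private source address (spoofed when they
    # arrive on a public interface). One anonymous set replaces the original
    # four rules. Dropped, not rejected: a spoofed source cannot be answered.
    ip saddr { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop

    # Source-routed packets. The original "ip option drop" is not a complete
    # expression: the option name and "exists" are required.
    # NOTE(review): ip option matching needs a recent nft/kernel - confirm.
    ip option lsrr exists counter drop
    ip option ssrr exists counter drop

    # Per-source limit on new connections to the game port. The original
    # "ip limit rate 25/minute counter" is not valid syntax, counted all
    # sources together and carried no verdict. "limit rate over" matches the
    # packets that EXCEED the rate; without "over" a limit matches the packets
    # that are still within it. Over-limit packets are dropped, not rejected,
    # so a flood does not earn a reply per packet.
    tcp dport 25565 ct state new meter mc_new_per_src { ip saddr limit rate over 25/minute } drop

    # Connections to well-known ports: nothing on those is served here.
    tcp dport 0-1023 counter reject

    # The Minecraft server port.
    tcp dport 25565 accept

    # NOTE(review): with "policy drop", any other service on this host (for
    # example the one used to administer it) needs its own accept rule in this
    # chain - confirm before loading, or the host becomes unreachable.
}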
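# Base chain for packets generated by this host (output hook, priority 0).
# The egress filtering the author intended is kept, but the policy is made
# explicit and loopback is accepted before the 127.0.0.0/8 rule that in the
# original rejected every local connection (loopback leaves via "lo", not
# "eth0", so the eth0 accept never covered it).
chain output {
    type filter hook output priority 0; policy accept;

    # Local services talk to each other over lo using 127.0.0.0/8 addresses;
    # this must precede the reject of that range below.
    oifname "lo" accept

    # Packets belonging to connections that were already accepted on input.
    ct state established,related accept
    ct state invalid counter drop

    # Everything leaving through the local network interface.
    # NOTE(review): as in the input chain, confirm that eth0 is really the
    # internal interface; if it is the public one this rule disables every
    # rule below for that interface.
    oifname "eth0" accept

    # Do not originate connections to loopback or private ranges on any other
    # interface (one anonymous set instead of the original four rules).
    ip daddr { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter reject

    # Source-routed packets; the original "ip option drop" alone is not a
    # complete expression.
    # NOTE(review): ip option matching needs a recent nft/kernel - confirm.
    ip option lsrr exists counter drop
    ip option ssrr exists counter drop

    # Rate of new outbound connections to any single destination address, which
    # is what the original comment describes. "ip limit rate 25/minute counter"
    # is not valid syntax, was not per destination and had no verdict; "over"
    # matches the packets that exceed the rate.
    ct state new meter out_new_per_dst { ip daddr limit rate over 25/minute } drop

    # Packets sent from well-known ports. With established/related accepted
    # above this only affects packets that are not part of a tracked flow.
    tcp sport 0-1023 counter reject

    # The Minecraft server's own replies.
    tcp sport 25565 accept
}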
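# Second base chain on the input hook. Priority 100 means it runs after
# "input" (priority 0) for the packets that chain accepted; "accept" in one
# base chain does not skip the later chains on the same hook. No policy is
# set, so as in the original the default (accept) applies to packets that
# reach the end of this chain.
chain block {
    type filter hook input priority 100;

    # Packets conntrack cannot match to a flow. Dropped instead of rejected:
    # there is no valid connection to answer, and a reject reply per packet
    # turns a flood into reflected traffic.
    ct state invalid counter drop

    # Limits on new connections per source address. The original rules used
    # "limit rate N" without "over", which matches the packets that are still
    # WITHIN the rate: the first 15 new connections per minute were rejected
    # and everything beyond them was let through - the opposite of the intent.
    # "over" fixes the direction. The original limits were also global, so one
    # flooding client exhausted the budget for every legitimate player;
    # "meter ... ip saddr" keeps a separate limit per source. Over-limit
    # packets are dropped rather than rejected so the flood earns no replies.
    ct state new meter block_new_per_min { ip saddr limit rate over 15/minute } drop
    ct state new meter block_new_per_sec { ip saddr limit rate over 5/second } drop
}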
代码来源:https://github.com/Alexitru/nftables-minecraft-ddos-mitigation/blob/main/nftables.conf