admin avatar

nftables实现简单的DDOS攻击防护的规则

🕤 by admin

nftables实现简单的DDOS攻击防护的规则

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

# Declare the base chain for incoming connections to the Minecraft server
chain input {
  type filter hook input priority 0;

  # Accept incoming connections from the local network
  iifname "eth0" accept

  # Reject connections that use reserved or private IP addresses
  ip saddr 127.0.0.0/8 counter reject
  ip saddr 10.0.0.0/8 counter reject
  ip saddr 172.16.0.0/12 counter reject
  ip saddr 192.168.0.0/16 counter reject

  # Reject connections that use invalid or spoofed IP addresses
  ip option drop

  # Limit the rate of incoming connections from a single IP address
  ip limit rate 25/minute counter

  # Reject incoming connections that use a reserved or private port number
  tcp dport 0-1023 counter reject

  # Accept incoming connections to the Minecraft server on port 25565
  tcp dport 25565 accept
}

# Declare the base chain for outgoing connections from the Minecraft server
chain output {
  type filter hook output priority 0;

  # Accept outgoing connections to the local network
  oifname "eth0" accept

  # Reject connections that use reserved or private IP addresses
  ip daddr 127.0.0.0/8 counter reject
  ip daddr 10.0.0.0/8 counter reject
  ip daddr 172.16.0.0/12 counter reject
  ip daddr 192.168.0.0/16 counter reject

  # Reject connections that use invalid or spoofed IP addresses
  ip option drop

  # Limit the rate of outgoing connections to a single IP address
  ip limit rate 25/minute counter

  # Reject outgoing connections that use a reserved or private port number
  tcp sport 0-1023 counter reject

  # Accept outgoing connections from the Minecraft server on port 25565
  tcp sport 25565 accept
}

# Declare the chain for blocking malicious connections to the Minecraft server
chain block {
  type filter hook input priority 100;

  # Reject incoming connections that use a fake session
  ct state invalid counter reject

  # Reject incoming connections that use a query flood
  ct state new limit rate 15/minute counter reject

  # Reject incoming connections that use a bot attack
  ct state new limit rate 5/second counter reject
}

代码来源:https://github.com/Alexitru/nftables-minecraft-ddos-mitigation/blob/main/nftables.conf

💘 相关文章

写一条评论