linux command to prevent dos attack by using netstat and iptables

networking security iptables command-line-interface

5,630

Solution 1

You can also use iptables to limit the rate of incoming connections. For example if you don't want more than 200 connections per minute from a source:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 200 -j DROP

Solution 2

You can create an ipset. This way you can add as many IPs to the set as you need without modifying the iptables ruleset.

ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2

Or, in your case, use the output of your script, and read it with something like:

while read a; do ipset -A myset "$a"; done < <(your script here)

And the reference it in your iptables rules:

iptables -A INPUT -m set --set myset src -j DROP

Read the manpage for more details and options.

There are also other ways to mitigate a DDOS attack using iptables directly. Read the iptables manpage section about the connlimit and recent modules.

5,630

Morteza Soltanabadiyan

Updated on September 18, 2022

Comments

Morteza Soltanabadiyan over 1 year
I want to DROP more than 200 requests per ip to prevent ddos attack. this is command that i used to detect requests count per ip :
```
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr
```
now i want add all ip addresses that made more than 200 requests into IPtables to DROP input and out put.
- kaptan about 10 years
  
  As @dawud mentioned make sure you are aware that you can only "mitigate" and not really totally prevent DDOS attack to your server.
hpcodeit about 10 years

This is brilliant because ipsets are much faster than alternatives such as hashtables.
ffledgling over 9 years

It would be great to have an explanation of this as well.