How to configure iptables to prevent syn ddos ping attacks 09/23 Update SLTechnology News&Howtos

How to configure iptables to prevent syn ddos ping attacks

2025-09-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >

Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to configure iptables to prevent syn ddos ping attack". The explanation content in this article is simple and clear, easy to learn and understand. Please follow the ideas of Xiaobian slowly and deeply to study and learn "how to configure iptables to prevent syn ddos ping attack" together!

netfilter/iptables (iptables for short) constitutes a packet filtering firewall for Linux platforms. Like most Linux software, this packet filtering firewall is free and can replace expensive commercial firewall solutions to complete packet filtering, packet redirection and network address translation (NAT).

Configure firewalls to prevent syn, ddos attacks

[root@m176com ~]# vim /etc/sysconfig/iptables Add the following lines to iptables #anti syn, ddos-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN, RST -m limit --limit 1/s -j ACCEPT-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Note: First line: Maximum of 5 new connections allowed per second. Second line: Prevent various port scans. Line 3: Ping of Death, adjustable or disabled as needed

Restart firewall

[root@m176com ~]# /etc/init.d/iptables restart

Block an IP

# iptables -I INPUT -s 192.168.0.1 -j DROP

How do I prevent others from ping me?

# iptables -A INPUT -p icmp -j DROP

Sync Flood Prevention

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Prevent various port scans

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping flood attack (Ping of Death)

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPTNMAP FIN/URG/PSH# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROPXmas Tree# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROPAnother Xmas Tree# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROPNull Scan(possibly)iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROPSYN/RST# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROPSYN/FIN -- Scan(possibly)# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

Limit the speed at which internal packets are sent

#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Limit the number of connections made

#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT Thank you for reading, the above is "how to configure iptables to prevent syn ddos ping attack" content, after the study of this article, I believe everyone on how to configure iptables to prevent syn ddos ping attack this problem has a deeper experience, the specific use of the situation still needs to be verified by practice. Here is, Xiaobian will push more articles related to knowledge points for everyone, welcome to pay attention!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.