Iptables Syn Flood
In this sample, iptables_syn_flood_programs.cfg, we defend against SYN flood attacks: bursts of TCP connection requests (SYN packets) sent faster than the host can complete the handshake, with the aim of filling its half-open connection table.
    ///////////////////////////////////////////////////////////////////////////////
    //
    // iptables_syn_flood_programs.cfg
    //
    ///////////////////////////////////////////////////////////////////////////////

    // SYN_FLOOD -- check for syn flood
    =iptables -N SYN_FLOOD
    =iptables -A SYN_FLOOD -p tcp --syn =synopt -j RETURN
    =iptables -A SYN_FLOOD -p ! tcp -j RETURN
    =iptables -A SYN_FLOOD -p tcp ! --syn -j RETURN
    =iptables -A SYN_FLOOD -j LOG --log-prefix "IPT SYN_FLOOD: " =logopt
    =iptables -A SYN_FLOOD -j DROP
    ///////////////////////////////////////////////////////////////////////////////
The first rule returns a SYN packet to the calling chain (that is, lets it continue normal processing) only while the arrival rate stays within the thresholds given by the =synopt macro, defined in the file firewall_macros.cfg as

    synopt -m limit --limit 5/second --limit-burst 10

The limit match is a token bucket: it holds at most 10 tokens (--limit-burst), refills at 5 tokens per second (--limit), and a SYN matches, spending one token, only when a token is available. Because -p tcp --syn is tested before the limit match, only SYN packets (SYN set, ACK/RST/FIN clear) draw on the bucket. SYN packets that arrive faster than the bucket refills fall through the next two rules, which return non-TCP packets and TCP packets that are not SYNs untouched, to the LOG rule, which records them with the "IPT SYN_FLOOD: " prefix and whatever options the =logopt macro supplies, and finally to DROP.

Two caveats. -m limit keeps a single bucket per rule, shared by every source address, so during a flood the attacker consumes the whole allowance and legitimate connection attempts are logged and dropped along with the flood; the hashlimit match with --hashlimit-mode srcip is the per-source alternative. Also, `-p ! tcp` is the older intrapositioned negation syntax; current iptables releases still accept it but warn that `! -p tcp` is the preferred form.
This iptables_syn_flood_programs.cfg file is #included by the higher-level iptables_programs.cfg file, which invokes the SYN_FLOOD chain for incoming connection attempts, for example:

    =iptables -A IN_NETWORK -p tcp --syn -j SYN_FLOOD

Since the jump itself selects only SYN packets, the two intermediate RETURN rules in the chain never fire from this call site; they make the chain safe to invoke from a less selective rule as well.
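To see what those thresholds actually do to a packet stream, the following Python script models the SYN_FLOOD chain rule by rule, with a token bucket that has the shape of the iptables limit match (one bucket per rule, --limit as the refill rate, --limit-burst as the bucket size and initial fill). It is an illustration added here, not part of the sample configuration or of the firewall toolkit; the timestamps, the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the 100 SYN/s flood are constructed test data.

```python
"""Model of the SYN_FLOOD chain, with a token bucket standing in for
``-m limit --limit 5/second --limit-burst 10``.  Added example; the packet
stream and addresses below are constructed test data, not captured traffic."""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass(frozen=True)
class Packet:
    t_ms: int                              # arrival time, milliseconds
    proto: str                             # "tcp", "udp", ...
    flags: frozenset = frozenset()         # TCP flag names, e.g. {"SYN"}
    src: str = "198.51.100.7"              # constructed (TEST-NET-2) address


def is_syn(p: Packet) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return p.proto == "tcp" and "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})


@dataclass
class LimitMatch:
    """Token bucket with the shape of the limit match: --limit is the refill
    rate (tokens per second), --limit-burst the bucket size and initial fill.
    There is ONE bucket for the rule, shared by every source address."""
    rate_per_s: int
    burst: int
    tokens: Fraction = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = Fraction(self.burst)

    def match(self, now_ms: int) -> bool:
        # Exact arithmetic so the simulation is deterministic at the boundaries.
        refill = Fraction((now_ms - self.last_ms) * self.rate_per_s, 1000)
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1      # a token is spent only when the rule matches
            return True
        return False


class SynFloodChain:
    """Walks a packet through the SYN_FLOOD rules in the order of the .cfg."""

    def __init__(self, limit_per_s: int = 5, burst: int = 10):
        self.synopt = LimitMatch(limit_per_s, burst)   # stands in for =synopt
        self.log: list[str] = []

    def verdict(self, p: Packet) -> str:
        # -A SYN_FLOOD -p tcp --syn =synopt -j RETURN
        # (--syn is tested first, so only SYNs spend tokens)
        if is_syn(p) and self.synopt.match(p.t_ms):
            return "RETURN"
        # -A SYN_FLOOD -p ! tcp -j RETURN
        if p.proto != "tcp":
            return "RETURN"
        # -A SYN_FLOOD -p tcp ! --syn -j RETURN
        if not is_syn(p):
            return "RETURN"
        # -A SYN_FLOOD -j LOG --log-prefix "IPT SYN_FLOOD: "  then  -j DROP
        self.log.append(f"IPT SYN_FLOOD: SRC={p.src} t={p.t_ms}ms")
        return "DROP"


def syn_stream(pps: int, seconds: int, src: str, offset_ms: int = 0) -> list[Packet]:
    """Constructed stream of bare SYNs at a constant rate from one source."""
    return [Packet(offset_ms + i * 1000 // pps, "tcp", frozenset({"SYN"}), src)
            for i in range(pps * seconds)]


def run(packets: list[Packet], limit_per_s: int = 5, burst: int = 10) -> dict:
    """Feed packets in arrival order; return per-source verdict counts and log size."""
    chain = SynFloodChain(limit_per_s, burst)
    counts: dict[str, dict[str, int]] = {}
    for p in sorted(packets, key=lambda p: p.t_ms):
        v = chain.verdict(p)
        counts.setdefault(p.src, {"RETURN": 0, "DROP": 0})[v] += 1
    return {"by_src": counts, "logged": len(chain.log)}


if __name__ == "__main__":
    attacker = syn_stream(100, 2, "203.0.113.9")     # 100 SYN/s for 2 s (constructed)
    client = [Packet(t, "tcp", frozenset({"SYN"}), "198.51.100.7") for t in (505, 1505)]
    print(run(attacker + client))                     # client's two SYNs are dropped
    print(run(client))                                # same client alone: both pass
```

With the defaults, the flood gets its first 10 SYNs through from the initial burst and then one every 200 ms, 19 in 2 seconds, while the other 181 are logged and dropped. The two SYNs from the legitimate client, arriving while the bucket is empty, are dropped too; run alone they both pass. That is the shared-bucket behaviour of -m limit described above, which is what a per-source match would avoid.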
For more examples, see Samples.