Iptables Syn Flood

In this sample iptables_syn_flood_programs.cfg, we defend against syn flood attacks. 

///////////////////////////////////////////////////////////////////////////////
//
// iptables_syn_flood_programs.cfg
//
///////////////////////////////////////////////////////////////////////////////

        // SYN_FLOOD -- check for syn flood

        =iptables -N SYN_FLOOD
        =iptables -A SYN_FLOOD -p   tcp   --syn =synopt -j RETURN
        =iptables -A SYN_FLOOD -p ! tcp                 -j RETURN
        =iptables -A SYN_FLOOD -p   tcp ! --syn         -j RETURN
        =iptables -A SYN_FLOOD -j LOG --log-prefix "IPT SYN_FLOOD: " =logopt
        =iptables -A SYN_FLOOD -j DROP

///////////////////////////////////////////////////////////////////////////////

If syn datagrams arrive at a rate exceeding the thresholds specified in the =synopt macro

synopt          -m limit --limit 5/second --limit-burst 10

(defined in the file firewall_macros.cfg), we log and drop the datagrams.

This iptables_syn_flood_programs.cfg file is #included by the higher-level iptables_programs.cfg file.  In that file, we might have code invoking the SYN_FLOOD chain as follows:

        =iptables -A IN_NETWORK -p tcp --syn -j SYN_FLOOD
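To make the chain's behaviour concrete, here is an added example (not PIKT's code and not part of the original sample) that models the SYN_FLOOD chain in Python. It assumes the `limit` match behaves as Linux's xt_limit is documented: a token bucket holding `--limit-burst` tokens that refills at `--limit` tokens per second, with each matching packet consuming one token. The packet timings are constructed for the demonstration; no iptables command is run.

```python
"""Model of the SYN_FLOOD chain: rule order plus an xt_limit-style token bucket.

Added example, not PIKT's own code.  Assumption: `-m limit --limit 5/second
--limit-burst 10` is a token bucket with 10 tokens, refilled at 5 per second.
Clock values are simulated seconds; nothing here touches a real firewall.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    syn: bool = False   # True when the TCP SYN flag is set without ACK (iptables --syn)


class LimitMatch:
    """Token bucket mirroring `-m limit --limit RATE/second --limit-burst BURST`."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last = 0.0              # time of the previous evaluation

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynFloodChain:
    """Evaluates the five rules of the SYN_FLOOD chain in order and returns the verdict."""

    def __init__(self, rate_per_sec: float = 5, burst: int = 10):
        self.limit = LimitMatch(rate_per_sec, burst)   # the =synopt macro
        self.log = []                                  # what the LOG target would emit

    def verdict(self, pkt: Packet, now: float) -> str:
        # Rule 1: -p tcp --syn =synopt -j RETURN
        # Matches are evaluated left to right, so the bucket is only charged
        # when the packet really is a TCP SYN (the `and` short-circuits the same way).
        if pkt.proto == "tcp" and pkt.syn and self.limit.matches(now):
            return "RETURN"
        # Rule 2: -p ! tcp -j RETURN
        if pkt.proto != "tcp":
            return "RETURN"
        # Rule 3: -p tcp ! --syn -j RETURN
        if not pkt.syn:
            return "RETURN"
        # Rule 4: -j LOG --log-prefix "IPT SYN_FLOOD: "   (constructed log line)
        self.log.append(f"IPT SYN_FLOOD: proto=tcp syn=1 t={now:.3f}")
        # Rule 5: -j DROP
        return "DROP"


def simulate(events, rate_per_sec: float = 5, burst: int = 10):
    """Run a list of (time, Packet) through a fresh chain; return (verdicts, log lines)."""
    chain = SynFloodChain(rate_per_sec, burst)
    verdicts = [chain.verdict(pkt, t) for t, pkt in events]
    return verdicts, chain.log


if __name__ == "__main__":
    # Constructed traffic: 12 SYNs in one instant, then 7 more a second later.
    burst_events = [(0.0, Packet("tcp", syn=True)) for _ in range(12)]
    later_events = [(1.0, Packet("tcp", syn=True)) for _ in range(7)]
    verdicts, log = simulate(burst_events + later_events)
    print("passed:", verdicts.count("RETURN"), "dropped:", verdicts.count("DROP"))
    for line in log:
        print(line)
```

Two points worth noticing when reading the output. First, the bucket is global: every SYN from every source draws on the same ten tokens, so a single flooding host can push legitimate connection attempts into the LOG/DROP rules as well; per-source accounting needs the `hashlimit` match rather than `limit`. Second, non-SYN TCP segments and non-TCP datagrams never consume tokens and are always returned to the calling chain, which is exactly what rules 2 and 3 guarantee.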

For more examples, see Samples.

Page last updated 2010-04-15.
PIKT® is a registered trademark of the University of Chicago.   Copyright © 1998-2010 Robert Osterlund. All rights reserved.