I have a small script that I can run for some DoS protection:
# Remove any previous copies of the two chains so the script can be re-run
iptables -F FLOOD 2>/dev/null
iptables -F FLOODCHECK 2>/dev/null
iptables -X FLOOD 2>/dev/null
iptables -X FLOODCHECK 2>/dev/null
# FLOOD: log the packet, record the source in the "flood" recent list, drop
iptables -N FLOOD
iptables -A FLOOD -j LOG --log-level debug --log-prefix "Firewall: Flood "
iptables -A FLOOD -m recent --set --name flood -j DROP
# FLOODCHECK: sources already in "flood" stay dropped for 600 s after their last
# attempt; a source seen 20 times in 4 s goes to FLOOD; anything else is
# counted in "all" and accepted
iptables -N FLOODCHECK
iptables -A FLOODCHECK -m recent --update --seconds 600 --name flood --rttl -j DROP
iptables -A FLOODCHECK -m recent --rcheck --seconds 4 --hitcount 20 --name all --rttl -j FLOOD
iptables -A FLOODCHECK -m recent --set --name all -j ACCEPT
# Only new TCP connections to port 3306 are sent through the check
iptables -I INPUT -p tcp --dport 3306 -m state --state NEW -j FLOODCHECK
The script checks for IPs that hit the server on port 3306 20 times in 4 seconds, and logs and blocks them if they do. There are particular IP addresses that I want exempt from this rule; how can I make an IP (i.e. 188.8.131.52) not be blocked even if it does this? I am sure this will involve "iptables -A FLOOD" in some way... but I did not create this little script and I'm not great with iptables commands.
Thanks very much for any assistance with this matter.
iptables -I INPUT ! -s 184.108.40.206 -p tcp --dport 3306 -m state --state NEW -j FLOODCHECK
Just add the IP with the negative '!' instruction.
By the way, if you log packets and get DDoS, I'm afraid you'll flood your logs.
Thanks very much for that and for the advice! Exactly what I wanted.
Just one more concern with regard to this, what if I want to add another unrelated IP address to this? Sorry for the probably simple question but I'm not certain of the syntax required... so say I want to have this rule but I want 220.127.116.11 AND 18.104.22.168 to both be ignored by this rule.
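An added example, not the poster's script or the answerer's command: a negated `! -s` match on the INPUT rule only covers one address, and stacking two such rules does not work (each address would fail its own rule's negation but still match the other rule and be checked). Putting one ACCEPT per exempt source at the head of FLOODCHECK handles any number of addresses, and a `-m limit` on the LOG rule addresses the log-flooding concern raised in the answer. The two default addresses are the ones from the follow-up question; the `IPT` and `EXEMPT_IPS` variables and the `apply` argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example: the FLOOD/FLOODCHECK chains from the question, plus a list of
# exempt source addresses and a rate-limited LOG rule.
# IPT is an assumed knob: leave it unset to apply the rules (needs root), or
# run with IPT=echo to print the commands instead of executing them.
IPT="${IPT:-iptables}"

# Sources that skip the flood check. Defaults are the two addresses from the
# follow-up question; override with EXEMPT_IPS="a.b.c.d e.f.g.h".
EXEMPT_IPS="${EXEMPT_IPS:-220.127.116.11 18.104.22.168}"

reset_chains() {
    # Flush and delete any previous copies so the script can be re-run.
    $IPT -F FLOOD 2>/dev/null
    $IPT -F FLOODCHECK 2>/dev/null
    $IPT -X FLOOD 2>/dev/null
    $IPT -X FLOODCHECK 2>/dev/null
}

build_flood_chain() {
    # FLOOD: log at most 5 lines/min (burst 10) so a flood cannot fill the
    # log, then record the source in the "flood" recent list and drop.
    $IPT -N FLOOD
    $IPT -A FLOOD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level debug --log-prefix "Firewall: Flood "
    $IPT -A FLOOD -m recent --set --name flood -j DROP
}

exempt_rules() {
    # One ACCEPT rule per exempt address, inserted at the head of FLOODCHECK,
    # so the recent-counter rules below never see these sources. ACCEPT is the
    # chain's own verdict for well-behaved clients, so exempt hosts are never
    # added to the "all" or "flood" lists either.
    for ip in $EXEMPT_IPS; do
        $IPT -I FLOODCHECK -s "$ip" -j ACCEPT
    done
}

build_check_chain() {
    # FLOODCHECK: already-flagged sources stay blocked for 600 s after their
    # last attempt (--update refreshes the timer); 20 new connections within
    # 4 s sends the source to FLOOD; everything else is counted and accepted.
    $IPT -N FLOODCHECK
    $IPT -A FLOODCHECK -m recent --update --seconds 600 --name flood --rttl -j DROP
    $IPT -A FLOODCHECK -m recent --rcheck --seconds 4 --hitcount 20 --name all --rttl -j FLOOD
    $IPT -A FLOODCHECK -m recent --set --name all -j ACCEPT
    exempt_rules   # -I puts these above the three rules just appended
}

hook_input() {
    # Only new TCP connections to 3306 go through the check.
    $IPT -I INPUT -p tcp --dport 3306 -m state --state NEW -j FLOODCHECK
}

main() {
    reset_chains
    build_flood_chain
    build_check_chain
    hook_input
}

# Run with "apply" as the first argument to install the rules; running or
# sourcing the file without arguments only defines the functions.
if [ "${1:-}" = apply ]; then
    main
fi
```

Preview the exact rules with `IPT=echo sh flood.sh apply` before running `sh flood.sh apply` as root; `iptables -L FLOODCHECK -n` afterwards should list the exempt ACCEPT rules first.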