{"id":5500,"date":"2022-08-24T11:01:47","date_gmt":"2022-08-24T02:01:47","guid":{"rendered":"\/blog\/?p=5500"},"modified":"2023-09-21T09:26:24","modified_gmt":"2023-09-21T00:26:24","slug":"iptables%eb%a5%bc-%ec%9d%b4%ec%9a%a9%ed%95%9c-ddos-%eb%b0%a9%ec%96%b4-%ea%b6%81%ea%b7%b9%ec%9d%98-%ea%b0%80%ec%9d%b4%eb%93%9c","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=5500","title":{"rendered":"IPtables\ub97c \uc774\uc6a9\ud55c DDoS \ubc29\uc5b4: \uad81\uadf9\uc758 \uac00\uc774\ub4dc"},"content":{"rendered":"\n

DDoS Protection With IPtables: The Ultimate Guide \uae00\uc744 \ubc88\uc5ed\ud55c \ub0b4\uc6a9\uc785\ub2c8\ub2e4.
<\/span><\/p>\n

\uc6d0\ubcf8 \uae00: https:\/\/javapipe.com\/ddos\/blog\/iptables-ddos-protection\/<\/a>
<\/span><\/p>\n

\ubc88\uc5ed \uae00: \ub9c1\ud06c<\/a><\/span><\/p>\n

iptables\uc5d0 \ub300\ud55c \uc790\uccb4 DDoS \ubc29\uc9c0 \uaddc\uce59\uc744 \uc791\uc131\ud558\ub294 \uc5ec\ub7ec \uac00\uc9c0 \ubc29\ubc95\uc774 \uc788\uc2b5\ub2c8\ub2e4.
<\/span><\/p>\n

\uc6b0\ub9ac\ub294 \uc774 \ud3ec\uad04\uc801 \uc778 \ud29c\ud1a0\ub9ac\uc5bc\uc5d0\uc11c \uac00\uc7a5 \ud6a8\uacfc\uc801\uc778 iptables DDoS \ubcf4\ud638 \ubc29\ubc95\uc744 \ub17c\uc758 \ud560 \uac83\uc785\ub2c8\ub2e4.<\/span><\/p>\n


\uc774 \uac00\uc774\ub4dc\ub294 \ub2e4\uc74c\uc744 \uc218\ud589\ud558\ub294 \ubc29\ubc95\uc744 \uc54c\ub824\uc90d\ub2c8\ub2e4.<\/span><\/h3>\n

DDoS \uacf5\uaca9\uc744 \ub9c9\uae30 \uc704\ud55c iptables \ud14c\uc774\ube14\uacfc \uccb4\uc778\uc744 \uc120\ud0dd
DDoS \uacf5\uaca9\uc758 \uc601\ud5a5\uc744 \uc904\uc774\uae30 \uc704\ud55c \ucee4\ub110 \uc124\uc815 \uc870\uc815
iptables\ub97c \uc0ac\uc6a9\ud558\uc5ec \ub300\ubd80\ubd84\uc758 TCP \uae30\ubc18 DDoS \uacf5\uaca9 \ucc28\ub2e8
iptables SYNPROXY\ub97c \uc0ac\uc6a9\ud558\uc5ec SYN \ud50c\ub7ec\ub4dc\ub97c \ucc28\ub2e8\ud558\uae30<\/span><\/p>\n


\uc774 \uae00\uc740 \ub9ac\ub205\uc2a4 \uc11c\ubc84\ub97c \ub9e4\uc77c \ub2e4\ub8e8\ub294 \uc804\ubb38\uac00\ub97c \ub300\uc0c1\uc73c\ub85c \uc791\uc131\ub418\uc5c8\uc2b5\ub2c8\ub2e4.

\uc628\ub77c\uc778 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 DDoS \uacf5\uaca9\uc73c\ub85c\ubd80\ud130 \ubcf4\ud638\ud558\ub824\ub294 \uacbd\uc6b0 \uc6d0\uaca9 \ubcf4\ud638, DDoS \ubcf4\ud638 \uae30\ub2a5\uc774\uc788\ub294 VPS \ub610\ub294 DDoS\ub85c \ubcf4\ud638 \ub41c \ubca0\uc5b4 \uba54\ud0c8 (Bare Metal) \uc11c\ubc84\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.
iptables\ub85c DDoS \uacf5\uaca9\uc744 \ucc28\ub2e8\ud560 \uc218\ub294 \uc788\uc9c0\ub9cc \ub300\uaddc\ubaa8 DDoS \ud50c\ub7ec\ub4dc\ub97c \ud0d0\uc9c0\ud558\uace0 \ucc28\ub2e8\ud558\uae30 \uc704\ud55c \uc2e4\uc81c \ud558\ub4dc\uc6e8\uc5b4 \ubc29\ud654\ubcbd (\ucd5c\uadfc\uc5d0 DDoS \uc644\ud654\ub97c \uc704\ud574 \ud558\ub4dc\uc6e8\uc5b4\ub97c \uac80\ud1a0 \ud55c \ubc29\ubc95)\uc744 \ub300\uccb4\ud560 \uc218\ub294 \uc5c6\uc2b5\ub2c8\ub2e4.
\uadf8\ub7ec\ub098 iptables\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud68c\uc120 \uc18d\ub3c4\ub85c \ub300\ubd80\ubd84\uc758 \ubd88\ub7c9 \ud2b8\ub798\ud53d\uc744 \ud544\ud130\ub9c1\ud558\ub294 \uac83\uc740 \ubd88\uac00\ub2a5\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4!
\uc6b0\ub9ac\ub294 TCP \uae30\ubc18 \uacf5\uaca9\uc73c\ub85c\ubd80\ud130\ub9cc \ubcf4\ud638\ud560 \uac83\uc785\ub2c8\ub2e4. \ub300\ubd80\ubd84\uc758 UDP \uae30\ubc18 \uacf5\uaca9\uc740 \ubaa8\ub4e0 \uacf5\ud1b5 \uc11c\ubc84\uc758 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4 \uce74\ub4dc\ub97c \uc18c\ubaa8\ud558\ub294 \uc99d\ud3ed\ub41c \ubc18\uc0ac \uacf5\uaca9\uc785\ub2c8\ub2e4.
\uc774\ub7ec\ud55c \uc720\ud615\uc758 \uacf5\uaca9\uc5d0 \ub300\ucc98\ud558\ub294 \uc720\uc77c\ud55c \uc644\ud654 \uc811\uadfc\ubc95\uc740 \uc5d0\uc9c0 \ub124\ud2b8\uc6cc\ud06c \ub610\ub294 \ucf54\uc5b4 \ub124\ud2b8\uc6cc\ud06c \ub610\ub294 \uce90\ub9ac\uc5b4\uc5d0\uc11c \ubbf8\ub9ac \ucc28\ub2e8\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.<\/span><\/p>\n

\uc6b0\ub9ac\ub294 \ud604\uc7ac \uc77c\ub9ac\ub178\uc774 \uc8fc \uc2dc\uce74\uace0\uc640 \ub8e8\ub9c8\ub2c8\uc544\uc758 \ubd80\uce74\ub808\uc2a4\ud2b8\uc5d0\uc11c \uce21\uc815\ub418\uc9c0 \uc54a\uc740 \ub300\uc5ed\ud3ed\uacfc DDoS \ubcf4\ud638 \uae30\ub2a5\uc744 \uac16\ucd98 VPS\ub97c \uc81c\uacf5\ud558\uace0 \uc788\ub2e4\ub294 \uac83\uc744 \uc54c\uace0 \uacc4\uc168\uc2b5\ub2c8\uae4c?
\uadf8\ub4e4\uc774 \uc11c\ubc84\uc5d0 \uc5f0\uacb0\ud560 \uc218 \uc788\ub2e4\uba74 DDoS\ub85c \ubcf4\ud638\ub418\ub294 \ub124\ud2b8\uc6cc\ud06c\ub85c \uc774\ub3d9\ud558\ub294 \uac83\uc744 \uc81c\uc678\ud558\uace0\ub294 \ub2e4\uc911 Gbit \/ s \uacf5\uaca9\uc5d0 \ub300\ud574 \ud560 \uc218\uc788\ub294 \uc77c\uc774 \ub9ce\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.<\/span><\/p>\n

IPtables \ub780?
netfilter iptables (\uace7 nftables\ub85c \ub300\uccb4)\ub294 netfilter\uc5d0\uc11c \uac1c\ubc1c \ud55c \ucee4\ub110 \ud328\ud0b7 \ud544\ud130\ub9c1 \uaddc\uce59\uc744 \uad6c\uc131\ud558\ub294 \uc0ac\uc6a9\uc790 \uacf5\uac04 \uba85\ub839\ud589 \uc720\ud2f8\ub9ac\ud2f0\uc785\ub2c8\ub2e4.
\ub9ac\ub205\uc2a4 \uc2dc\uc2a4\ud15c\uc758 \uae30\ubcf8 \ubc29\ud654\ubcbd \uad00\ub9ac \uc720\ud2f8\ub9ac\ud2f0\uc785\ub2c8\ub2e4. \ub9ac\ub205\uc2a4 \uc2dc\uc2a4\ud15c\uc744 \uc0ac\uc6a9\ud558\ub294 \ubaa8\ub4e0 \uc0ac\ub78c\ub4e4\uc740 \uc775\uc219\ud558\uac70\ub098 \uc801\uc5b4\ub3c4 \ub4e4\uc5b4 \ubd24\uc5b4\uc57c \ud569\ub2c8\ub2e4.
iptables\ub294 \ud2b9\uc815 \ud328\ud0b7\uc744 \ud544\ud130\ub9c1\ud558\uace0, \uc18c\uc2a4 \ub610\ub294 \ub300\uc0c1 \ud3ec\ud2b8 \ubc0f IP \uc8fc\uc18c\ub97c \ucc28\ub2e8\ud558\uace0, NAT\ub97c \ud1b5\ud574 \ud328\ud0b7\uc744 \uc804\ub2ec\ud558\uace0 \ub2e4\ub978 \ub9ce\uc740 \uac83\ub4e4\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.
\uac00\uc7a5 \uc77c\ubc18\uc801\uc73c\ub85c \ub300\uc0c1 \ud3ec\ud2b8\uc640 \uc18c\uc2a4 IP \uc8fc\uc18c\ub97c \ucc28\ub2e8\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4.<\/span><\/p>\n


\uc65c IPtables Anti-DDoS \uaddc\uce59\uc77c\uae4c?

<\/span>\ud604\uc7ac iptables\uac00 DDoS \uacf5\uaca9\uc744 \ub9c9\ub294 \uaddc\uce59\uc744 \uc774\ud574\ud558\ub294 \uc774\uc720\ub97c \uc54c\uc544\ubcf4\uae30 \uc704\ud574 iptables\uc758 \uc791\ub3d9 \ubc29\uc2dd\uc744 \uba3c\uc800 \uc774\ud574\ud574\uc57c \ud569\ub2c8\ub2e4.

<\/span>iptables\ub294 IP \ud328\ud0b7 \ud544\ud130 \uaddc\uce59 \ud14c\uc774\ube14\uc744 \uc124\uc815\ud558\uace0 \uc81c\uc5b4\ud558\ub294 \u200b\u200b\ub370 \uc0ac\uc6a9\ub418\ub294 \uba85\ub839\ud589 \ub3c4\uad6c\uc785\ub2c8\ub2e4. <\/span>\ubaa9\uc801\uc5d0 \ub530\ub77c \ub2e4\ub978 \ud14c\uc774\ube14\uc774 \uc788\uc2b5\ub2c8\ub2e4.
<\/span><\/span><\/p>\n

IPtables \ud14c\uc774\ube14

<\/span>Filter : Filter \ud14c\uc774\ube14\uc740 -t (-table) \uc635\uc158\uc744 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uc73c\uba74 \uaddc\uce59\uc774 \uc0ac\uc6a9\ud558\ub294 \uac00\uc7a5 \uc77c\ubc18\uc801\uc73c\ub85c \uc0ac\uc6a9\ub418\ub294 \uae30\ubcf8 \ud14c\uc774\ube14\uc785\ub2c8\ub2e4.

<\/span>Nat :\uc774 \ud14c\uc774\ube14\uc740 NAT(Network Address Translation:\ub124\ud2b8\uc6cd \uc8fc\uc18c \uc804\ub2ec)\uc5d0 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. <\/span>\ud328\ud0b7\uc774 \uc0c8\ub85c\uc6b4 \uc5f0\uacb0\uc744 \uc0dd\uc131\ud558\uba74 nat \ud14c\uc774\ube14\uc5d0 \uaddc\uce59\uc774 \uc788\ub294\uc9c0 \uac80\uc0ac\ud569\ub2c8\ub2e4(\uc5ed\uc8fc: \uc27d\uac8c \uc124\uba85\ud558\uc790\uba74 \uc778\ud130\ub137 \uacf5\uc720\uae30 \uc5ed\ud560).

<\/span>Mangle : mangle \ud14c\uc774\ube14\uc740 \ud328\ud0b7\uacfc \ud5e4\ub354 \uc815\ubcf4\ub97c \uc218\uc815\ud558\uac70\ub098 \ud45c\uc2dc\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4.

<\/span>Raw :\uc774 \ud14c\uc774\ube14\uc758 \ubaa9\uc801\uc740 \uc8fc\ub85c NOTRACK \ub300\uc0c1\uc744 \uc0ac\uc6a9\ud558\ub294 \uc5f0\uacb0 \ucd94\uc801\uc5d0\uc11c \ud2b9\uc815 \ud328\ud0b7\uc744 \uc81c\uc678\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.

<\/span>\uc704\uc5d0\uc11c \ubcf4\ub4ef\uc774 \ud45c\uc900\uc774 \uc544\ub2cc \ucee4\ub110 \ubaa8\ub4c8\uc774 \ub85c\ub4dc\ub418\uc9c0 \uc54a\uc740 \uc77c\ubc18 Linux \uc2dc\uc2a4\ud15c\uc5d0\ub294 \ub124 \uac00\uc9c0 \ud14c\uc774\ube14\uc774 \uc788\uc2b5\ub2c8\ub2e4. <\/span>\uc774 \ud14c\uc774\ube14 \uac01\uac01\uc740 iptables \uccb4\uc778\uc758 \ub2e4\ub978 \uc138\ud2b8\ub97c \uc9c0\uc6d0\ud569\ub2c8\ub2e4.
<\/span><\/span><\/p>\n

 <\/p>\n

IPtables Chains<\/h3>\n

PREROUTING:<\/strong> raw, nat, mangle<\/p>\n

    \n
  • \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4 \uce74\ub4dc (NIC)\uc5d0 \ub4e4\uc5b4\uac00\ub294 \ud328\ud0b7\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4.<\/li>\n<\/ul>\n

    INPUT:<\/strong> filter, mangle<\/p>\n

      \n
    • \ub85c\uceec \uc18c\ucf13\uc744 \ub300\uc0c1\uc73c\ub85c\ud558\ub294 \ud328\ud0b7\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4.<\/li>\n<\/ul>\n

      FORWARD:<\/strong> filter, mangle<\/p>\n

        \n
      • \uc11c\ubc84\ub97c \ud1b5\ud574 \ub77c\uc6b0\ud305\ub418\ub294 \ud328\ud0b7\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4.<\/li>\n<\/ul>\n

        OUTPUT:<\/strong> raw, filter, nat, mangle<\/p>\n

          \n
        • \uc11c\ubc84\uac00 \uc804\uc1a1\ud558\ub294 \ud328\ud0b7 (\ub85c\uceec\uc5d0\uc11c \uc0dd\uc131 \ub41c \ud328\ud0b7)\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4.<\/li>\n<\/ul>\n

          POSTROUTING:<\/strong> nat, mangle<\/p>\n

            \n
          • \uc11c\ubc84\uc5d0\uc11c \ub098\uac00\ub294 \ud328\ud0b7\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4.<\/li>\n<\/ul>\n

            <\/span><\/p>\n

             <\/p>\n

            \ucc28\ub2e8\ud558\uac70\ub098 \uc218\uc815\ud560 \ud328\ud0b7\uc758 \uc885\ub958\uc5d0 \ub530\ub77c \ud2b9\uc815 iptables \ud14c\uc774\ube14\uacfc \uc120\ud0dd\ud55c \ud14c\uc774\ube14\uc774 \uc9c0\uc6d0\ud558\ub294 \uccb4\uc778\uc744 \uc120\ud0dd\ud569\ub2c8\ub2e4.

            <\/span>\ubb3c\ub860, \uc6b0\ub9ac\ub294 \uc5ec\uc804\ud788 iptables \ud0c0\uac9f (ACCEPT, DROP, REJECT \ub4f1)\uc5d0 \ub300\ud55c \uc124\uba85\uc744 \ud558\uc9c0 \uc54a\uace0 \uc788\uc9c0\ub9cc \uc774 \uae30\uc0ac\ub97c \uc77d\ub294\ub2e4\uba74 \uc774\ubbf8 iptables\ub97c \ub2e4\ub8e8\ub294 \ubc29\ubc95\uc744 \uc54c\uace0 \uc788\ub2e4\uace0 \uac00\uc815\ud558\uace0 \uc788\uc2b5\ub2c8\ub2e4.

            <\/span>\uc6b0\ub9ac\ub294 \uc65c iptables \uaddc\uce59\uc774 DDoS\ub97c \uba48\ucd94\uace0, iptables \uc0ac\uc6a9\ubc95\uc744 \uac00\ub974\uccd0\uc8fc\uc9c0 \uc54a\ub294\uc9c0 \uc124\uba85 \ud560 \uac83\uc785\ub2c8\ub2e4. <\/span>\ub2e4\uc2dc \uc0dd\uac01\ud574 \ubd05\uc2dc\ub2e4.

            <\/span>iptables\ub85c DDoS \uacf5\uaca9\uc744 \ucc28\ub2e8\ud558\ub824\uba74 iptables \uaddc\uce59\uc758 \uc131\ub2a5\uc774 \ub9e4\uc6b0 \uc911\uc694\ud569\ub2c8\ub2e4. <\/span>\ub300\ubd80\ubd84\uc758 TCP \uae30\ubc18 DDoS \uacf5\uaca9 \uc720\ud615\uc740 \ub192\uc740 \ud328\ud0b7 \uc804\uc1a1\ub960\uc744 \uc0ac\uc6a9\ud569\ub2c8\ub2e4. \uc989, \ucd08\ub2f9 \ud328\ud0b7 \uc218\ub294 \uc11c\ubc84\uac00 \ub2e4\uc6b4\ub418\ub294 \uc6d0\uc778\uc785\ub2c8\ub2e4.

            <\/span>\ub530\ub77c\uc11c \uac00\ub2a5\ud55c \ud55c \ucd08\ub2f9 \ub9ce\uc740 \ud328\ud0b7\uc744 \ucc98\ub9ac\ud558\uace0 \ucc28\ub2e8\ud560 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud574\uc57c\ud569\ub2c8\ub2e4.

            <\/span>iptables\ub97c \uc0ac\uc6a9\ud558\uc5ec DDoS \uacf5\uaca9\uc744 \ucc28\ub2e8\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \ub300\ubd80\ubd84\uc758 \uc9c0\uce68\uc740 \uc804\ubd80\ub294 \uc544\ub2c8\uc9c0\ub9cc \ub300\ubd80\ubd84\uc758 \uacbd\uc6b0 DDoS \ubc29\uc9c0 \uaddc\uce59\uc5d0 \ud544\ud130 \ud14c\uc774\ube14\uacfc INPUT \uccb4\uc778\uc744 \uc0ac\uc6a9\ud569\ub2c8\ub2e4.

            <\/span>\uc774 \uc811\uadfc \ubc29\uc2dd\uc758 \ubb38\uc81c\uc810\uc740 INPUT \uccb4\uc778\uc774 PREROUTING \ubc0f FORWARD \uccb4\uc778 \ud6c4\uc5d0\ub9cc \u200b\u200b\ucc98\ub9ac\ub418\ubbc0\ub85c \ud328\ud0b7\uc774 \uc774 \ub450 \uccb4\uc778 \uc911 \ud558\ub098\uc640 \uc77c\uce58\ud558\uc9c0 \uc54a\ub294 \uacbd\uc6b0\uc5d0\ub9cc \uc801\uc6a9\ub41c\ub2e4\ub294 \uac83\uc785\ub2c8\ub2e4.

            <\/span>\uc774\ub85c \uc778\ud574 \uc790\uc6d0\uc744 \uc18c\ube44\ud558\ub294 \ud328\ud0b7\uc758 \ud544\ud130\ub9c1\uc774 \uc9c0\uc5f0\ub429\ub2c8\ub2e4. <\/span>\uacb0\ub860\uc801\uc73c\ub85c \uc6b0\ub9ac\ub294 \uaddc\uce59\uc744 \ucd5c\ub300\ud55c \ud6a8\uacfc\uc801\uc73c\ub85c \ub9cc\ub4e4\uae30 \uc704\ud574\uc11c\ub294 \uc6b0\ub9ac\uc758 anti-DDoS \uaddc\uce59\uc744 \uac00\ub2a5\ud558\uba74 \uccb4\uc778\uae4c\uc9c0 \uba40\ub9ac \uc62e\uaca8\uc57c\ud569\ub2c8\ub2e4.

            <\/span>\ud328\ud0b7\uc5d0 \uc801\uc6a9 \ud560 \uc218\uc788\ub294 \uccab \ubc88\uc9f8 \uccb4\uc778\uc740 PREROUTING \uccb4\uc778\uc774\ubbc0\ub85c \uc774\uc0c1\uc801\uc73c\ub85c \uc774 \uccb4\uc778\uc758 \uc798\ubabb\ub41c \ud328\ud0b7\uc744 \ud544\ud130\ub9c1\ud574\uc57c\ud569\ub2c8\ub2e4.

            <\/span>\uadf8\ub7ec\ub098 \ud544\ud130 \ud14c\uc774\ube14\uc740 PREROUTING \uccb4\uc778\uc744 \uc9c0\uc6d0\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. <\/span>\uc774 \ubb38\uc81c\ub97c \ud574\uacb0\ud558\uae30 \uc704\ud574 \uc548\ud2f0 DDoS iptables \uaddc\uce59\uc5d0 \ud544\ud130 \ud14c\uc774\ube14 \ub300\uc2e0 mangle \ud14c\uc774\ube14\uc744 \uc0ac\uc6a9\ud558\uba74\ub429\ub2c8\ub2e4.

            <\/span>\ud544\ud130 \ud14c\uc774\ube14\uc774 \uc9c0\uc6d0\ud558\ub294 \ubaa8\ub4e0 \uaddc\uce59\uc740 \uc544\ub2c8\uc9c0\ub9cc \ub300\ubd80\ubd84\uc758 iptables \uccb4\uc778\uc744 \uc9c0\uc6d0\ud569\ub2c8\ub2e4.<\/span><\/span><\/p>\n

             <\/p>\n

            \uadf8\ub798\uc11c iptables DDoS \ubcf4\ud638 \uaddc\uce59\uc774 \uc65c \uc5c9\ub9dd\uc774\ub418\ub294\uc9c0 \uc54c\uace0 \uc2f6\uc2b5\ub2c8\uae4c? \ubd88\ub7c9 \ud328\ud0b7\uc744 \ucc28\ub2e8\ud558\uae30 \uc704\ud574 \ud544\ud130 \ud14c\uc774\ube14\uacfc INPUT \uccb4\uc778\uc744 \uc0ac\uc6a9\ud558\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4!

            iptables \uaddc\uce59\uc758 \uc131\ub2a5\uc744 \uadf9\uc801\uc73c\ub85c \ud5a5\uc0c1\uc2dc\ud0a4\uace0 \ub530\ub77c\uc11c \ud544\ud130\ub9c1 \ud560 \uc218\uc788\ub294 (TCP) DDoS \uacf5\uaca9 \ud2b8\ub798\ud53d\uc758 \uc591\uc744 \uadf9\uc801\uc73c\ub85c \uc99d\uac00\uc2dc\ud0a4\ub294 \ucd5c\uc0c1\uc758 \uc194\ub8e8\uc158\uc740 mangle \ud14c\uc774\ube14\uacfc PREROUTING \uccb4\uc778\uc744 \uc0ac\uc6a9\ud558\ub294 \uac83\uc785\ub2c8\ub2e4!<\/span><\/p>\n


            <\/span><\/p>\n

            DDoS\ub97c \uc644\ud654\ud558\ub294 \ucd5c\uace0\uc758 Linux \ucee4\ub110 \uc124\uc815<\/strong>

            \ub610 \ub2e4\ub978 \uc77c\ubc18\uc801\uc778 \uc2e4\uc218\ub294 \uc0ac\ub78c\ub4e4\uc774 DDoS \uacf5\uaca9\uc758 \ud6a8\uacfc\ub97c \ub354 \uc798 \uc644\ud654\ud558\uae30 \uc704\ud574 \ucd5c\uc801\ud654\ub41c \ucee4\ub110 \uc124\uc815\uc744 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub294\ub2e4\ub294 \uac83\uc785\ub2c8\ub2e4.

            \uc774 \uac00\uc774\ub4dc\ub294 CentOS 7\uc744 \uc120\ud0dd\ud55c \uc6b4\uc601 \uccb4\uc81c\ub85c \uc911\uc810\uc801\uc73c\ub85c \uc124\uba85\ud569\ub2c8\ub2e4. CentOS 7\uc5d0\ub294 iptables\uc758 \ucd5c\uc2e0 \ubc84\uc804\uacfc \uc0c8\ub85c\uc6b4 SYNPROXY \ub300\uc0c1 \uc9c0\uc6d0 \uae30\ub2a5\uc774 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.

            iptables\ub85c DDoS\ub97c \ud6a8\uacfc\uc801\uc73c\ub85c \uc644\ud654\ud558\uae30 \uc704\ud574 \uc870\uc815\ud574\uc57c\ud558\ub294 \ubaa8\ub4e0 \ub2e8\uc77c \ucee4\ub110 \uc124\uc815\uc740 \ub2e4\ub8e8\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.

            \ub300\uc2e0 CentOS 7 \ucee4\ub110 \uc124\uc815\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc544\ub798\uc758 \ub0b4\uc6a9\uc744 \/etc\/sysctl.conf \ud30c\uc77c\uc5d0 \ub123\uace0 sysctl -p\uc640 \ud568\uaed8 \uc124\uc815\uc744 \uc801\uc6a9\ud558\uc2ed\uc2dc\uc624.<\/span><\/p>\n


            <\/span><\/p>\n

            Anti-DDoS Kernel Settings (sysctl.conf)<\/h3>\n
            kernel<\/span>.<\/span>printk <\/span>=<\/span> 4<\/span> 4<\/span> 1<\/span> 7<\/span> \nkernel<\/span>.<\/span>panic <\/span>=<\/span> 10<\/span> \nkernel<\/span>.<\/span>sysrq <\/span>=<\/span> 0<\/span> \nkernel<\/span>.<\/span>shmmax <\/span>=<\/span> 4294967296<\/span> \nkernel<\/span>.<\/span>shmall <\/span>=<\/span> 4194304<\/span> \nkernel<\/span>.<\/span>core_uses_pid <\/span>=<\/span> 1<\/span> \nkernel<\/span>.<\/span>msgmnb <\/span>=<\/span> 65536<\/span> \nkernel<\/span>.<\/span>msgmax <\/span>=<\/span> 65536<\/span> \nvm<\/span>.<\/span>swappiness <\/span>=<\/span> 20<\/span> \nvm<\/span>.<\/span>dirty_ratio <\/span>=<\/span> 80<\/span> \nvm<\/span>.<\/span>dirty_background_ratio <\/span>=<\/span> 5<\/span> \nfs<\/span>.<\/span>file<\/span>-<\/span>max <\/span>=<\/span> 2097152<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>netdev_max_backlog <\/span>=<\/span> 262144<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>rmem_default <\/span>=<\/span> 31457280<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>rmem_max <\/span>=<\/span> 67108864<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>wmem_default <\/span>=<\/span> 31457280<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>wmem_max <\/span>=<\/span> 67108864<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>somaxconn <\/span>=<\/span> 65535<\/span> \nnet<\/span>.<\/span>core<\/span>.<\/span>optmem_max <\/span>=<\/span> 25165824<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>neigh<\/span>.<\/span>default<\/span>.<\/span>gc_thresh1 <\/span>=<\/span> 4096<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>neigh<\/span>.<\/span>default<\/span>.<\/span>gc_thresh2 <\/span>=<\/span> 8192<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>neigh<\/span>.<\/span>default<\/span>.<\/span>gc_thresh3 <\/span>=<\/span> 16384<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>neigh<\/span>.<\/span>default<\/span>.<\/span>gc_interval <\/span>=<\/span> 5<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>neigh<\/span>.<\/span>default<\/span>.<\/span>gc_stale_time <\/span>=<\/span> 120<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_max <\/span>=<\/span> 10000000<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_loose <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_established <\/span>=<\/span> 1800<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_close <\/span>=<\/span> 10<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_close_wait <\/span>=<\/span> 10<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_fin_wait <\/span>=<\/span> 20<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_last_ack <\/span>=<\/span> 20<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_syn_recv <\/span>=<\/span> 20<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_syn_sent <\/span>=<\/span> 20<\/span> \nnet<\/span>.<\/span>netfilter<\/span>.<\/span>nf_conntrack_tcp_timeout_time_wait <\/span>=<\/span> 10<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_slow_start_after_idle <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>ip_local_port_range <\/span>=<\/span> 1024<\/span> 65000<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>ip_no_pmtu_disc <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>route<\/span>.<\/span>flush <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>route<\/span>.<\/span>max_size <\/span>=<\/span> 8048576<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>icmp_echo_ignore_broadcasts <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>icmp_ignore_bogus_error_responses <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_congestion_control <\/span>=<\/span> htcp \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_mem <\/span>=<\/span> 65536<\/span> 131072<\/span> 262144<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>udp_mem <\/span>=<\/span> 65536<\/span> 131072<\/span> 262144<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_rmem <\/span>=<\/span> 4096<\/span> 87380<\/span> 33554432<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>udp_rmem_min <\/span>=<\/span> 16384<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_wmem <\/span>=<\/span> 4096<\/span> 87380<\/span> 33554432<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>udp_wmem_min <\/span>=<\/span> 16384<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_max_tw_buckets <\/span>=<\/span> 1440000<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_tw_recycle <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_tw_reuse <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_max_orphans <\/span>=<\/span> 400000<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_window_scaling <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_rfc1337 <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_syncookies <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_synack_retries <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_syn_retries <\/span>=<\/span> 2<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_max_syn_backlog <\/span>=<\/span> 16384<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_timestamps <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_sack <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_fack <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_ecn <\/span>=<\/span> 2<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_fin_timeout <\/span>=<\/span> 10<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_keepalive_time <\/span>=<\/span> 600<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_keepalive_intvl <\/span>=<\/span> 60<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_keepalive_probes <\/span>=<\/span> 10<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>tcp_no_metrics_save <\/span>=<\/span> 1<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>ip_forward <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>conf<\/span>.<\/span>all<\/span>.<\/span>accept_redirects <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>conf<\/span>.<\/span>all<\/span>.<\/span>send_redirects <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>conf<\/span>.<\/span>all<\/span>.<\/span>accept_source_route <\/span>=<\/span> 0<\/span> \nnet<\/span>.<\/span>ipv4<\/span>.<\/span>conf<\/span>.<\/span>all<\/span>.<\/span>rp_filter <\/span>=<\/span> 1<\/span><\/pre>\n
            \uc774 sysctl.conf \uc124\uc815\uc740 DDoS \ud558\uc5d0\uc11c \uc11c\ubc84\uc758 \uc131\ub2a5\uc744 \ucd5c\ub300\ud654\ud558\ub294 \uac83\uc740 \ubb3c\ub860\uc774 \uac00\uc774\ub4dc\uc5d0\uc11c \uc81c\uacf5 \ud560 iptables \uaddc\uce59\uc758 \ud6a8\uacfc\ub97c \ub3d5\uc2b5\ub2c8\ub2e4.<\/p>\n

            \uc2e4\uc81c IPtables Anti-DDoS \uaddc\uce59

            DDoS \uacf5\uaca9\uc758 \uc601\ud5a5\uc744 \uc644\ud654\ud558\uae30 \uc704\ud574 \ucd5c\uc801\ud654 \ub41c \ucee4\ub110 \uc124\uc815\ubfd0\ub9cc \uc544\ub2c8\ub77c mangle \ud14c\uc774\ube14\uacfc PREROUTING \uccb4\uc778\uc744 \uc0ac\uc6a9\ud574\uc57c\ud55c\ub2e4\ub294 \uc0ac\uc2e4\uc744 \uc54c\uc558\uc73c\ubbc0\ub85c \ub300\ubd80\ubd84\uc758 TCP DDoS \uacf5\uaca9\uc744 \uc644\ud654\ud558\uae30\uc704\ud55c \uba87 \uac00\uc9c0 \uc608\uc81c \uaddc\uce59\uc73c\ub85c \uc774\ub3d9\ud569\ub2c8\ub2e4.

            DDoS \uacf5\uaca9\uc740 \ubcf5\uc7a1\ud569\ub2c8\ub2e4.

            DDoS\uc5d0\ub294 \uc5ec\ub7ec \uac00\uc9c0 \uc720\ud615\uc774 \uc788\uc73c\uba70 \ubaa8\ub4e0 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud574 \uc11c\uba85 \uae30\ubc18 \uaddc\uce59\uc744 \uc720\uc9c0\ud558\ub294 \uac83\uc740 \uac70\uc758 \ubd88\uac00\ub2a5\ud569\ub2c8\ub2e4.

            \ub2e4\ud589\ud788\ub3c4 \uc5f0\uacb0 \ucd94\uc801 (nf_conntrack \ucee4\ub110 \ubaa8\ub4c8)\uc774\ub77c\ub294 \uac83\uc774 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub294 \ud569\ubc95\uc801\uc778 \uac83\uc73c\ub85c \ubcf4\uc774\ub294 SYN \ud328\ud0b7\uc744 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub294 \uac70\uc758 \ubaa8\ub4e0 TCP \uae30\ubc18 DDoS \uacf5\uaca9\uc744 \uc644\ud654\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub420 \uc218 \uc788\uc2b5\ub2c8\ub2e4.

            \uc5ec\uae30\uc5d0\ub294 \uac00\uc9dc TCP \ud50c\ub798\uadf8\ub97c \uc0ac\uc6a9\ud558\ub294 \ubaa8\ub4e0 \uc720\ud615\uc758 ACK \ubc0f SYN-ACK DDoS \uacf5\uaca9\uacfc DDoS \uacf5\uaca9\uc774 \ud3ec\ud568\ub429\ub2c8\ub2e4.

            \uc6b0\ub9ac\ub294 \uc774\ubbf8 5 \uac1c\uc758 \uac04\ub2e8\ud55c iptables \uaddc\uce59\uc73c\ub85c \uc2dc\uc791\ud558\uc5ec \ub9ce\uc740 TCP \uae30\ubc18 DDoS \uacf5\uaca9\uc744 \ucc28\ub2e8\ud560 \uac83\uc785\ub2c8\ub2e4.<\/p>\n
             <\/p>\n
            \uc798\ubabb\ub41c \ud328\ud0b7 \ucc28\ub2e8<\/h3>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate INVALID <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \uc774 \uaddc\uce59\uc740 SYN \ud328\ud0b7\uc774 \uc544\ub2c8\uba70 \uc124\uc815\ub41c TCP \uc5f0\uacb0\uc5d0 \uc18d\ud558\uc9c0 \uc54a\ub294 \ubaa8\ub4e0 \ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4.<\/p>\n
             <\/p>\n
            SYN\uc774 \uc544\ub2cc \uc0c8 \ud328\ud0b7 \ucc28\ub2e8<\/h3>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>!<\/span> --<\/span>syn <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>j DROP<\/span><\/pre>\n\uc774\ub807\uac8c\ud558\uba74 \uc0c8 \ud328\ud0b7 (\uc124\uc815\ub41c \uc5f0\uacb0\uc5d0 \uc18d\ud558\uc9c0 \uc54a\uc74c)\uc774 \ubaa8\ub450 \ucc28\ub2e8\ub418\uace0 SYN \ud50c\ub798\uadf8\ub294 \uc0ac\uc6a9\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc774 \uaddc\uce59\uc740 \"\uc798\ubabb\ub41c \ud328\ud0b7 \ucc28\ub2e8\" \uaddc\uce59\uacfc \uc720\uc0ac\ud558\uc9c0\ub9cc \ub2e4\ub978 \ud328\ud0b7\uc774 \ud3ec\ucc29\ud558\uc9c0 \uc54a\ub294 \ud328\ud0b7\uc744 \ubc1c\uacac\ud569\ub2c8\ub2e4.

            \ud754\ud558\uc9c0 \uc54a\uc740 MSS \uac12 \ucc28\ub2e8<\/span>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>m tcpmss <\/span>!<\/span> --<\/span>mss <\/span>536<\/span>:<\/span>65535<\/span> -<\/span>j DROP<\/span><\/pre>\n\uc704\uc758 iptables \uaddc\uce59\uc740 \uacf5\ud1b5\uc801\uc774\uc9c0 \uc54a\uc740 TCP MSS \uac12\uc744 \uc0ac\uc6a9\ud558\ub294 \uc0c8\ub85c\uc6b4 \ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4 (SYN \ud328\ud0b7 \ub9cc \uc774\uc804 \ub450 \uaddc\uce59\uc5d0 \ub530\ub77c \uc0c8 \ud328\ud0b7\uc774 \ub420 \uc218 \uc788\uc74c). \uc774\ub807\uac8c \ud558\uba74 \ubc99\uc5b4\ub9ac SYN \ud50c\ub7ec\ub4dc\ub97c \ucc28\ub2e8\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774\ub429\ub2c8\ub2e4.

            <\/span>\n
            \uac00\uc9dc TCP \ud50c\ub798\uadf8\uac00\uc788\ub294 \ud328\ud0b7 \ucc28\ub2e8<\/h3>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>SYN<\/span>,<\/span>RST<\/span>,<\/span>PSH<\/span>,<\/span>ACK<\/span>,<\/span>URG NONE <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>SYN FIN<\/span>,<\/span>SYN <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags SYN<\/span>,<\/span>RST SYN<\/span>,<\/span>RST <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>RST FIN<\/span>,<\/span>RST <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>ACK FIN <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ACK<\/span>,<\/span>URG URG <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ACK<\/span>,<\/span>FIN FIN <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ACK<\/span>,<\/span>PSH PSH <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL ALL <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL NONE <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL FIN<\/span>,<\/span>PSH<\/span>,<\/span>URG <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL SYN<\/span>,<\/span>FIN<\/span>,<\/span>PSH<\/span>,<\/span>URG <\/span>-<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL SYN<\/span>,<\/span>RST<\/span>,<\/span>ACK<\/span>,<\/span>FIN<\/span>,<\/span>URG <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \uc704\uc758 \ub8f0\uc14b\uc740 \uac00\uc9dc TCP \ud50c\ub798\uadf8(<\/span>\ud569\ubc95\uc801\uc778 \ud328\ud0b7\uc774 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub294 TCP \ud50c\ub798\uadf8)<\/span>\ub97c \uc0ac\uc6a9\ud558\ub294 \ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4.<\/span><\/p>\n
            \uac1c\uc778 \uc11c\ube0c\ub137\uc758 \ud328\ud0b7 \ucc28\ub2e8 (\uc2a4\ud478\ud551)<\/span><\/h3>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>224.0<\/span>.<\/span>0.0<\/span>\/<\/span>3<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>169.254<\/span>.<\/span>0.0<\/span>\/<\/span>16<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>172.16<\/span>.<\/span>0.0<\/span>\/<\/span>12<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>192.0<\/span>.<\/span>2.0<\/span>\/<\/span>24<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>192.168<\/span>.<\/span>0.0<\/span>\/<\/span>16<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>10.0<\/span>.<\/span>0.0<\/span>\/<\/span>8<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>0.0<\/span>.<\/span>0.0<\/span>\/<\/span>8<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>240.0<\/span>.<\/span>0.0<\/span>\/<\/span>5<\/span> -<\/span>j DROP \niptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>127.0<\/span>.<\/span>0.0<\/span>\/<\/span>8<\/span> !<\/span> -<\/span>i lo <\/span>-<\/span>j DROP<\/span><\/pre>\n\uc774\ub7ec\ud55c \uaddc\uce59\uc740 \uac1c\uc778 (\ub85c\uceec) \uc11c\ube0c\ub137\uc5d0\uc11c \uc0dd\uc131 \ub41c \uc2a4\ud478\ud551 \ub41c \ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4. <\/span>\uacf5\uc6a9 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\uc5d0\uc11c \uc77c\ubc18\uc801\uc73c\ub85c \uac1c\uc778 \uc6d0\ubcf8 IP\ub85c\ubd80\ud130 \ud328\ud0b7\uc744 \uc218\uc2e0\ud558\uc9c0 \uc54a\uc73c\ub824 \uace0\ud569\ub2c8\ub2e4.

            <\/span>\uc774 \uaddc\uce59\uc740 \ub8e8\ud504\ubc31 \uc778\ud130\ud398\uc774\uc2a4\uac00 127.0.0.0\/8 IP \uacf5\uac04\uc744 \uc0ac\uc6a9\ud55c\ub2e4\uace0 \uac00\uc815\ud569\ub2c8\ub2e4.

            <\/span>\uc774 \ub2e4\uc12f \uac00\uc9c0 \uaddc\uce59\ub9cc\uc73c\ub85c\ub3c4 \ub9e4\uc6b0 \ub192\uc740 \ud328\ud0b7 \uc18d\ub3c4\uc5d0\uc11c \ub9ce\uc740 TCP \uae30\ubc18 DDoS \uacf5\uaca9\uc744 \ucc28\ub2e8\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.

            <\/span>\uc704\uc5d0\uc11c \uc5b8\uae09 \ud55c \ucee4\ub110 \uc124\uc815\uacfc \uaddc\uce59\uc744 \uc0ac\uc6a9\ud558\uba74 \ud68c\uc120 \uc18d\ub3c4\ub85c ACK \ubc0f SYN-ACK \uacf5\uaca9\uc744 \ud544\ud130\ub9c1 \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.

            <\/span><\/span>\n
            \ucd94\uac00 \uaddc\uce59<\/h2>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p icmp <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \uc774\ub807\uac8c\ud558\uba74 \ubaa8\ub4e0 ICMP \ud328\ud0b7\uc774 \uc0ad\uc81c\ub429\ub2c8\ub2e4. ICMP\ub294 \ud638\uc2a4\ud2b8\uac00 \uc544\uc9c1 \uc0b4\uc544 \uc788\ub294\uc9c0\ub97c \ud551 (ping)\ud558\ub294 \ub370\uc5d0\ub9cc \uc0ac\uc6a9\ub429\ub2c8\ub2e4. \uc77c\ubc18\uc801\uc73c\ub85c \ud544\uc694\ud558\uc9c0 \uc54a\uc73c\uba70 \uacf5\uaca9\uc790\uac00 \uc545\uc6a9 \ud560 \uc218\uc788\ub294 \ub610 \ub2e4\ub978 \ucde8\uc57d\uc810\ub9cc\uc744 \ub098\ud0c0 \ub0b4\uae30 \ub54c\ubb38\uc5d0 Ping of Death (ping flood), ICMP flood \ubc0f ICMP fragmentation flood\ub97c \uc644\ud654\ud558\uae30 \uc704\ud574 \ubaa8\ub4e0 ICMP \ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4.<\/p>\n
            iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>-<\/span>m connlimit <\/span>--<\/span>connlimit<\/span>-<\/span>above <\/span>80<\/span> -<\/span>j REJECT <\/span>--<\/span>reject<\/span>-<\/span>with<\/span> tcp<\/span>-<\/span>reset<\/span><\/pre>\n
            \uc774 iptables \uaddc\uce59\uc740 \uc5f0\uacb0 \uacf5\uaca9\uc5d0 \ub3c4\uc6c0\uc774\ub429\ub2c8\ub2e4. \uc5f0\uacb0\uc774 80 \uac1c \uc774\uc0c1\uc778 \ud638\uc2a4\ud2b8\uc758 \uc5f0\uacb0\uc744 \uac70\ubd80\ud569\ub2c8\ub2e4. \ubb38\uc81c\uac00 \ubc1c\uc0dd\ud560 \uacbd\uc6b0 \uc81c\ud55c\uc744 \ub298\ub824\uc57c\ud569\ub2c8\ub2e4. \uc774\ub294 \ub9ce\uc740 \uc218\uc758 TCP \uc5f0\uacb0\uc744 \uc124\uc815\ud558\ub294 \ud569\ubc95\uc801 \uc778 \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0\uac8c \ubb38\uc81c\ub97c \uc77c\uc73c\ud0ac \uc218 \uc788\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n
            iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>m limit <\/span>--<\/span>limit <\/span>60<\/span>\/<\/span>s <\/span>--<\/span>limit<\/span>-<\/span>burst <\/span>20<\/span> -<\/span>j ACCEPT \niptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ucd08\ub2f9 \uc124\uc815\ud560 \uc218\uc788\ub294 \uc0c8\ub85c\uc6b4 TCP \uc5f0\uacb0\uc744 \uc81c\ud55c\ud569\ub2c8\ub2e4. \uc774\uac83\uc740 \uc5f0\uacb0 \uacf5\uaca9\uc5d0 \uc720\uc6a9 \ud560 \uc218 \uc788\uc9c0\ub9cc \uc77c\ubc18\uc801\uc73c\ub85c SYN \ud64d\uc218\uc5d0 \ub300\ud574\uc11c\ub294 \uadf8\ub2e4\uc9c0 \ub9ce\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc65c\ub0d0\ud558\uba74 \uc77c\ubc18\uc801\uc73c\ub85c \ub05d\uc5c6\uc774 \ub2e4\ub978 \uc2a4\ud478\ud551 \ub41c \uc18c\uc2a4 IP\ub97c \uc0ac\uc6a9\ud558\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n
            iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>f <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \uc774 \uaddc\uce59\uc740 \ub2e8\ud3b8\ud654 \ub41c \ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4. \uc77c\ubc18\uc801\uc73c\ub85c UDP\ub294 \ud544\uc694\ud558\uc9c0 \uc54a\uc73c\uba70 UDP \ub2e8\ud3b8\ud654\ub97c \uc644\ud654\ud569\ub2c8\ub2e4. \ud558\uc9c0\ub9cc \ub300\ubd80\ubd84\uc758 \uc2dc\uac04 \ub3d9\uc548 UDP \uc870\uac01\ud654\ub294 \ub124\ud2b8\uc6cc\ud06c \uce74\ub4dc\uc758 \uc6a9\ub7c9\uc744 \uc18c\ubaa8 \ud560 \uc218\uc788\ub294 \ub9ce\uc740 \uc591\uc758 \ub300\uc5ed\ud3ed\uc744 \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\uc774 \uaddc\uce59\uc740 \uc120\ud0dd \uc0ac\ud56d\uc774\uba70 \uc544\ub9c8\ub3c4 \uac00\uc7a5 \uc720\uc6a9\ud558\uc9c0\ub294 \uc54a\uc2b5\ub2c8\ub2e4.<\/p>\n
            iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags RST RST <\/span>-<\/span>m limit <\/span>--<\/span>limit <\/span>2<\/span>\/<\/span>s <\/span>--<\/span>limit<\/span>-<\/span>burst <\/span>2<\/span> -<\/span>j ACCEPT \niptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags RST RST <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \uc774\uac83\uc740 \ub4e4\uc5b4\uc624\ub294 TCP RST \ud328\ud0b7\uc744 \uc81c\ud55c\ud558\uc5ec TCP RST \ud50c\ub7ec\ub4dc\ub97c \uc644\ud654\ud569\ub2c8\ub2e4. \uc774 \uaddc\uce59\uc758 \ud6a8\uacfc\ub294 \uc758\ubb38\uc758 \ub300\uc0c1\uc785\ub2c8\ub2e4.<\/p>\n
             <\/p>\n
            SYNPROXY\ub85c SYN \ud64d\uc218\ub97c \uc644\ud654\ud558\uc2ed\uc2dc\uc624

            SYNPROXY\ub294 Linux \ucee4\ub110 \ubc84\uc804 3.12 \ubc0f iptables 1.4.21\uc5d0 \ucd94\uac00 \ub41c iptables\uc758 \uc0c8\ub85c\uc6b4 \ub300\uc0c1\uc785\ub2c8\ub2e4. CentOS 7\uc740\uc774 \uae30\ub2a5\uc744 \ubc31 \ud3ec\ud2b8\ud558\uace0 3.10 \uae30\ubcf8 \ucee4\ub110\uc5d0\uc11c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.

            SYNPROXY\uc758 \ubaa9\uc801\uc740 SYN \ud328\ud0b7\uc744 \ubcf4\ub0b8 \ud638\uc2a4\ud2b8\uac00 \uc2e4\uc81c\ub85c \uc804\uccb4 TCP \uc5f0\uacb0\uc744 \uc124\uc815\ud558\ub294\uc9c0 \ub610\ub294 SYN \ud328\ud0b7\uc744 \ubcf4\ub0b8 \ud6c4\uc5d0 \uc544\ubb34 \uac83\ub3c4 \uc218\ud589\ud558\uc9c0 \uc54a\ub294\uc9c0 \ud655\uc778\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.

            \uc544\ubb34\uac83\ub3c4 \uc218\ud589\ud558\uc9c0 \uc54a\uc73c\uba74 \uc131\ub2a5\uc5d0 \ubbf8\uce58\ub294 \uc601\ud5a5\uc744 \ucd5c\uc18c\ud654\ud558\uba74\uc11c \ud328\ud0b7\uc744 \ubc84\ub9bd\ub2c8\ub2e4.

            \uc704\uc5d0\uc11c \uc81c\uacf5 \ud55c iptables \uaddc\uce59\uc740 \ub300\ubd80\ubd84\uc758 TCP \uae30\ubc18 \uacf5\uaca9\uc744 \ucc28\ub2e8\ud558\uc9c0\ub9cc SYN \ud64d\uc218\ub9cc\ud07c \uc815\uad50 \ud574\uc9c0\uba74 \uc5ec\uc804\ud788 \uacf5\uaca9 \uc720\ud615\uc744 \ud1b5\uacfc \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.

            \ud328\ud0b7 \uae38\uc774 (-m \uae38\uc774), TOS (-m tos), TTL (-m ttl) \ub610\ub294 \ubb38\uc790\uc5f4\uacfc \uac19\uc774 \ucc28\ub2e8\ud560 \ud2b9\uc815 \ud328\ud134\uc774\ub098 \uc11c\uba85\uc744 \ubc1c\uacac\ud558\uba74 \uaddc\uce59\uc758 \uc131\ub2a5\uc774 \ud56d\uc0c1 \ud5a5\uc0c1\ub41c\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud574\uc57c\ud569\ub2c8\ub2e4 \ubc0f 16 \uc9c4\uc218 \uac12 (\uace0\uae09 \uc0ac\uc6a9\uc790\uc758 \uacbd\uc6b0 -m \ubb38\uc790\uc5f4 \ubc0f -m u32)

            \uadf8\ub7ec\ub098 \ub4dc\ubb3c\uae30\ub294\ud558\uc9c0\ub9cc \uac00\ub2a5\ud558\uc9c0 \uc54a\uac70\ub098 \ub2ec\uc131\ud558\uae30\uac00 \uc27d\uc9c0 \uc54a\uc740 \uacbd\uc6b0\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \ub530\ub77c\uc11c \uc774\ub7ec\ud55c \uacbd\uc6b0 SYNPROXY\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.

            \ub2e4\uc74c\uc740 \ub2e4\ub978 \uaddc\uce59\uc744 \uc6b0\ud68c\ud558\ub294 SYN \ud50c\ub7ec\ub4dc\ub97c \uc644\ud654\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774\ub418\ub294 iptables SYNPROXY \uaddc\uce59\uc785\ub2c8\ub2e4.

            SYNPROXY IPtables \uaddc\uce59
            \uc544\ub798 \ub2e8\ucd94 \uc911 \ud558\ub098\ub97c \uc0ac\uc6a9\ud558\uc5ec SYNPROXY \uaddc\uce59\uc758 \uc7a0\uae08\uc744 \ud574\uc81c\ud558\uc2ed\uc2dc\uc624.
            \ucc98\ub7fc
            \uc9f9\uc9f9
            +1
            \uc624\ub958

            \uc774 \uaddc\uce59\uc740 \ubaa8\ub4e0 \ud3ec\ud2b8\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4. \ud65c\uc131\ud654 \ub41c \ud2b9\uc815 TCP \ud3ec\ud2b8\uc5d0\uc11c\ub9cc SYNPROXY\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 (\uad8c\uc7a5 - \ub610\ud55c mangle \ud14c\uc774\ube14\uacfc PREROUTING \uccb4\uc778\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub294 \ubaa8\ub4e0 TCP \ud3ec\ud2b8\ub97c \ucc28\ub2e8\ud574\uc57c \ud568) \uac01 \uaddc\uce59\uc5d0 -dport 80\uc744 \ucd94\uac00\ud558\uba74\ub429\ub2c8\ub2e4 \ud3ec\ud2b8 80\uc5d0\uc11c\ub9cc SYNPROXY\ub97c \uc0ac\uc6a9\ud558\ub824\ub294 \uacbd\uc6b0.

            SYNPROXY\uac00 \uc791\ub3d9\ud558\ub294\uc9c0 \ud655\uc778\ud558\ub824\uba74 -n1 cat \/ proc \/ net \/ stat \/ synproxy \uba85\ub839\uc744 \uc0ac\uc6a9\ud558\uc2ed\uc2dc\uc624. SYNPROXY\ub97c \uc0ac\uc6a9\ud558\ub294 \ud3ec\ud2b8\uc5d0 \ub300\ud574 \uc0c8 TCP \uc5f0\uacb0\uc744 \uc124\uc815\ud560 \ub54c \uac12\uc774 \ubcc0\uacbd\ub418\uba74 \uc791\ub3d9\ud569\ub2c8\ub2e4.<\/p>\n
             <\/p>\n
            The Complete IPtables Anti-DDoS Rules<\/h2>\n
            \uc774 \uae30\uc0ac\uc5d0\uc11c \uc124\uba85\ud55c \uac01 \ub2e8\uc77c \uaddc\uce59\uc744 \ubcf5\uc0ac\ud558\uc5ec \ubd99\uc5ec \ub123\uc9c0 \uc54a\uc73c\ub824\uba74 Linux \uc11c\ubc84\uc758 \uae30\ubcf8 DDoS \ubcf4\ud638\ub97c \uc704\ud574 \uc544\ub798\uc758 \uaddc\uce59 \uc9d1\ud569\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n
            ### 1: Drop invalid packets ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate INVALID <\/span>-<\/span>j DROP  \n\n<\/span>### 2: Drop TCP packets that are new and are not SYN ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>!<\/span> --<\/span>syn <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>j DROP \n \n<\/span>### 3: Drop SYN packets with suspicious MSS value ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>m tcpmss <\/span>!<\/span> --<\/span>mss <\/span>536<\/span>:<\/span>65535<\/span> -<\/span>j DROP  \n\n<\/span>### 4: Block packets with bogus TCP flags ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>SYN<\/span>,<\/span>RST<\/span>,<\/span>PSH<\/span>,<\/span>ACK<\/span>,<\/span>URG NONE <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>SYN FIN<\/span>,<\/span>SYN <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags SYN<\/span>,<\/span>RST SYN<\/span>,<\/span>RST <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>RST FIN<\/span>,<\/span>RST <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags FIN<\/span>,<\/span>ACK FIN <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ACK<\/span>,<\/span>URG URG <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ACK<\/span>,<\/span>FIN FIN <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ACK<\/span>,<\/span>PSH PSH <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL ALL <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL NONE <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL FIN<\/span>,<\/span>PSH<\/span>,<\/span>URG <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL SYN<\/span>,<\/span>FIN<\/span>,<\/span>PSH<\/span>,<\/span>URG <\/span>-<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags ALL SYN<\/span>,<\/span>RST<\/span>,<\/span>ACK<\/span>,<\/span>FIN<\/span>,<\/span>URG <\/span>-<\/span>j DROP  \n\n<\/span>### 5: Block spoofed packets ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>224.0<\/span>.<\/span>0.0<\/span>\/<\/span>3<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>169.254<\/span>.<\/span>0.0<\/span>\/<\/span>16<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>172.16<\/span>.<\/span>0.0<\/span>\/<\/span>12<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>192.0<\/span>.<\/span>2.0<\/span>\/<\/span>24<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>192.168<\/span>.<\/span>0.0<\/span>\/<\/span>16<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>10.0<\/span>.<\/span>0.0<\/span>\/<\/span>8<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>0.0<\/span>.<\/span>0.0<\/span>\/<\/span>8<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>240.0<\/span>.<\/span>0.0<\/span>\/<\/span>5<\/span> -<\/span>j DROP \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>s <\/span>127.0<\/span>.<\/span>0.0<\/span>\/<\/span>8<\/span> !<\/span> -<\/span>i lo <\/span>-<\/span>j DROP  \n\n<\/span>### 6: Drop ICMP (you usually don't need this protocol) ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>p icmp <\/span>-<\/span>j DROP  \n\n<\/span>### 7: Drop fragments in all chains ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>t mangle <\/span>-<\/span>A PREROUTING <\/span>-<\/span>f <\/span>-<\/span>j DROP  \n\n<\/span>### 8: Limit connections per source IP ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>-<\/span>m connlimit <\/span>--<\/span>connlimit<\/span>-<\/span>above <\/span>111<\/span> -<\/span>j REJECT <\/span>--<\/span>reject<\/span>-<\/span>with<\/span> tcp<\/span>-<\/span>reset  \n\n<\/span>### 9: Limit RST packets ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags RST RST <\/span>-<\/span>m limit <\/span>--<\/span>limit <\/span>2<\/span>\/<\/span>s <\/span>--<\/span>limit<\/span>-<\/span>burst <\/span>2<\/span> -<\/span>j ACCEPT \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags RST RST <\/span>-<\/span>j DROP  \n\n<\/span>### 10: Limit new TCP connections per second per source IP ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>m limit <\/span>--<\/span>limit <\/span>60<\/span>\/<\/span>s <\/span>--<\/span>limit<\/span>-<\/span>burst <\/span>20<\/span> -<\/span>j ACCEPT \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>j DROP  \n\n<\/span>### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### <\/span>\n# Hidden - unlock content above in \"Mitigating SYN Floods With SYNPROXY\" section<\/span><\/pre>\n
            Bonus Rules<\/h2>\n
            \ub2e4\uc74c\uc740 Linux \uc11c\ubc84\uc758 \uc804\ubc18\uc801\uc778 \ubcf4\uc548\uc744 \ud5a5\uc0c1\uc2dc\ud0a4\ub294 \ub370 \uc720\uc6a9\ud55c iptables \uaddc\uce59\uc785\ub2c8\ub2e4.<\/p>\n
            ### SSH brute-force protection ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>--<\/span>dport ssh <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>m recent <\/span>--<\/span>set<\/span> \n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A INPUT <\/span>-<\/span>p tcp <\/span>--<\/span>dport ssh <\/span>-<\/span>m conntrack <\/span>--<\/span>ctstate NEW <\/span>-<\/span>m recent <\/span>--<\/span>update <\/span>--<\/span>seconds <\/span>60<\/span> --<\/span>hitcount <\/span>10<\/span> -<\/span>j DROP  \n\n<\/span>### Protection against port scanning ### <\/span>\n\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>N port<\/span>-<\/span>scanning \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A port<\/span>-<\/span>scanning <\/span>-<\/span>p tcp <\/span>--<\/span>tcp<\/span>-<\/span>flags SYN<\/span>,<\/span>ACK<\/span>,<\/span>FIN<\/span>,<\/span>RST RST <\/span>-<\/span>m limit <\/span>--<\/span>limit <\/span>1<\/span>\/<\/span>s <\/span>--<\/span>limit<\/span>-<\/span>burst <\/span>2<\/span> -<\/span>j RETURN \n<\/span>\/<\/span>sbin<\/span>\/<\/span>iptables <\/span>-<\/span>A port<\/span>-<\/span>scanning <\/span>-<\/span>j DROP<\/span><\/pre>\n
            \uacb0\ub860<\/h2>\n
            \uc774 \ud29c\ud1a0\ub9ac\uc5bc\uc740 iptables\ub97c \uc0ac\uc6a9\ud558\uc5ec DDoS \uacf5\uaca9\uc744 \ub9c9\ub294 \uac00\uc7a5 \uac15\ub825\ud558\uace0 \ud6a8\uacfc\uc801\uc778 \ubc29\ubc95\uc744 \ubcf4\uc5ec\uc90d\ub2c8\ub2e4.<\/p>\n
            \uc6b0\ub9ac\ub294 iptables \uaddc\uce59\uc744 \uc0ac\uc6a9\ud558\uc5ec \ucd08\ub2f9 \uc218\ubc31\ub9cc \ud328\ud0b7<\/strong>\uc73c\ub85c \uc815\uc810\uc5d0 \ub3c4\ub2ec \ud55c DDoS \uacf5\uaca9\uc744 \uc131\uacf5\uc801\uc73c\ub85c \uc644\ud654\ud588\uc2b5\ub2c8\ub2e4.<\/p>\n
            \uc6b0\ub9ac\uac00 \uc870\uc0ac\ud55c \ub3d9\uc77c\ud55c \uc8fc\uc81c\uc5d0 \ub300\ud55c \ubaa8\ub4e0 \uac00\uc774\ub4dc\ub294 DDoS \ud2b8\ub798\ud53d\uc744 \ub9c9\uc744 \uc218\uc788\ub294 \ube44\ud6a8\uc728\uc801 \uc778 \ubc29\ubc95\uc774\ub098 iptables \uaddc\uce59\uc758 \uc81c\ud55c\ub41c \uc218\ub97c \uc81c\uacf5\ud588\uc2b5\ub2c8\ub2e4.

            \uc815\ud655\ud558\uac8c \uc0ac\uc6a9\ub41c\ub2e4\uba74, iptables\ub294 1GigE NIC\uc758 \ud68c\uc120 \uc18d\ub3c4\uc640 10GigE NIC\uc758 \ud68c\uc120 \uc18d\ub3c4\uc5d0 \uac00\uae4c\uc6b4 DDoS \uacf5\uaca9\uc744 \ucc28\ub2e8\ud560 \uc218\uc788\ub294 \ub9e4\uc6b0 \uac15\ub825\ud55c \ub3c4\uad6c\uc785\ub2c8\ub2e4.<\/p>\n
            iptables\uc758 \ud798\uc744 \uacfc\uc18c \ud3c9\uac00\ud558\uc9c0 \ub9c8\uc2ed\uc2dc\uc624!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
            DDoS Protection With IPtables: The Ultimate Guide \uae00\uc744 \ubc88\uc5ed\ud55c \ub0b4\uc6a9\uc785\ub2c8\ub2e4. \uc6d0\ubcf8 \uae00: https:\/\/javapipe.com\/ddos\/blog\/iptables-ddos-protection\/ \ubc88\uc5ed \uae00: \ub9c1\ud06c iptables\uc5d0 \ub300\ud55c \uc790\uccb4 DDoS \ubc29\uc9c0 \uaddc\uce59\uc744 \uc791\uc131\ud558\ub294 \uc5ec\ub7ec \uac00\uc9c0 \ubc29\ubc95\uc774 \uc788\uc2b5\ub2c8\ub2e4. \uc6b0\ub9ac\ub294 \uc774 \ud3ec\uad04\uc801 \uc778 \ud29c\ud1a0\ub9ac\uc5bc\uc5d0\uc11c \uac00\uc7a5 \ud6a8\uacfc\uc801\uc778 iptables DDoS \ubcf4\ud638 \ubc29\ubc95\uc744 \ub17c\uc758 \ud560 \uac83\uc785\ub2c8\ub2e4. \uc774 \uac00\uc774\ub4dc\ub294 \ub2e4\uc74c\uc744 \uc218\ud589\ud558\ub294 \ubc29\ubc95\uc744 \uc54c\ub824\uc90d\ub2c8\ub2e4. DDoS \uacf5\uaca9\uc744 \ub9c9\uae30 \uc704\ud55c iptables \ud14c\uc774\ube14\uacfc \uccb4\uc778\uc744 \uc120\ud0ddDDoS \uacf5\uaca9\uc758 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39,12],"tags":[],"class_list":["post-5500","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos","category-computing_security"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5500"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5500\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}