1. Limit the number of concurrent connections a single IP may hold to port 80. The maximum here is 10 and can be adjusted.

The rule is as follows:

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP


2. Use the recent module to limit the number of new connections from the same IP within a time window. For more recent module functions, see: Iptables recent module application.

The rules are as follows:

iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix 'DDOS:' --log-ip-options
# more than 10 new connections within 60 seconds: log the excess
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j DROP
# more than 10 new connections within 60 seconds: drop the excess
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --set -j ACCEPT
# within the limit: record the hit and accept
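The chain above keeps its state inside the kernel, so its behaviour is easiest to see by modelling the recent module's per-address timestamp list. The following Python simulation is an added example, not code from the original post: it approximates xt_recent (plain seconds instead of jiffies, and a 20-entry stamp buffer per address mirroring the default ip_pkt_list_tot parameter) and runs the LOG/DROP/--set chain over constructed SYN events; the update=True path models the --update rule used in the full ruleset further down.

```python
"""Model of the iptables 'recent' module applied to the post's 60 s / 10-hit
SYN chain. Constructed example: timestamps are plain seconds instead of
jiffies, and each address keeps at most pkt_list_tot stamps, like the module's
ip_pkt_list_tot parameter (default 20), so --hitcount cannot exceed it."""
from collections import defaultdict, deque

class RecentList:
    """One '--name' table: per source address, a ring of hit timestamps."""
    def __init__(self, pkt_list_tot=20):
        self.pkt_list_tot = pkt_list_tot
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: record this packet's timestamp (adds the address if new)."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update=False):
        """--rcheck (update=False) or --update (update=True): match when the
        address is known and >= hitcount stamps fall within the last `seconds`.
        --update also records the packet, but only when the rule matched, so a
        flood keeps refreshing its own block; --rcheck never writes."""
        if hitcount > self.pkt_list_tot:
            raise ValueError("hitcount larger than the per-address stamp buffer")
        if src not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[src] if s >= now - seconds)
        matched = hits >= hitcount
        if update and matched:
            self.set(src, now)
        return matched

def web_syn_verdict(table, src, now, seconds=60, hitcount=10):
    """The post's three rules in order: LOG, DROP, then --set + ACCEPT."""
    if table.check(src, now, seconds, hitcount):   # -j LOG (non-terminating)
        print(f"DDOS: t={now}s src={src}")
    if table.check(src, now, seconds, hitcount):   # -j DROP
        return "DROP"
    table.set(src, now)                            # --set -j ACCEPT
    return "ACCEPT"

def simulate(syns, seconds=60, hitcount=10):
    """Feed (time, src) SYN events through the chain; return one verdict each."""
    table = RecentList()
    return [web_syn_verdict(table, src, t, seconds, hitcount) for t, src in syns]

if __name__ == "__main__":
    # Constructed traffic: 12 SYNs in 12 s from 10.0.0.5, one more at t=61, one from 10.0.0.9.
    events = sorted([(t, "10.0.0.5") for t in range(12)] + [(5, "10.0.0.9"), (61, "10.0.0.5")])
    for (t, src), verdict in zip(events, simulate(events)):
        print(f"t={t:>3}s {src:<10} {verdict}")
```

Because the DROP rule uses --rcheck rather than --update, dropped SYNs add no stamps, so the source is admitted again once its earliest accepted stamps age past 60 seconds.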


The above is relatively simple; below is a more complete configuration for CentOS/Redhat/Fedora.

Execute on the server:

vi /etc/sysconfig/iptables

Delete the original content, enter the following, and save:
# Generated by iptables-save v1.3.5 on Sun Dec 12 23:55:59 2010
*filter
:INPUT DROP [385263:27864079]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4367656:3514692346]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name WEB --rsource
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 --rttl --name WEB --rsource -j DROP
-A INPUT -p tcp -m multiport --ports 21,22,80 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m ttl --ttl-eq 117 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m length --length 0:40 -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Sun Dec 12 23:55:59 2010

Note that this ruleset only opens three TCP ports to the public: 21 (FTP), 22 (SSH) and 80 (HTTP web site). Port 80 is limited to 20 new connections per 5 seconds from each source IP.

Restart the iptables service: /etc/init.d/iptables restart
Make iptables start at boot: chkconfig iptables on