Netfilter

From the Open Neurosecurity Research Portal

The nft_synproxy module (the nftables synproxy statement) can be used to protect a server from TCP SYN floods: the kernel answers the client's SYN on the server's behalf and only creates a connection once the three-way handshake has completed.

Notes

The mss and wscale values to use can be found with tcpdump(8), by looking at the TCP options that incoming SYN packets carry, and adapted to the observed traffic.
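As an added example (not part of the original page), the shell helper below turns tcpdump SYN summaries into the synproxy statement: it picks the most frequent mss and wscale and only adds timestamp / sack-perm when the clients actually offer those options. The sample lines and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample of what `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`
# prints for incoming SYNs (documentation addresses, invented sequence numbers).
SAMPLE_SYNS='IP 203.0.113.5.51234 > 192.0.2.10.443: Flags [S], seq 10, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
IP 203.0.113.6.40000 > 192.0.2.10.443: Flags [S], seq 20, win 65535, options [mss 1460,nop,wscale 9,nop,nop,TS val 2 ecr 0,sackOK,eol], length 0
IP 198.51.100.9.33000 > 192.0.2.10.443: Flags [S], seq 30, win 29200, options [mss 1400,sackOK,TS val 3 ecr 0,nop,wscale 7], length 0'

# most_common FIELD: print the value of "FIELD <n>" seen most often on stdin.
most_common() {
    grep -o "$1 [0-9]*" | awk '{ c[$2]++ }
        END { for (v in c) if (best == "" || c[v] > n) { n = c[v]; best = v }; print best }'
}

# synproxy_rule: read tcpdump SYN summaries on stdin, emit the nft synproxy statement.
synproxy_rule() {
    syns=$(grep 'Flags \[S\]')          # bare SYNs only; SYN-ACKs show as [S.]
    mss=$(printf '%s\n' "$syns" | most_common mss)
    wscale=$(printf '%s\n' "$syns" | most_common wscale)
    # Defaults if the capture carried no such option at all.
    rule="synproxy mss ${mss:-1460} wscale ${wscale:-7}"
    # Only advertise timestamps / SACK if the observed clients negotiate them.
    printf '%s\n' "$syns" | grep -q 'TS val' && rule="$rule timestamp"
    printf '%s\n' "$syns" | grep -q 'sackOK' && rule="$rule sack-perm"
    printf '%s\n' "$rule"
}

# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_SYNS" | synproxy_rule
# Live use (needs -l so tcpdump line-buffers into the pipe):
#   tcpdump -l -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | synproxy_rule
```

The emitted statement replaces the `synproxy mss ... sack-perm` part of the inbound rule below; re-run it periodically since client populations change.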

Tutorials

nftables.conf

table inet global {

	# Dynamic set for addresses to block. No rule references it yet, so it
	# has no effect until a rule adds elements to it and drops matches.
	set denylist {
		type ipv4_addr
		counter
		flags dynamic
		timeout 1d
	}

	chain inbound {
		type filter hook input priority 0; policy accept;

		ct state established,related accept
		# Untracked SYNs are answered by the kernel on the server's behalf; the
		# client's final ACK arrives as "invalid" and completes the handshake,
		# after which a real conntrack entry exists and the server sees the connection.
		ct state invalid,untracked synproxy mss 1460 wscale 9 timestamp sack-perm
		# Anything still invalid after synproxy must not fall through to the accept policy.
		ct state invalid drop
	}

	chain prerouting {
		# notrack has to run before conntrack (priority -200), so the chain
		# hooks at priority raw (-300); at priority mangle (-150) the SYN would
		# already be tracked and synproxy would never engage.
		type filter hook prerouting priority raw; policy accept;
		tcp flags syn notrack
	}
}

Maintainer

Etienne Robillard <smart@open-neurosecurity.org>