iptables is the standard firewall management utility on most Linux distributions. It allows you to rate-limit connections and detect and block repeated, suspicious access attempts to specific ports.
Warning: Incorrectly configured iptables rules can lead to you losing access to your own server (lockout). Test all rules carefully, especially those affecting SSH (port 22): keep a second SSH session open while you apply them, and schedule an automatic flush of the rules in that session that you cancel only once you have confirmed that a fresh login still works.
Core Principle: Limiting and Blocking
To mitigate connection floods and brute-force attempts before they reach the application, we use the limit and recent match modules of iptables. limit is a single token bucket shared by all senders of a rule; recent keeps a list of recent packets per source IP and can therefore block an individual address temporarily.
1. Protecting the SSH Port (22)
The SSH port is a frequent target for brute-force attacks. We limit the number of new connections per unit of time. Note that the limit module counts all new connections together, regardless of the source address.
Bash (SSH Limiter)
# Packets of SSH sessions that already exist must be accepted first, otherwise
# the DROP rule at the end would also kill the session you are working in
iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows a burst of 5 new connections, then an average of 3 per minute (one new token every 20 seconds)
# Connection attempts that arrive while no token is available are dropped
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/m --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
--state ESTABLISHED,RELATED: Accepts packets of connections that are already open, so only connection attempts (NEW) are subject to the limit.
--limit 3/m: Sets the average rate to 3 new connections per minute; once the burst is used up, one further attempt is admitted every 20 seconds, the rest are dropped.
--limit-burst 5: Allows a short initial "burst" of 5 connections before the rate limit is enforced; the bucket refills at the --limit rate, up to 5.
Caveat: Because the counter is shared, a single attacker who exhausts it also blocks legitimate logins. Combine the rule with key-only authentication and, where possible, restrict port 22 to known source addresses. The -m state match is a legacy alias of -m conntrack --ctstate, which current iptables builds prefer; both work.
2. Protecting the Web Server Ports (80/443)
These rules limit the rate of new connections to the web ports so that a connection flood (many SYNs per second) cannot exhaust the server. They do not help against Slowloris: a Slowloris client opens only a few connections and keeps them alive with deliberately slow requests, which is best handled in the web server itself (request and header timeouts, connection limits per client). The limit must apply to connection attempts only; packets of existing connections have to be accepted unconditionally, otherwise every download would be throttled and the DROP rule would cut it off.
Bash (Web Server Limiter)
# Packets of connections that already exist are always accepted
iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP (Port 80)
# Allows a burst of 100 new connections, then an average of 20 per second (20/s) in total, all clients combined
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 20/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
# HTTPS (Port 443)
# Same limits as for HTTP
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 20/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
--state ESTABLISHED,RELATED: Matches packets of already existing, active connections; these bypass the limit.
--state NEW: Restricts the limiting to the first packet of each new connection (the SYN).
Important: You must adjust the values (20/s, 100) to match the normal, expected traffic of your application. Because limit counts globally, a value that is too low lets a single flooding client lock out everyone; for a per-client limit use the recent module (next section) or the hashlimit module, which keeps a separate bucket per source IP.
3. Persistent Blocking with the recent Module
The recent module is more powerful because it keeps a list of timestamps per source IP and temporarily blocks only those addresses that attempt to connect too often.
Bash (Temporary IP Blocking)
# 1. Record every new connection attempt from the source IP in the list "BAD_GUYS".
#    This rule has no target: it only stores a timestamp, and the packet continues to the next rule.
#    Applied here to Port 80.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name BAD_GUYS --set
# 2. Drop the packet if the source IP already has 15 or more entries from the last 60 seconds.
#    --update also refreshes the timestamp, so the block persists as long as the client keeps sending.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name BAD_GUYS --update --seconds 60 --hitcount 15 -j DROP
# 3. The remaining, legitimate traffic is accepted.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
--name BAD_GUYS: Names the list; without it both rules use the list DEFAULT. The list can be inspected at /proc/net/xt_recent/BAD_GUYS and cleared by writing "/" to that file.
--set: Adds the source IP to the list (or adds a new timestamp if it is already there). It matches every packet, which is why the rule carries no -j target.
--update: Checks whether the IP has at least --hitcount entries within the last --seconds seconds and, if so, adds the current timestamp as well.
Caveat: The module remembers only the last 20 timestamps per address by default (module parameter ip_pkt_list_tot), so --hitcount must not exceed that value.
Result: An IP that sends packets too aggressively (e.g., a bot or a simple DoS attack) is dropped from its 15th new connection attempt within 60 seconds onward, and remains blocked until fewer than 15 of its attempts fall into the preceding 60 seconds, i.e. until roughly a minute after it stops hammering. Other addresses are not affected.
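To make the difference between the two modules concrete, here is an added simulation (not code from this page and not the kernel's own implementation): it models limit as the shared token bucket and recent as the per-source ring of the last 20 timestamps that the iptables-extensions manual describes, and runs the chains from sections 1 and 3 over constructed packet timelines. The addresses (RFC 5737 documentation ranges) and the timing values are invented for the illustration.

```python
"""Model of the iptables `limit` and `recent` matches over constructed traffic.
Added illustration, not code from the page; it assumes the documented module
semantics (token bucket for `limit`, per-source timestamp ring for `recent`)."""
from collections import defaultdict, deque


class LimitMatch:
    """`-m limit --limit R --limit-burst B` as a token bucket shared by ALL
    sources (the kernel keeps one credit counter per rule, not per client).
    period_ms is 1000/R in milliseconds: the time needed to earn one token."""

    def __init__(self, period_ms, burst):
        self.period = period_ms
        self.cap = period_ms * burst      # full bucket = `burst` tokens
        self.credit = self.cap            # the bucket starts full
        self.last = 0

    def matches(self, t_ms):
        # Refill in proportion to the elapsed time, capped at the burst size.
        self.credit = min(self.cap, self.credit + (t_ms - self.last))
        self.last = t_ms
        if self.credit >= self.period:
            self.credit -= self.period
            return True
        return False


class RecentList:
    """`-m recent --name L`: a ring of the last `max_hits` timestamps per
    source address (ip_pkt_list_tot, default 20)."""

    def __init__(self, max_hits=20):
        self.stamps = defaultdict(lambda: deque(maxlen=max_hits))

    def set(self, src, t_ms):
        """--set: record a hit for src. Always matches, so no verdict."""
        self.stamps[src].append(t_ms)

    def update(self, src, t_ms, seconds, hitcount):
        """--update --seconds S --hitcount N: match if src has >= N hits within
        the last S seconds; on a match the current time is recorded as well."""
        if src not in self.stamps:
            return False
        hits = sum(1 for h in self.stamps[src] if t_ms - h <= seconds * 1000)
        if hits >= hitcount:
            self.stamps[src].append(t_ms)
            return True
        return False


def ssh_chain(new_syn_times_s):
    """Section 1 chain: NEW SYNs on port 22 against --limit 3/m --limit-burst 5
    (20 s per token, 5 tokens). Returns the times of the accepted attempts."""
    limiter = LimitMatch(period_ms=20_000, burst=5)
    return [t for t in new_syn_times_s if limiter.matches(t * 1000)]


def http_recent_chain(packets):
    """Section 3 chain for (time_s, src) NEW packets on port 80: rule 1 `--set`
    records the hit, rule 2 `--update --seconds 60 --hitcount 15` drops, rule 3
    accepts the rest. Returns {src: [(time_s, verdict), ...]}."""
    bad_guys = RecentList()
    verdicts = defaultdict(list)
    for t, src in packets:
        bad_guys.set(src, t * 1000)
        dropped = bad_guys.update(src, t * 1000, seconds=60, hitcount=15)
        verdicts[src].append((t, "DROP" if dropped else "ACCEPT"))
    return dict(verdicts)


# Constructed timelines, not captured traffic.
SSH_ATTEMPTS = list(range(30))                     # one SYN per second for 30 s
ATTACKER, CLIENT = "203.0.113.10", "198.51.100.7"  # RFC 5737 documentation addresses
HTTP_PACKETS = sorted(
    [(t, ATTACKER) for t in range(20)]             # 20 connection attempts in 20 s
    + [(70, ATTACKER), (85, ATTACKER)]             # two more after going quiet
    + [(0, CLIENT), (30, CLIENT), (61, CLIENT)]    # a normal visitor
)

if __name__ == "__main__":
    print("SSH SYNs accepted at t =", ssh_chain(SSH_ATTEMPTS))
    for src, verdicts in http_recent_chain(HTTP_PACKETS).items():
        print(src, [v for _, v in verdicts])
```

Running it shows the two behaviours the rule comments describe: of 30 SSH attempts one second apart, the first five pass on the burst and the next one only at t = 20, when a new token has accrued; the limiter does not "block for a minute". The HTTP attacker is accepted 14 times, dropped from its 15th attempt, still dropped at t = 70 because --update kept refreshing its entry, and accepted again at t = 85 once fewer than 15 timestamps fall into the last 60 seconds, while the normal visitor is never affected.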
4. Saving Rules Permanently
After successfully testing the rules, they must be saved, otherwise they will be lost after a server reboot.
For Debian/Ubuntu (iptables-persistent)
apt install and save
# Installation of the tool (the installer offers to save the rules that are active at that moment)
apt install iptables-persistent
# Saving the current rules to /etc/iptables/rules.v4 (and rules.v6 for ip6tables)
netfilter-persistent save
For CentOS/RHEL (iptables-services)
Start and save service
# Installation. firewalld is the default on RHEL 7 and later and manages the same tables,
# so it has to be stopped and disabled before iptables-services takes over
yum install iptables-services
systemctl stop firewalld
systemctl disable firewalld
# Saving the current rules
iptables-save > /etc/sysconfig/iptables
# Enabling the service so the saved file is loaded at boot, and restarting it now
systemctl enable iptables
systemctl restart iptables
After the next reboot, confirm with iptables -L INPUT -n -v that the rules are back and that their packet counters increase.