-1

I have been trying for four days to block DDoS attacks with no success. I want to block anything that isn't whitelisted.

This is my idea on OS Centos 7:

# Delete all existing rules
iptables --flush

# Set default chain policies
iptables -P INPUT REJECT
iptables -P OUTPUT REJECT
iptables -P FORWARD REJECT

# This is the IP I want to whitelist
# I think this line doesn't work, because I can't connect, BUT...
iptables -A INPUT -i eth0 -s 180.243.22.122 -j ACCEPT

# Loop here to add desired future IPs

In my test nobody can connect to any port, but I can attack it myself with DDoS using any UDP stresser... Why?

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • Policy is REJECT; where is the allow rule for legit traffic? BTW, I don't think REJECT can be set as a policy; try DROP, but you will need to create rules in the INPUT chain that allow legit traffic, and consider the OUTPUT chain too: you need to be able to respond to incoming traffic and allow legit traffic outwards... – Hrvoje Špoljar Apr 04 '15 at 19:27
  • 1
    Get a hardware firewall – Jason Apr 04 '15 at 20:14

2 Answers

1

You are actively rejecting all connections with the default policy REJECT set by iptables -P INPUT REJECT.

To block connections from an IP you would use DROP or REJECT instead of ACCEPT in your rule:

iptables -A INPUT -i eth0 -s 180.243.22.122 -j DROP

The problem you are experiencing is that you are rejecting all connections, and by using REJECT you send an ICMP packet back to the source telling it that the connection was rejected. You can instead use DROP, which will not send a response. The issue with not being able to connect to any service is that you have not allowed any incoming connections, which you could do with e.g.

iptables -A INPUT -p tcp --dport <port no.> -j ACCEPT
iptables -A INPUT -p udp --dport <port no.> -j ACCEPT

Hope this helps.

Daniel
  • 218
  • 1
  • 3
  • 11
  • I was using DROP, then I read over there that REJECT is better. Anyway, I had the same problem using DROP; check this [link of another question using DROP](http://stackoverflow.com/questions/29449498/iptables-not-blocking-ipstresser). So I understand these rules are blocking me from connecting, but it doesn't stop the attack :/ – Martini002 Apr 04 '15 at 22:52
1

Three things that concern me here.

1. As others have mentioned, your policy is set to REJECT. I'm not even sure that's a valid target for a policy; I believe it's just a target extension, but double-check your man page.

The target you want is DROP. You start with something like this (make sure you are on console and not SSH since you may be disconnected and locked out):

iptables -F # Flush all rules from the built-in chains
iptables -Z # Zero the packet and byte counters
iptables -X # Delete user-defined chains

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP # Do not like this, more on that in 2nd and 3rd points

2. The way you are handling INPUT should work fine if you are only getting connections from that one IP address. However, you will have issues establishing connections because all OUTPUT packets are being filtered. You should be doing something like this:

iptables -A INPUT -s 180.243.22.122 -j ACCEPT
iptables -A OUTPUT -d 180.243.22.122 -j ACCEPT

That being said...

3. Using DROP as your OUTPUT policy could have tons of unintended consequences. Examples would be fetching updates from repositories and failing DNS queries. Quite frankly, egress rules are rarely justified in my opinion. I'd do the following:

iptables -P OUTPUT ACCEPT # Replace the other policy

# This accepts all related connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This will be saner and less of a headache.


Just to sum it up, this is what I'd go with:

iptables -F # Flush all rules from the built-in chains
iptables -Z # Zero the packet and byte counters
iptables -X # Delete user-defined chains

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept loopback
iptables -A INPUT -i lo -p all -j ACCEPT

# Accept based on state
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# IP-based exceptions
iptables -A INPUT -s 180.243.22.122 -j ACCEPT
Belmin Fernandez
  • 10,799
  • 27
  • 84
  • 148
  • I was using DROP, then I read over there that REJECT is better. Anyway, I had the same problem using DROP; check this [link of another question using DROP](http://stackoverflow.com/questions/29449498/iptables-not-blocking-ipstresser). So I understand these rules are blocking me from connecting, but it doesn't stop the attack :/ – Martini002 Apr 04 '15 at 22:49
  • @Martini002 Elaborated a bit more. Hope that helps. – Belmin Fernandez Apr 04 '15 at 22:58
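Putting the second answer's ruleset together with the "loop for future IPs" the question asks for, as an added example (not code from the question or either answer): a POSIX shell script that reads a whitelist and prints the iptables commands, validating each entry before it becomes a rule. The chain name TRUSTED and the one-address-per-line input format are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the question or either answer: generate the
# whitelist-only INPUT ruleset of answer 2 from a list of addresses, the
# "loop for future IPs" the question asks for. Assumptions: IPv4 only, and the
# chain name TRUSTED and the one-address-per-line input format are my own.
WHITELIST_CHAIN=${WHITELIST_CHAIN:-TRUSTED}

# Accept only a dotted-quad IPv4 address, optionally with a /prefix, so a
# malformed list entry can never turn into a broken or overly broad rule.
valid_ipv4() {
    entry=$1
    printf '%s' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    case $entry in
        */*) [ "${entry#*/}" -le 32 ] || return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- ${entry%%/*}
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one address per line on stdin (blank lines and '#' comments ignored)
# and print the iptables commands; printing rather than executing keeps the
# result reviewable, and the whitelist gets its own chain so it can be
# rebuilt later without flushing the base rules.
gen_rules() {
    c=$WHITELIST_CHAIN
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -P OUTPUT ACCEPT\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$c" "$c"
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -A INPUT -j %s\n' "$c" "$c"
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if valid_ipv4 "$line"; then
            printf 'iptables -A %s -s %s -j ACCEPT\n' "$c" "$line"
        else
            printf 'skipping invalid whitelist entry: %s\n' "$line" >&2
        fi
    done
}
```

Pipe the output to sh from the console rather than over SSH to apply it. These rules only decide what the kernel does with packets that have already reached the interface; they cannot keep a UDP flood from consuming the link's bandwidth, which is what the "hardware firewall" comment above is getting at.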