I'm currently under attack by spoofed UDP packets. Every spoofed IP tries to send just one UDP packet in 30 seconds, but there are tons of IPs.

I need to drop the first packet, but if the same src IP sends another packet within 30 seconds I want to accept it.

-A INPUT -d <myip> -p udp --dport <myport> -m hashlimit --hashlimit-upto 1/min --hashlimit-mode srcip --hashlimit-name mmmm -j DROP

I tried this, but it didn't help.

wotan

1 Answer

As mentioned, "recent" is probably your best bet. Adjust as needed:

# create a user-defined chain for the UDP port in question
iptables -N SPOOF
# source already in the "recent" list and seen within the last 30 seconds: accept
iptables -A SPOOF -m recent --rcheck --seconds 30 -j ACCEPT
# otherwise record (or refresh) the source address and drop this packet
iptables -A SPOOF -m recent --set -j DROP

# hand matching incoming UDP packets to the new chain
iptables -A INPUT -p udp --dport <myport> -j SPOOF

This creates a new table "SPOOF" and sends the appropriate matched incoming UDP packets to it. If that host has sent a packet within the last 30 seconds, then it gets accepted; otherwise it gets dropped.

CR.
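To see what the chain in this answer does to a stream of packets, here is an added simulation (not code from the answer, the question, or the iptables project) that replays a constructed packet trace through the same "recent" match logic. The "rcheck" mode models the chain exactly as posted; the "update" mode goes beyond the answer and shows what changes if --update is used in place of --rcheck, which also refreshes the last-seen timestamp on a match. The timestamps and addresses are made up, and the samples deliberately stay away from the exact 30-second boundary.

```shell
#!/bin/sh
# Model of the SPOOF chain from the answer (assumed semantics of xt_recent):
#   -m recent --rcheck --seconds 30 -j ACCEPT  : match if src seen within window
#   -m recent --set -j DROP                    : add/refresh src entry, then drop
# MODE "rcheck" keeps the matched entry's timestamp untouched (as posted);
# MODE "update" refreshes it on a match, as --update would.
# Input lines: "<seconds> <srcip>" on stdin; output: "<seconds> <srcip> VERDICT".
simulate_recent() {
    mode="$1"
    awk -v mode="$mode" -v window=30 '
    {
        ts = $1 + 0; ip = $2
        # rule 1: source in the list and last seen within the window?
        if ((ip in seen) && (ts - seen[ip]) <= window) {
            if (mode == "update") seen[ip] = ts   # --update refreshes last-seen
            print ts, ip, "ACCEPT"
        } else {
            seen[ip] = ts                         # --set adds or refreshes entry
            print ts, ip, "DROP"
        }
    }'
}

# Constructed trace: two spoofed sources sending one packet each, and one
# legitimate host (203.0.113.5) sending a steady stream over ~55 seconds.
sample_trace() {
    printf '%s\n' \
        '0 198.51.100.7' \
        '0 203.0.113.5' \
        '10 203.0.113.5' \
        '1 198.51.100.8' \
        '20 203.0.113.5' \
        '45 203.0.113.5' \
        '55 203.0.113.5'
}

# Count ACCEPT verdicts for a given mode; used below and by the checks.
accepted_count() {
    sample_trace | simulate_recent "$1" | grep -c ACCEPT
}

echo "== chain as posted (--rcheck) =="
sample_trace | simulate_recent rcheck
echo "== with --update instead of --rcheck =="
sample_trace | simulate_recent update
```

With --rcheck the legitimate host is dropped again at t=45 because its entry still carries the t=0 timestamp, so a steady sender loses one packet roughly every 30 seconds; with --update every packet after the first is accepted, while each spoofed one-packet source is dropped in both modes.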