
I would like to drop all UDP traffic (everything else is allowed) while still allowing outbound UDP traffic. The outbound traffic is mainly from gaming and VoIP calls. The UDP traffic needs to be blocked as the ISP (OVH) does not filter UDP-based DDoS attacks. They only filter TCP-based DDoS attacks. This was confirmed with a short phone call to them. That being said, I need a way to block UDP to avoid DDoS attacks utilizing the UDP protocol from becoming successful while still allowing the outbound traffic. This will be done on a VPS server at OVH running a VPN server (OpenVPN TCP port 443). Is there a set of rules I could add into iptables to accomplish this?

  • Why doesn't a standard stateful firewall suggested by almost every standard firewall guide do what you want? Permit outgoing NEW packets, and ESTABLISHED,RELATED incoming packets, then any other things. In any case the problem with most DDoS attacks is the bandwidth usage. By the time it gets to your system to be firewalled it is too late. Your bandwidth was already used. – Zoredache Nov 28 '16 at 04:28
  • UDP is not stateful, so ESTABLISHED,RELATED doesn't work in case of UDP traffic. Simply there are no TCP sequence numbers to track. – Dmitry Zayats Nov 28 '16 at 05:25
  • Apparently, I was wrong. It works, well sort of. http://www.iptables.info/en/connection-state.html#UDPCONNECTIONS – Dmitry Zayats Nov 28 '16 at 05:39

1 Answer


While blocking all incoming UDP is pretty simple:

iptables -A INPUT -p udp -s 0.0.0.0/0 -d your_ip_range -m state --state NEW -j DROP

you may want to consider taking a look at the:

Service Name and Transport Protocol Port Number Registry

to see which UDP services you may need to allow through.

SteDf
  • If you cut all incoming UDP traffic, then your outgoing UDP traffic doesn't make sense (as you will never get a reply). Instead, as suggested in the comment to the original question, connection tracking should be used and only ESTABLISHED,RELATED connections allowed. – Dmitry Zayats Nov 28 '16 at 05:43
  • Please correct me if I'm wrong, but dropping the packets on NEW connections will ensure that any ESTABLISHED or RELATED connection will be accepted. – SteDf Nov 28 '16 at 07:07
  • You are right. Didn't notice state in your post. However, if you are doing this `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`, the extra rule to block UDP in state NEW will not be needed. – Dmitry Zayats Nov 28 '16 at 08:04
  • I think you are assuming that iptables is set to DROP all the INPUT chain while I assume that is set to ACCEPT, since never specified otherwise. – SteDf Nov 28 '16 at 09:10
  • `-s 0.0.0.0/0` is useless. Moreover `-d your_ip_range` is not that useful as well because you are in the INPUT chain: instead, I'd prepend `iptables -A INPUT -i lo -j ACCEPT`. – ysdx Dec 03 '16 at 22:51
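The answer and the comment thread together describe a stateful INPUT chain: loopback first, ESTABLISHED,RELATED accepted so replies to the host's own UDP datagrams (games, VoIP, DNS) still arrive, and unsolicited UDP dropped. The script below is an added example that is not part of the original answer or the comments. It uses `-m conntrack --ctstate` (the current equivalent of the answer's `-m state --state`), takes the OpenVPN TCP 443 port from the question, and assumes two things not stated on the page: an `IPT` variable so the same script can be dry-run with `IPT=echo`, and an `ALLOW_TCP_PORTS` list to which the management port (SSH or whatever you use) must be added before the INPUT policy becomes DROP. As Zoredache's comment notes, none of this saves bandwidth during a volumetric flood; it only stops the datagrams from reaching a service.

```shell
#!/bin/sh
# Stateful INPUT chain for a VPS that runs OpenVPN on TCP 443, must drop
# unsolicited inbound UDP, and still wants replies to the UDP it sends out.
# Added example, not from the original answer. Dry-run: IPT=echo APPLY=1 sh rules.sh
IPT=${IPT:-iptables}                      # assumed: swap in "echo" to preview
# TCP ports allowed to accept NEW connections. 443 is the OpenVPN port from the
# question; add your SSH/management port here or you lock yourself out (assumed).
ALLOW_TCP_PORTS=${ALLOW_TCP_PORTS:-443}

apply_udp_rules() {
    # Start from an empty INPUT chain so rule order below is exactly as written.
    "$IPT" -F INPUT
    # Loopback first (ysdx's comment): local services must reach themselves.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Connection tracking is what makes UDP "stateful" enough for this purpose:
    # a reply to a datagram this host already sent is ESTABLISHED, so outbound
    # game/VoIP/DNS flows keep working even though every other UDP is dropped.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Malformed or out-of-state packets go early.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New inbound TCP only on the listed ports.
    for port in $ALLOW_TCP_PORTS; do
        "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Unsolicited UDP. Redundant with the DROP policy set below, but an explicit
    # rule keeps a visible packet counter (iptables -L INPUT -v) for what is hit.
    "$IPT" -A INPUT -p udp -m conntrack --ctstate NEW -j DROP
    # Policies last: INPUT default-deny, OUTPUT unrestricted so outbound UDP
    # (the traffic the question wants to keep) never needs its own rule.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Number of INPUT rules a dry run would install; handy as a sanity check.
count_rules() {
    ( IPT=echo; apply_udp_rules ) | grep -c -- '-A INPUT'
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_udp_rules
fi
```

Run it once with `IPT=echo APPLY=1` and read the printed rules in order before applying for real as root; the loopback and ESTABLISHED,RELATED lines must appear above the UDP drop, and the TCP port list must include the port you are connected on.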