
Our servers are getting UDP-flood attacks with spoofed source IPs. I think we can solve this problem with iptables, and I want to make a rule with iptables.

When an IP tries to send a UDP packet, iptables will block it. After this first packet, other packets will be accepted for 10 seconds.

How can I make this with iptables?

1 Answer


Try

# 1. Record the source of every inbound UDP packet in the "attack" list (always falls through)
iptables -A INPUT -p udp [--dport 12345] -m recent --name attack --set
# 2. Accept if this source has been seen at least twice within the last 10 seconds
iptables -A INPUT -p udp [--dport 12345] -m recent --name attack --rcheck --seconds 10 --hitcount 2 -j ACCEPT
# 3. Otherwise (first packet from this source inside the window) drop it
iptables -A INPUT -p udp [--dport 12345] -j DROP

This should permit the second and subsequent packets from any given address in a rolling ten-second window; others will be DROPped. As usual, getting them in the right place in your existing ruleset is both vitally important and your problem. If you aren't restricting this by port, make very sure you don't lock out DNS responses (and other udp-based responses you may consider desirable).

MadHatter
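To see exactly what those three rules do to a packet stream before putting them on a live box, here is an added example (not part of the answer above, and not the kernel's xt_recent code) that simulates the `recent` match in plain Python and replays the ruleset against constructed traffic. It assumes the documented semantics: `--set` appends the current time to the address's hit list (xt_recent keeps at most `ip_pkt_list_tot`, default 20, timestamps per address), and `--rcheck --seconds S --hitcount H` matches when the address has at least H hits younger than S seconds. The addresses and timestamps are made up; no iptables is invoked.

```python
"""Offline simulation of the answer's three iptables rules.

Added example, not the original answer's code and not the kernel implementation.
Assumed xt_recent semantics (see the iptables-extensions man page):
  --set                      append the current time to the address's hit list
  --rcheck --seconds S --hitcount H
                             match if the address has >= H hits less than S seconds old
Each address keeps at most ip_pkt_list_tot (default 20) timestamps.
"""
from collections import deque

PKT_LIST_TOT = 20  # xt_recent default ip_pkt_list_tot (timestamps kept per address)


class RecentTable:
    """One named `recent` list; the answer calls its list "attack"."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        self.entries = {}          # source address -> deque of hit timestamps
        self.max_stamps = max_stamps

    def set(self, addr, now):
        """--set: record a hit for addr at time `now`, creating the entry if needed."""
        stamps = self.entries.setdefault(addr, deque(maxlen=self.max_stamps))
        stamps.append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        """--rcheck: True if addr has at least `hitcount` hits younger than `seconds`."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        recent_hits = sum(1 for t in stamps if now - t < seconds)
        return recent_hits >= hitcount


def evaluate(packets, seconds=10, hitcount=2):
    """Apply the answer's INPUT rules, in order, to (time, src) UDP packets.

    Rule 1: -m recent --name attack --set                         (no verdict)
    Rule 2: -m recent --name attack --rcheck --seconds 10 --hitcount 2 -j ACCEPT
    Rule 3: -j DROP
    Returns one verdict string per packet.
    """
    table = RecentTable()
    verdicts = []
    for now, src in packets:
        table.set(src, now)                       # rule 1: every packet is recorded first
        if table.rcheck(src, now, seconds, hitcount):
            verdicts.append("ACCEPT")            # rule 2: 2nd+ packet inside the window
        else:
            verdicts.append("DROP")              # rule 3: first packet in the window
    return verdicts


# Constructed sample traffic (not captured data): one legitimate client that
# sends twice, goes quiet for more than 10 s, then sends twice more; plus a
# burst of spoofed sources that each appear exactly once.
LEGIT = [(0.0, "198.51.100.7"), (5.0, "198.51.100.7"),
         (20.0, "198.51.100.7"), (21.0, "198.51.100.7")]
SPOOFED = [(0.1 + i * 0.001, f"203.0.113.{i}") for i in range(1, 6)]

if __name__ == "__main__":
    for (t, src), verdict in zip(LEGIT, evaluate(LEGIT)):
        print(f"t={t:5.1f}  {src:15}  {verdict}")
    print("spoofed burst:", evaluate(SPOOFED))
```

Two things the replay makes visible: every spoofed source that appears only once is dropped, which is the intended effect, but the legitimate client's packet at t=20 is dropped too, because the window counts hits younger than 10 seconds and the only such hit is the packet itself. Any peer that sends less often than once per 10 seconds therefore never gets through, which is precisely why the answer warns about DNS and other UDP responses if the rules are not confined to a port.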