[root@WX020 firewall]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em2 -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -p tcp –dport 80 -m connlimit –connlimit-above 10 -j DROP
-A INPUT -p tcp –dport 80 –syn -m recent –name webpool –rcheck –seconds 50 –hitcount 10 -j LOG –log-prefix ‘DDOS:’ –log-ip-options
-A INPUT -p tcp –dport 80 –syn -m recent –name webpool –rcheck –seconds 50 –hitcount 10 -j DROP
-A INPUT -p tcp –dport 80 –syn -m recent –name webpool –set -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMIT
#允许单个IP的最大连接数为30
iptables -I INPUT -i em1 -p tcp –dport 80 -m connlimit –connlimit-above 10 -j DROP
iptables -A INPUT -i em2 -p tcp –dport 80 -m recent –name BAD_HTTP_ACCESS –update –seconds 60 –hitcount 30 -j REJECT
iptables -A INPUT -i em2 -p tcp –dport 80 -m recent –name BAD_HTTP_ACCESS –set -j ACCEPT
netstat -ant | grep “EST” | grep -v “22000” | awk ‘{print $5}’ | grep -v “^10” | cut -d “:” -f1 | sort | uniq -c | sort -nr | awk ‘$1 > 4 {print $1,$2}’
