
KAJOOSH/GFW-DDOS-protection

iptables rules to protect against DDOS

GFW-DDOS-protection:

iptables rules to protect against GFW-prober DDOS and port scanning

motivation:

  • we noticed that GFW probers sometimes flood the v2ray server with thousands of simultaneous connections
  • if the xray port is opened without protection, the number of TCP connections sometimes rises above 50K, and shortly afterwards the IP gets blocked
  • we log all IPs and all requests using this tool: https://github.com/GFW-knocker/gfw_resist_http_proxy
  • we identified that this behavior is a DDoS-like attack by GFW nodes to probe VPN servers and block them

how this protection works:

  • it is a set of iptables rules (firewall)
  • block all ICMP/ping
  • limit the rate of new TCP connections to 20/sec per IP
  • limit the total number of established connections to 100 per IP
  • port scan protection script (IP blocked for 30 min if it scans 5+ ports)

ufw rate-limit (limit 20 SYN/sec and 100 established TCP connections per IP)

  1. open file /etc/ufw/before.rules

    sudo vim /etc/ufw/before.rules

  2. Add these lines after *filter near the beginning of the file:

    :ufw-http - [0:0]

    :ufw-http-logdrop - [0:0]

  3. first change the listen port below, then add these lines near the end of the file, just before COMMIT:

    ### start ###
    # Entry point - add your listen port here instead of 80 or 443
    -A ufw-before-input -p tcp --dport 80 -j ufw-http
    -A ufw-before-input -p tcp --dport 443 -j ufw-http

    # Limit 100 established connections per IP
    # (mask 32 counts per source address; mask 24 would count the whole /24 block together)
    -A ufw-http -p tcp --syn -m connlimit --connlimit-above 100 --connlimit-mask 32 -j ufw-http-logdrop

    # Limit 20 new connections per IP per sec
    # (first rule records the source, second drops it at 20 hits within 1 second)
    -A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
    -A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop

    # Finally accept
    -A ufw-http -j ACCEPT

    # Log (rate-limited so the log itself cannot be flooded), then drop
    -A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
    -A ufw-http-logdrop -j DROP
    ### end ###

  4. replace the ICMP ACCEPT rules with DROP (note: dropping destination-unreachable also drops the fragmentation-needed messages used for path MTU discovery; if large transfers stall, keep that one type on ACCEPT):

    # icmp codes for INPUT (changed from ACCEPT to DROP)
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    # icmp codes for FORWARD (changed from ACCEPT to DROP)
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

  5. reload ufw:

    sudo ufw reload

Port scan protection (5 ports scanned within 1 min -> source blocked for 30 min):

  • set permission:

    chmod +x iptables_portscan_protection.sh
  • run as root:

    ./iptables_portscan_protection.sh
  • the rules are applied immediately, but they are not persistent, so you need to run the script again after every reboot
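The script itself is not shown on this page; the following is an added example (not the repository's iptables_portscan_protection.sh) of how the described behaviour can be built from the iptables recent module plus an ipset whose entries expire after 30 min. It assumes IPv4, that the ipset package is installed, and that the listening ports are 22 and 443 (LISTEN_PORTS); without the apply argument it only prints the commands for review.

```shell
#!/bin/sh
# Added example, not the repository's iptables_portscan_protection.sh.
# Idea: a SYN to a port we do not listen on is a probe; 5 such probes from one
# source within 60 s put that source into an ipset whose entries expire after
# 1800 s (30 min), and members of the set are dropped before anything else.
# Assumptions: IPv4, ipset installed, listening ports given in LISTEN_PORTS.
LISTEN_PORTS="${LISTEN_PORTS:-22,443}"   # adjust to your real listen ports
SET_NAME="port_scanners"                 # same set name as 'ipset list port_scanners'
BLOCK_SECONDS=1800                       # ipset entry timeout = block length
SCAN_WINDOW=60                           # seconds
SCAN_HITS=5                              # probes within the window

# Emit the commands rather than running them, so they can be reviewed first.
# The recent module counts probes per source IP (not distinct ports); SET is a
# non-terminating target, so the final RETURN lets ufw's own policy decide.
portscan_rules() {
    cat <<EOF
ipset -exist create $SET_NAME hash:ip timeout $BLOCK_SECONDS
iptables -N PORTSCAN 2>/dev/null || iptables -F PORTSCAN
iptables -A PORTSCAN -m recent --name portscan --set
iptables -A PORTSCAN -m recent --name portscan --update --seconds $SCAN_WINDOW --hitcount $SCAN_HITS -j SET --add-set $SET_NAME src
iptables -A PORTSCAN -j RETURN
iptables -I INPUT 1 -m set --match-set $SET_NAME src -j DROP
iptables -I INPUT 2 -p tcp --syn -m multiport ! --dports $LISTEN_PORTS -j PORTSCAN
EOF
}

# Usage: ./portscan.sh            -> print the rules (dry run)
#        sudo ./portscan.sh apply -> run them; run once per boot, because a
#                                    second run would duplicate the two INPUT rules
case "${1:-}" in
    apply) portscan_rules | sh -e ;;
    *)     portscan_rules ;;
esac
```

Blocked sources can then be inspected with the page's own ipset list port_scanners command, and an entry disappears by itself once its timeout runs out.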

iptables user manual:

useful commands

ipset list

ipset list port_scanners

ipset flush

ipset destroy

ufw allow 80/tcp

ufw delete allow 80/tcp

iptables -L INPUT -v

iptables -S

useful paths

/etc/ufw/

/var/log/ufw.log

/var/log/nginx/access.log

/etc/nginx/sites-available/

/var/www/html/

/etc/x-ui/x-ui.db

/usr/local/x-ui/access.log