Thursday 11 August 2016

Enhance your DD-WRT security with additional iptables rules

This howto will help you block some of the most common TCP-based DDoS attacks. Although DD-WRT has a very good firewall, it does not hurt to add some extra rules, as long as you know what you are doing.

iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
This rule drops every packet that conntrack marks INVALID, i.e. a packet that is not a SYN and does not belong to any established TCP connection.
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
This drops packets that conntrack considers NEW but that do not carry the SYN flag (a legitimate new TCP connection always starts with a SYN). This rule is similar to the one above, but I found that it catches some packets that the other one doesn't.

iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
The above rule drops new connections (only SYN packets can be in the NEW state) whose TCP MSS value is outside the common range of 536 to 65535.


To check whether any of the rules caught something, run this from the CLI:
iptables -vnL -t mangle
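The following script is an added example and is not part of the original post. It applies the three rules above idempotently (so rerunning it after a firewall restart does not stack duplicates) and parses the output of iptables -vnL -t mangle to show how many packets each DROP rule has caught. The counter listing below is constructed sample output, not taken from a real router, and the script assumes a DD-WRT iptables build that supports the conntrack and tcpmss match modules and the -C (check) option.

```shell
#!/bin/sh
# Added example, not from the original post: apply the mangle-table DDoS
# rules idempotently and summarise how many packets each DROP rule caught.
# Assumes iptables with the conntrack and tcpmss modules and -C support.

# The three rules from the post, written as the arguments that follow
# "iptables -t mangle". One rule per line.
RULES='PREROUTING -m conntrack --ctstate INVALID -j DROP
PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP'

# apply_rules: insert each rule only when an identical one is not already
# present. "iptables -C" returns 0 if the rule exists, non-zero otherwise.
apply_rules() {
    echo "$RULES" | while IFS= read -r rule; do
        # $rule is intentionally unquoted so it splits into separate arguments
        if ! iptables -t mangle -C $rule 2>/dev/null; then
            iptables -t mangle -I $rule
        fi
    done
}

# drop_summary: read "iptables -vnL -t mangle" output on stdin and print, for
# every DROP rule in PREROUTING, "<packets><TAB><match description>".
# Column layout with -v is: pkts bytes target prot opt in out source
# destination [match text...]. Use -x as well to get exact counters instead
# of abbreviated ones such as "12K".
drop_summary() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $3 == "DROP" {
            desc = ""
            for (i = 10; i <= NF; i++) desc = desc (i > 10 ? " " : "") $i
            printf "%s\t%s\n", $1, desc
        }
    '
}

# total_drops: sum of the packet counters printed by drop_summary.
total_drops() {
    drop_summary | awk -F'\t' '{ s += $1 } END { print s + 0 }'
}

# Constructed sample output of "iptables -vnxL -t mangle" (not captured from a
# real device). Because -I inserts at the top, the MSS rule, added last, is
# listed first.
SAMPLE='Chain PREROUTING (policy ACCEPT 8123 packets, 912345 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17       1020 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcpmss match !536:65535
       4        240 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
      42       2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

Chain INPUT (policy ACCEPT 8060 packets, 901234 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# Usage: ./ddos-rules.sh apply   (insert the rules)
#        ./ddos-rules.sh show    (summarise live counters)
#        ./ddos-rules.sh demo    (run the parser on the constructed sample)
case "${1:-}" in
    apply) apply_rules ;;
    show)  iptables -t mangle -vnxL | drop_summary ;;
    demo)  printf '%s\n' "$SAMPLE" | drop_summary
           printf 'total dropped: %s\n' "$(printf '%s\n' "$SAMPLE" | total_drops)" ;;
esac
```

On DD-WRT the apply step belongs in the firewall script (Administration, Commands, Save Firewall) so it runs again after every reboot; the -C check is what keeps it safe to run repeatedly. If the router's iptables build is too old to support -C, compare against iptables-save output instead. A rising counter on the INVALID rule is normal background noise on any internet-facing router; a sudden jump on the non-SYN NEW rule is the one worth looking at.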
