The NTP service is one of the most popular targets of flooding attacks. Almost all Linux servers ship with an Iptables firewall by default, and we can configure Iptables to detect or block NTP flood packets. This topic shows you example use cases of Iptables for handling DoS traffic.
Example 1. Logging flood by source IP address (without limiting the logging rate).
In this example, we create a new firewall chain named NTP in the 1st line, append a rate-limit rule that accepts normal usage in the 2nd line, and log the abnormal packets in the 3rd line.
iptables -N NTP
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
iptables -A NTP -j LOG --log-prefix "NTP-DoS: "
iptables -A NTP -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j NTP
Example 2. Logging flood by source IP address with limited log output.
In the 3rd line, we rate-limit the logging itself to 1 event per second (per source IP address), so a flood cannot fill the log.
iptables -N NTP
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name log_limit -j LOG --log-prefix "NTP-DoS: "
iptables -A NTP -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j NTP
Example 3. Logging and dropping flood packets.
In the 4th line, Iptables drops packets from any source that exceeds the threshold set in the 2nd line.
iptables -N NTP
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name log_limit -j LOG --log-prefix "NTP-DoS: "
iptables -A NTP -j DROP
iptables -A INPUT -p udp --dport 123 -j NTP
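The LOG rules in Examples 1 to 3 only write "NTP-DoS: " lines to the kernel log; somebody still has to read them. The following script is an added example (not part of the original article) that triages those lines: it counts hits per source address and lists the sources above a chosen threshold. The log lines in SAMPLE_LOG are constructed to match the iptables LOG target's output format, using TEST-NET addresses; the unrelated kernel line is there to show that only prefixed lines are counted.

```shell
#!/bin/sh
# Added example: triage "NTP-DoS: " kernel log lines produced by the LOG rules above.
# SAMPLE_LOG is constructed test data in the iptables LOG format; real data would come
# from journalctl -k or /var/log/kern.log.
SAMPLE_LOG='Mar 10 12:00:01 ntp1 kernel: NTP-DoS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 10 12:00:01 ntp1 kernel: NTP-DoS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=40123 DPT=123 LEN=56
Mar 10 12:00:02 ntp1 kernel: NTP-DoS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 10 12:00:02 ntp1 kernel: eth0: link is up, 1000 Mbps full duplex
Mar 10 12:00:03 ntp1 kernel: NTP-DoS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=40123 DPT=123 LEN=56
Mar 10 12:00:03 ntp1 kernel: NTP-DoS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56'

# ntp_dos_hits: read kernel log lines on stdin, print "count src" per source, busiest first.
# Only lines carrying the "NTP-DoS: " prefix are considered; everything else is ignored.
ntp_dos_hits() {
    grep 'NTP-DoS: ' \
      | sed -n 's/.*SRC=\([0-9][0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# ntp_dos_offenders THRESHOLD: sources with at least THRESHOLD logged hits, one per line.
ntp_dos_offenders() {
    ntp_dos_hits | awk -v min="$1" '$1 >= min {print $2}'
}

# ntp_dos_count_for SRC: number of logged hits for one source (0 when it never appears).
ntp_dos_count_for() {
    ntp_dos_hits | awk -v ip="$1" '$2 == ip {n = $1} END {print n + 0}'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ntp_dos_hits
printf '%s\n' "$SAMPLE_LOG" | ntp_dos_offenders 3
```

Because Example 2 and Example 3 cap the LOG rule at 1 event per second per source, the counts are a lower bound on the flood volume, not a packet count; they are still enough to rank sources and decide which ones deserve a longer block.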
Example 4. Block flood source IP addresses for 5 minutes with ipset.
Create a blacklist set of source IP addresses with the ipset name NTP-BLOCK. Every entry added to this set counts down from 300 seconds and is removed when its timer expires.
ipset create NTP-BLOCK hash:ip family inet hashsize 8182 maxelem 65536 timeout 300
2nd line: Apply the blocking rule with the option "-m set --match-set" against the set named "NTP-BLOCK", matching on the source IP address of the incoming packet.
5th line: Add entries to the "NTP-BLOCK" set with the option "-j SET --add-set", pushing the source IP of every packet that reaches this rule.
iptables -N NTP
iptables -A NTP -m set --match-set NTP-BLOCK src -j DROP
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
iptables -A NTP --match hashlimit --hashlimit-mode srcip --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name log_limit -j LOG --log-prefix "NTP-DoS: "
iptables -A NTP -j SET --add-set NTP-BLOCK src
iptables -A INPUT -p udp --dport 123 -j NTP
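The rules above are typed once; on a real server they are usually applied from a script at boot or after a configuration change, and running the commands as written a second time appends a duplicate NTP jump and fails on "ipset create". The script below is an added example (not the article's own code) that installs the Example 4 ruleset idempotently: "ipset create -exist" tolerates an existing set, the chain is created only when missing and flushed before being refilled, and "iptables -C" checks for the INPUT jump before appending it. It also adds a final "-j DROP" after the SET rule, which is my choice rather than the article's: in the chain above, the packet that trips the limit is recorded in NTP-BLOCK but then falls through to the INPUT policy. Because iptables and ipset need root, NTP_DRY_RUN defaults to 1 and the script prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: idempotent installer for the Example 4 ruleset (chain NTP, set NTP-BLOCK).
# NTP_DRY_RUN=1 (default) prints each command; NTP_DRY_RUN=0 executes it (requires root).
NTP_DRY_RUN="${NTP_DRY_RUN:-1}"
CHAIN=NTP
SET=NTP-BLOCK
BLOCK_SECONDS=300

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$NTP_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

install_ntp_rules() {
    # -exist makes create succeed when the set is already there (its timeout is kept).
    run ipset create -exist "$SET" hash:ip family inet hashsize 8182 maxelem 65536 timeout "$BLOCK_SECONDS"

    # Create the chain only if it does not exist yet, then flush it so that the
    # rules below are the only ones in it, whatever was there before.
    if [ "$NTP_DRY_RUN" = 1 ] || ! iptables -nL "$CHAIN" >/dev/null 2>&1; then
        run iptables -N "$CHAIN"
    fi
    run iptables -F "$CHAIN"

    # 1. Already-blacklisted sources are dropped before any rate accounting.
    run iptables -A "$CHAIN" -m set --match-set "$SET" src -j DROP
    # 2. Normal usage: up to 10 packets/s per source with a burst of 20 is accepted.
    run iptables -A "$CHAIN" -m hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
    # 3. Excess traffic is logged, at most once per second per source.
    run iptables -A "$CHAIN" -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name log_limit -j LOG --log-prefix "NTP-DoS: "
    # 4. The offending source is added to the set for BLOCK_SECONDS.
    run iptables -A "$CHAIN" -j SET --add-set "$SET" src
    # 5. Added here: drop the offending packet itself instead of returning to INPUT.
    run iptables -A "$CHAIN" -j DROP

    # Append the INPUT jump only if it is not already present (-C checks for it).
    if [ "$NTP_DRY_RUN" = 1 ] || ! iptables -C INPUT -p udp --dport 123 -j "$CHAIN" 2>/dev/null; then
        run iptables -A INPUT -p udp --dport 123 -j "$CHAIN"
    fi
}

install_ntp_rules
```

Run it once with the default dry run to review the exact commands, then with NTP_DRY_RUN=0 as root to apply them. Afterwards, "ipset list NTP-BLOCK" shows the currently blocked sources with their remaining timeout, and "iptables -nvL NTP" shows per-rule packet counters, which makes it easy to see how much traffic is being accepted, logged and dropped.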