Hello, i have bad experience regarding Outgoing UDP flood.
If i put UDP flood rules on HOST server, they cover also GUEST ( Openvz, LXC, KVM ) VPS ?
My RULES in init.d script:
------------------------------------------------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network $remote_fs $syslog
# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description: Activate iptables.
### END INIT INFO
WAN="eth1"
LAN="eth0"
case "$1" in
start)
echo "STRATING FIREWALL"
PATH='/sbin'
## INIT
# Flush previous rules, delete chains and reset counters
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Outbound UDP Flood protection in a user defined chain.
/sbin/iptables -N udp-flood
/sbin/iptables -A OUTPUT -p udp -j udp-flood
/sbin/iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
/sbin/iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
/sbin/iptables -A udp-flood -j DROP
# allow dns requests to google nameservers
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 85.18.200.200 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 89.97.140.140 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# block all other udp
/sbin/iptables -A OUTPUT -p udp -j DROP
/sbin/ip6tables -A OUTPUT -p udp -j DROP
;;
stop)
echo "Stopping FIREWALL Flush previous rules, delete chains and reset counters"
# Flush previous rules, delete chains and reset counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo "FIREWALL STOPPED"
iptables -L
iptables -t nat -L -nv
;;
restart)
echo "Restarting Firewall"
/etc/init.d/firewall stop;
/etc/init.d/firewall start;
;;
status)
iptables -L -x -v -n --line-numbers
iptables -L -x -v -n -t nat --line-numbers
;;
*)
echo "Usage: /etc/init.dfirewall {start|stop}"
exit 1
;;
esac
exit 0
---------------------------------------------------------------------------------------------
If i put UDP flood rules on HOST server, they cover also GUEST ( Openvz, LXC, KVM ) VPS ?
My RULES in init.d script:
------------------------------------------------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network $remote_fs $syslog
# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description: Activate iptables.
### END INIT INFO
WAN="eth1"
LAN="eth0"
case "$1" in
start)
echo "STRATING FIREWALL"
PATH='/sbin'
## INIT
# Flush previous rules, delete chains and reset counters
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Outbound UDP Flood protection in a user defined chain.
/sbin/iptables -N udp-flood
/sbin/iptables -A OUTPUT -p udp -j udp-flood
/sbin/iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
/sbin/iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
/sbin/iptables -A udp-flood -j DROP
# allow dns requests to google nameservers
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 85.18.200.200 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -d 89.97.140.140 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# block all other udp
/sbin/iptables -A OUTPUT -p udp -j DROP
/sbin/ip6tables -A OUTPUT -p udp -j DROP
;;
stop)
echo "Stopping FIREWALL Flush previous rules, delete chains and reset counters"
# Flush previous rules, delete chains and reset counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo "FIREWALL STOPPED"
iptables -L
iptables -t nat -L -nv
;;
restart)
echo "Restarting Firewall"
/etc/init.d/firewall stop;
/etc/init.d/firewall start;
;;
status)
iptables -L -x -v -n --line-numbers
iptables -L -x -v -n -t nat --line-numbers
;;
*)
echo "Usage: /etc/init.dfirewall {start|stop}"
exit 1
;;
esac
exit 0
---------------------------------------------------------------------------------------------