使用 nftables 实现简单 DDoS 攻击防护的规则



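# Base chain for incoming traffic to the Minecraft server.
# NOTE: nftables chains must be declared inside a table (e.g. `table inet filter { ... }`);
# no table declaration is shown on this page. Validate with `nft -c -f <file>` before
# loading the ruleset.
chain input {
  # There is no `policy drop;`, so anything not matched below falls through to accept
  # (UDP, TCP ports above 1023, ...). Add `policy drop;` only together with explicit
  # accept rules for ICMP/ICMPv6 and for management access, or the host locks itself out.
  type filter hook input priority 0;

  # Loopback must always be accepted: without this the 127.0.0.0/8 rule below
  # rejects every local-only connection (RCON, local databases, health checks).
  iifname "lo" accept

  # Replies to connections the server opened itself (DNS, Mojang auth, ...) are let
  # through here, so the rate limiter further down only ever sees *new* connections.
  ct state established,related accept

  # Accept everything arriving on the local-network interface.
  # Every rule below is skipped for eth0 traffic: if eth0 is in fact the
  # Internet-facing interface, the anti-DDoS rules never run — confirm the
  # interface roles before deploying.
  iifname "eth0" accept

  # Drop (not reject) packets claiming a loopback or private source address.
  # On a public interface these are spoofed, and answering a spoofed source
  # only produces backscatter.
  ip saddr 127.0.0.0/8 counter drop
  ip saddr 10.0.0.0/8 counter drop
  ip saddr 172.16.0.0/12 counter drop
  ip saddr 192.168.0.0/16 counter drop

  # Drop source-routed packets. The original `ip option drop` names no option type
  # and does not parse; `ip option <type> exists` is the documented form
  # (needs a reasonably recent nft).
  ip option lsrr exists counter drop
  ip option ssrr exists counter drop

  # Reverse-path check: drop packets whose source address is not routable back
  # through the interface they arrived on. Disable on multi-homed hosts with
  # asymmetric routing, where it drops legitimate traffic.
  fib saddr . iif oif missing counter drop

  # Per-source limit: more than 25 new connections per minute from one address are
  # dropped. `limit rate` without `over` matches packets *within* the limit, so
  # `over` is required; the original rule also had no verdict and no per-address
  # key, so it only counted. The `block` chain applies a stricter 15/minute limit,
  # so consider keeping just one of the two thresholds.
  ct state new meter input_per_src { ip saddr limit rate over 25/minute } counter drop

  # Reject new connections to well-known ports (0-1023). This includes SSH (22):
  # management access has to arrive on the interface accepted above.
  tcp dport 0-1023 ct state new counter reject

  # Minecraft server port.
  tcp dport 25565 accept
}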

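# Base chain for traffic originating from the Minecraft server.
# NOTE: nftables chains must be declared inside a table (e.g. `table inet filter { ... }`);
# no table declaration is shown on this page. Validate with `nft -c -f <file>` before
# loading the ruleset.
chain output {
  # No `policy drop;`: anything not matched below is accepted.
  type filter hook output priority 0;

  # Loopback destinations (127.0.0.0/8) leave via lo; without this the
  # 127.0.0.0/8 rule below breaks every local-only connection.
  oifname "lo" accept

  # Replies belonging to already-accepted connections (including the server's own
  # responses on port 25565 and any management service) are let through here.
  ct state established,related accept

  # Accept everything sent on the local-network interface. Every rule below is
  # skipped for eth0 traffic — confirm which interface is Internet-facing.
  oifname "eth0" accept

  # Reject new connections to loopback or private destination addresses.
  ip daddr 127.0.0.0/8 counter reject
  ip daddr 10.0.0.0/8 counter reject
  ip daddr 172.16.0.0/12 counter reject
  ip daddr 192.168.0.0/16 counter reject

  # Drop source-routed packets. The original `ip option drop` names no option type
  # and does not parse; `ip option <type> exists` is the documented form.
  ip option lsrr exists counter drop
  ip option ssrr exists counter drop

  # Per-destination limit on new outbound connections: more than 25 per minute to
  # one address are dropped. `over` is required (without it the rule matches
  # traffic *within* the limit), and the original rule had no verdict and no
  # per-address key, so it only counted. Tune the rate: a busy server that
  # authenticates many logins against one API endpoint can exceed it.
  ct state new meter output_per_dst { ip daddr limit rate over 25/minute } counter drop

  # Reject new outbound connections using a well-known source port (0-1023).
  # Restricted to `ct state new` so the server's own service replies are not
  # rejected (they are accepted by the established,related rule anyway).
  tcp sport 0-1023 ct state new counter reject

  # Minecraft server port.
  tcp sport 25565 accept
}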

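# Second base chain on the input hook, run after `input` (priority 100 > 0).
# An `accept` verdict in `input` does not skip this chain: the packet is still
# evaluated here, so these limits also cover traffic accepted by `iifname "eth0"`.
chain block {
  type filter hook input priority 100;

  # Packets that belong to no tracked connection (stray ACKs, out-of-window
  # segments). Drop rather than reject: the sources are frequently spoofed, and
  # replying to them only adds backscatter.
  ct state invalid counter drop

  # Sustained flood: more than 15 new connections per minute from one source.
  # The original `limit rate 15/minute` (no `over`) matched connections *within*
  # the limit, i.e. it rejected the first 15 per minute and let the flood through;
  # it was also a global counter rather than per source address.
  ct state new meter block_per_min { ip saddr limit rate over 15/minute } counter drop

  # Burst: more than 5 new connections per second from one source (same fix as above).
  ct state new meter block_per_sec { ip saddr limit rate over 5/second } counter drop
}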

代码来源:https://github.com/Alexitru/nftables-minecraft-ddos-mitigation/blob/main/nftables.conf

标签: 规则, 防护, nftables, DDOS, 攻击
