Convert IP tables rules into UFW

March 5, 2015 1.5k views
Security Logging Linux Basics Debian

Hi guys.
Can anyone tell me exactly how this rule would translate into UFW:

Outbound UDP Flood protection in a user defined chain.

iptables -N udp-flood
iptables -A OUTPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP

It is to prevent massive UDP flood attacks on our server. At the moment I have a rule that simply blocks all ports apart from some specific service ports I need open. However, this is too restrictive.

My current rule :
-A ufw-after-output -p udp -j DROP

Thanks for any help!

1 comment
  • It is important to note that blocking large UDP floods at your droplet in software will likely not resolve the underlying problems. Your droplet will still need to refuse requests but more importantly, large inbound attacks can result in your droplet's IP address being blackholed to prevent issues for other users on the network. If you believe you will be the target of this type of attack we recommend using a third party service (like CloudFlare for http) to provide DDoS protection.

1 Answer

Thank you for the quick response. :)

The floods are not inbound they are outbound which is why I have set a rule to deny all outbound UDP packets. I already have been the target of such attacks and setting the above UFW rule has solved the problem, ie stopped the UDP floods, but because it's too restrictive it has caused problems with some of the software I run.

First of all I can see a foreign ip port scanning my ip, then many UDP Fragment (1500) from <ip> to <ip> on eth0.

I don't think cloudflare will help as I don't run a public website that someone might think to attack.

Any suggestions how I can convert the rate limit rule to a UFW format?


Have another answer? Share your knowledge.