Related

input requests Monitoring Question Question
Postfix not receiving mail and not finding any error messages. Question Question

Question

Convert IP tables rules into UFW

Posted March 5, 2015 5.7k views
Linux BasicsSecurityDebianLogging

Hi guys.
Can anyone tell me exactly how this rule would translate into UFW:

Outbound UDP Flood protection in a user defined chain.

iptables -N udp-flood
iptables -A OUTPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit –limit 50/s -j RETURN
iptables -A udp-flood -j LOG –log-level 4 –log-prefix ‘UDP-flood attempt: ’
iptables -A udp-flood -j DROP

It is to prevent massive UDP flood attacks on our server. At the moment I have a rule that simply blocks all ports apart from some specific service ports I need open. However, this is too restrictive.

My current rule :
-A ufw-after-output -p udp -j DROP

Thanks for any help!

Add a comment
msnorm
By:
msnorm
Add a comment
1 comment
  • ryanpq March 5, 2015
    Reply Report

    It is important to note that blocking large UDP floods at your droplet in software will likely not resolve the underlying problems. Your droplet will still need to refuse requests but more importantly, large inbound attacks can result in your droplet’s IP address being blackholed to prevent issues for other users on the network. If you believe you will be the target of this type of attack we recommend using a third party service (like CloudFlare for http) to provide DDoS protection.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
msnorm March 5, 2015

Thank you for the quick response. :)

The floods are not inbound they are outbound which is why I have set a rule to deny all outbound UDP packets. I already have been the target of such attacks and setting the above UFW rule has solved the problem, ie stopped the UDP floods, but because it’s too restrictive it has caused problems with some of the software I run.

First of all I can see a foreign ip port scanning my ip, then many UDP Fragment (1500) from <ip> to <ip> on eth0.

I don’t think cloudflare will help as I don’t run a public website that someone might think to attack.

Any suggestions how I can convert the rate limit rule to a UFW format?

Thanks.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help