Differences
This shows you the differences between two versions of the page.
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:08] qtwrk
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:39] qtwrk
Line 1: | Line 1: | ||
- | ===== How to use firewall together with LiteSpeed ADC for Anti-DDoS. ===== | + | ===== How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS. ===== |
LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables, csf and firewalld) | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables, csf and firewalld) | ||
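Review bot: the unchanged intro line still says the feature modifies the firewall via ''ifconfig'' and ''ipset''; ifconfig configures interfaces, not firewall rules, and the commands this revision adds below use iptables and ipset, so this should almost certainly read ''iptables'' and ''ipset''. The same line also lists firewalld among the supported firewalls, while the new heading names only ConfigServer Security Firewall and Iptables and no firewalld section exists in the diff; either drop firewalld from the intro or add the section. Minor: "this is guide" should read "this is a guide".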
Line 12: | Line 12: | ||
{{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | ||
+ | ==== Iptables configuration ==== | ||
+ | |||
+ | <code> | ||
+ | ipset create ls-anti-ddos hash:ip hashsize 4096 | ||
+ | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ||
+ | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | ||
+ | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | ||
+ | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
- | ==== ConfigServer Security & Firewall and Iptables configuration ==== | + | ==== ConfigServer Security & Firewall configuration ==== |
For csf, create file ''/etc/csf/csfpost.sh'' with content: | For csf, create file ''/etc/csf/csfpost.sh'' with content: | ||
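Review bot: the rule order in the new Iptables block leaves the QUIC ACCEPT above the anti-DDoS DROP. Each `iptables -I INPUT` without a rule number inserts at position 1, so after the three iptables lines run, `iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT` sits first in INPUT and UDP packets from an address in ls-anti-ddos to a QUIC port are accepted before the DROP rule is reached. If blocked sources are meant to lose QUIC access as well, run the ACCEPT insert first and the two DROP inserts after it. Separately, `ipset create ls-anti-ddos hash:ip hashsize 4096` lacks the `-exist` that the ls-quic-ports line has, so re-running the block fails once the set exists, and each re-run of the `-I` lines adds duplicate rules; an `iptables -C ... || iptables -I ...` guard avoids that. The section also says nothing about persisting these sets and rules across a reboot, which the csf section handles through csfpost.sh.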
Line 27: | Line 35: | ||
and then reload it by command ''csf -r'' | and then reload it by command ''csf -r'' | ||
- | for iptables , run above two ''ipset'' commands and three ''iptablets'' commands to create the list and block rule. | + | ==== Verify Ipset ==== |
verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | ||
<code>[root@test]# ipset list | <code>[root@test]# ipset list | ||
- | Name: chain_DENY | + | ... |
- | Type: hash:net | + | ... |
- | Revision: 3 | + | |
- | Header: family inet hashsize 1024 maxelem 65536 | + | |
- | Size in memory: 16784 | + | |
- | References: 2 | + | |
- | Members: | + | |
- | + | ||
- | Name: chain_ALLOW | + | |
- | Type: hash:net | + | |
- | Revision: 3 | + | |
- | Header: family inet hashsize 1024 maxelem 65536 | + | |
- | Size in memory: 16784 | + | |
- | References: 2 | + | |
- | Members: | + | |
Name: ls-anti-ddos | Name: ls-anti-ddos | ||
Type: hash:ip | Type: hash:ip |
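Review bot: style point on the context line under the new "Verify Ipset" heading: "verify if the script works as intent" should read "verify that the script works as intended", and "2 blocks" should be "2 sets", since ipset list shows sets. Since the removed sentence was the only place that told iptables users to run the commands, the new Verify Ipset section should state that it applies to both the csf and the Iptables setup, otherwise readers of the Iptables section have no verification step pointing back to them.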