Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:17] qtwrk |
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:40] qtwrk |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== How to use firewall together with LiteSpeed ADC for Anti-DDoS. ===== | + | ===== How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS. ===== |
| - | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables, csf and firewalld) | + | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables or csf) |
| Line 12: | Line 12: | ||
| {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | ||
| - | ==== Firewalld configuration ==== | + | ==== Iptables configuration ==== |
| - | ==== ConfigServer Security & Firewall and Iptables configuration ==== | + | For iptables , run below commands to set up list and rules. |
| + | |||
| + | <code> | ||
| + | ipset create ls-anti-ddos hash:ip hashsize 4096 | ||
| + | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ||
| + | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | ||
| + | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | ||
| + | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
| + | |||
| + | |||
| + | ==== ConfigServer Security & Firewall configuration ==== | ||
| For csf, create file ''/etc/csf/csfpost.sh'' with content: | For csf, create file ''/etc/csf/csfpost.sh'' with content: | ||
| Line 27: | Line 37: | ||
| and then reload it by command ''csf -r'' | and then reload it by command ''csf -r'' | ||
| - | for iptables , run above two ''ipset'' commands and three ''iptablets'' commands to create the list and block rule. | + | ==== Verify Ipset ==== |
| verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | ||
| <code>[root@test]# ipset list | <code>[root@test]# ipset list | ||
| - | Name: chain_DENY | + | ... |
| - | Type: hash:net | + | ... |
| - | Revision: 3 | + | |
| - | Header: family inet hashsize 1024 maxelem 65536 | + | |
| - | Size in memory: 16784 | + | |
| - | References: 2 | + | |
| - | Members: | + | |
| - | + | ||
| - | Name: chain_ALLOW | + | |
| - | Type: hash:net | + | |
| - | Revision: 3 | + | |
| - | Header: family inet hashsize 1024 maxelem 65536 | + | |
| - | Size in memory: 16784 | + | |
| - | References: 2 | + | |
| - | Members: | + | |
| Name: ls-anti-ddos | Name: ls-anti-ddos | ||
| Type: hash:ip | Type: hash:ip | ||