Differences
This shows you the differences between two versions of the page.
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:19] qtwrk
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:40] qtwrk
Line 1: | Line 1: | ||
- | ===== How to use firewall together with LiteSpeed ADC for Anti-DDoS. ===== | + | ===== How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS. ===== |
- | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables, csf and firewalld) | + | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables or csf) |
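Review bot: The revised intro sentence still says the ADC modifies the firewall via ''ifconfig'' and ''ipset''; ifconfig manages network interfaces, not filter rules, and every command in the section below uses ''ipset'' and ''iptables'', so this should read ''iptables'' and ''ipset'' unless the ADC really does call ifconfig. Minor wording on the same line: "this is guide for how to integrate" reads better as "this is a guide to integrating", and the new heading drops the "&" from "ConfigServer Security & Firewall" that the section heading further down still uses.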
Line 12: | Line 12: | ||
{{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | ||
- | ==== Firewalld configuration ==== | + | ==== Iptables configuration ==== |
- | <code>ipset create ls-anti-ddos hash:ip hashsize 4096 | + | For iptables , run below commands to set up list and rules. |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist</code> | + | |
+ | <code> | ||
+ | ipset create ls-anti-ddos hash:ip hashsize 4096 | ||
+ | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ||
+ | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | ||
+ | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | ||
+ | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
- | ==== ConfigServer Security & Firewall and Iptables configuration ==== | + | |
+ | ==== ConfigServer Security & Firewall configuration ==== | ||
For csf, create file ''/etc/csf/csfpost.sh'' with content: | For csf, create file ''/etc/csf/csfpost.sh'' with content: | ||
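Review bot: Rule ordering in the new <code> block: all three iptables rules use ''-I'', which inserts at position 1 of the chain, so the last command (UDP ACCEPT on ''ls-quic-ports'') lands above the ''ls-anti-ddos'' DROP in INPUT. An address in the blocked set can therefore still reach the QUIC ports over UDP. If the intent is for blocked IPs to be dropped on all traffic, run the ACCEPT first and the DROP second, or append the ACCEPT with ''-A'' instead. Two smaller points: only the second ''ipset create'' carries ''-exist'', so re-running the block fails on the first command once the set exists (add ''-exist'' there too), and neither the sets nor the rules survive a reboot, so the page should say how to persist them (''ipset save'' plus ''iptables-save'', or whatever the distribution provides). Wording: "run below commands" should be "run the commands below", and there is a stray space before the comma in "iptables ,".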
Line 30: | Line 36: | ||
and then reload it by command ''csf -r'' | and then reload it by command ''csf -r'' | ||
- | |||
- | for iptables , run above two ''ipset'' commands and three ''iptablets'' commands to create the list and block rule. | ||
- | |||
- | |||
==== Verify Ipset ==== | ==== Verify Ipset ==== |
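Review bot: Dropping the old pointer ("run above two ipset commands and three iptablets commands") in favour of the dedicated Iptables section is the right cleanup, but the csf path depends on ''/etc/csf/csfpost.sh'', whose contents sit outside this diff (old Line 30 / new Line 36). Confirm that file carries the same five commands as the new Iptables block, FORWARD drop and QUIC ACCEPT included, with the same attention to ''-I'' ordering, so the csf and plain-iptables instructions do not drift apart.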