GFW-DDOS-protection:

iptables rules to protect against GFW-prober DDOS and port scanning

motivation:

• we notice that GFW-probers sometimes flood v2ray server with thousands of simoltaneous connection
• if xray port opened without protection , sometimes number of tcp connections raise up to +50K , little after IP get blocked
• we log all IP and all requests using this tool: https://github.com/GFW-knocker/gfw_resist_http_proxy
• we identify that this behavior is due to DDOS-like attack of GFW node to probe vpn server and block them

how this protection work:

• it is set of iptables rules (firewall)
• block all ICMP/ping
• limit rate of tcp request to 20/sec per IP
• limit total established connection to 100 per IP
• port scan protection script (IP blocked for 30min if scan +5 port)

ufw rate-limit (limit 20 syn & 100 established TCP per IP)

0. open file /etc/ufw/before.rules
   sudo vim /etc/ufw/before.rules
   
   

1. Add those lines after *filter near the beginning of the file:
   :ufw-http - [0:0]
:ufw-http-logdrop - [0:0]
   

2. first change listen port below then Add those lines near the end of the file, just before the COMMIT:
   ### start ###
# Entry point - add your listen port here instead of 80 or 443
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http

# Limit 100 established connections per IP
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 100 --connlimit-mask 24 -j ufw-http-logdrop

# Limit 20 new connections per IP per sec
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop

# Finally accept
-A ufw-http -j ACCEPT

# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### end ###
   
   

3. replace ICMP ACCEPT with DROP
   # ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP
   
   

4. reload ufw:
   sudo ufw reload
   

PortScan Protection (scan 5 port within 1 min -> block 30 min):

• set permission:
  chmod +x iptables_portscan_protection.sh
  
• run with root user:
  ./iptables_portscan_protection.sh
  
• rules applied immidiately but you need to run this after every restart
  

iptables user manual:

• https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-en-4/s1-iptables-options.html
• https://bookofzeus.com/harden-ubuntu/hardening/protect-ddos-attacks/
• https://javapipe.com/blog/iptables-ddos-protection/

usefull commands

ipset list
ipset list port_scanners
ipset flush
ipset destroy
ufw allow 80/tcp
ufw delete allow 80/tcp
iptables -L INPUT -v
iptables -S

usefull path

/etc/ufw/
/var/log/ufw.log
/var/log/nginx/access.log
/etc/nginx/sites-available/
/var/www/html/
/etc/x-ui/x-ui.db
/usr/local/x-ui/access.log