Igor Petrov, 2017-02-08 09:41:46
iptables

How to make iptables+synproxy and forwarding to ipip tunnel work?

The idea is as follows: there is one machine with enough resources to fend off the SYN flood, and traffic from it is sent through a GRE tunnel to another machine. With a few simple rules:
iptables -A POSTROUTING -t nat -p tcp -s 192.168.168.0/30 -j SNAT --to-source 192.168.0.1
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 -j DNAT --to-destination 192.168.168.2
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
traffic flies into the tunnel.
SYNPROXY should help with this:
iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m state --state INVALID -j DROP
But the problem is that with these rules in place, traffic stops entering the tunnel. The question is: how do I filter the flood and send only clean traffic into the tunnel?
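As an added example, not part of the original question: a small POSIX shell script that checks the two sysctls SYNPROXY depends on and sums the kernel's per-CPU SYNPROXY counters from /proc/net/stat/synproxy, so you can tell whether the flood is actually being absorbed before debugging the forwarding rules. The sample counters below are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for a SYNPROXY
# deployment: verify the sysctls the target depends on and sum the per-CPU
# counters from /proc/net/stat/synproxy. The sample stats file is constructed.

# SYNPROXY encodes its cookie in TCP timestamps, and conntrack must not pick
# up mid-stream packets: with nf_conntrack_tcp_loose=1 the client's final ACK
# is tracked as NEW and never reaches the INVALID,UNTRACKED rule.
check_prereqs() {  # $1 = nf_conntrack_tcp_loose, $2 = tcp_timestamps
  [ "$1" = 0 ] && [ "$2" = 1 ]
}
# Live variant: read the values from the running kernel.
read_prereqs() {
  check_prereqs "$(cat /proc/sys/net/netfilter/nf_conntrack_tcp_loose)" \
                "$(cat /proc/sys/net/ipv4/tcp_timestamps)"
}

# Sum one column of a synproxy stats file: a header line, then one row of
# hex counters per CPU. $1 = file, $2 = column name.
synproxy_stat() {
  sum=0
  for h in $(awk -v c="$2" 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == c) col = i; next }
                            col { print $col }' "$1"); do
    sum=$((sum + 0x$h))
  done
  echo "$sum"
}

# Report what the counters say about the deployment. $1 = stats file.
synproxy_verdict() {
  syn=$(synproxy_stat "$1" syn_received)
  ok=$(synproxy_stat "$1" cookie_valid)
  bad=$(synproxy_stat "$1" cookie_invalid)
  if [ "$syn" -eq 0 ]; then
    echo "idle: no SYN has reached the SYNPROXY rule (check the raw notrack rule and the chain)"
  elif [ "$ok" -eq 0 ]; then
    echo "no valid cookies: $bad invalid (spoofed SYNs, or client ACKs never reach the rule)"
  else
    echo "active: $ok handshakes completed, $bad invalid cookies"
  fi
}

# Constructed sample in the kernel's format (header, then one row per CPU).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
entries  syn_received  cookie_invalid  cookie_valid  cookie_retrans  conn_reopened
00000000 0000003a 00000004 00000021 00000002 00000000
00000000 00000010 00000001 0000000c 00000000 00000000
EOF
```

On a live host, run `read_prereqs && synproxy_verdict /proc/net/stat/synproxy`; a counter file that stays at zero while the flood is ongoing means the SYNs are not hitting the SYNPROXY rule at all.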
