This repository contains guidelines and commands for optimizing server settings to prevent flooding and improve performance. it is suggested to whitelist ip's which are necessary to avoid them get flagged
modprobe ip_conntrack
sysctl -q -w net.ipv4.tcp_synack_retries=1
sysctl -q -w net.ipv4.tcp_syncookies=1
sysctl -q -w net.ipv4.tcp_timestamps=1
sysctl -q -w net.netfilter.nf_conntrack_max=10000000
sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=0#Step 2: Changing user files and maximum user processes
ulimit -n 999999
^open files - try the highest which you can set
ulimit -u 999999
^ user proc - try the highest which you can set
ulimit unlimitedIn most cases, these adjustments should mitigate rejection/dropping of incoming connections due to flooding. However, if your server experiences increased CPU usage or lag, additional steps might be necessary.
#Step 3: Setup + Iptables - TCP options
Install iptables if not already installed:
apt-get install iptablesAdjust TCP options using iptables for better traffic control:
# Usage of TCP options
# --tcp-option 4 = SACK Permitted
# --tcp-option 5 = SACK
# --tcp-option 8 = Timestamp for handshakes
# Example rules
iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-option 8 -j DROP
iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-option 5 -j DROP
iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-option 4 -j RETURN
#Accept established traffic
iptables -t raw -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t raw -A PREROUTING -i lo -j ACCEPT
iptables -t mangle -A PREROUTING -i tun+ -j ACCEPT
#Step 4: Extra - Iptables - DROP Completely Socket Floods
apt install ipset -y
ipset create blocked hash:ip timeout 180000
iptables -t raw -A PREROUTING -p tcp -m tcp -m set --match-set blocked src -j DROP
# Additional HTTP blocking methods (customize to your needs)
# Method (1): Blocks all HTTP request methods on each port
iptables -t raw -A PREROUTING -p tcp --dport 1:65535 -m string --algo bm --string 'HTTP' -j SET --add-set blocked src
# Method (2): Blocks specific HTTP versions on each port
iptables -t raw -A PREROUTING -p tcp --dport 1:65535 -m string --algo bm --string 'HTTP/1.1' -j SET --add-set blocked src
iptables -t raw -A PREROUTING -p tcp --dport 1:65535 -m string --algo bm --string 'HTTP/1.2' -j SET --add-set blocked src
# Additional rules (customize as needed)
# Block Packets From Private Subnets (Spoofing)
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
# Block Invalid Packets
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
# Simple rate limit - ratelimits over than 4 established connections by 1 source-ip "Replace Destinaton-Port(--dport) to you needings"
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1:65535 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 4 --connlimit-mask 32 --connlimit-saddr -j DROPBe Sure to use too a Hosting that is already set-up with a good firewall just like https://solia.cloud - IPtables are not made to filter/stop DDoS Attacks they can just help a little bit.