Skip to content

xiaosuo/ipt_SYNPROXY

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

74 Commits
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
TODO
TODO
 
 

Repository files navigation

ipt_SYNPROXY

It is an implementation of SYNPROXY based on netfilter of Linux. An iptables raw target SYNPROXY is implemented.

In order to use it, you must get the newest Linux kernel source code, and follow the following steps:

cd linux
patch -p1 < path-to-synproxy.diff
/* you need select raw table, ip_conntrack and syncookies */
make && make install modules_install && reboot
cd path-to-synproxy
make
cp libipt_SYNPROXY.so path-to-iptables-shared-module
insmod ipt_SYNPROXY.ko

If there isn't any error in the above steps, congratulations, and you can play with it.

For example, you want to protect the local HTTP server from the SYN-flood attacks:

iptables -t raw -A PREROUTING -p tcp --dport 80 \
	--tcp-flags SYN,ACK,RST,FIN SYN \
	-m conntrack --ctstate INVALID -j SYNPROXY

If you run SYNPROXY on a gateway which does DNAT, you should move the DNAT rules from PREROUTING to OUTPUT chain, because the second SYN to the server is sent locally.

About

An implementation of SYNPROXY as an iptables target

Resources

Readme
Activity

Stars

12 stars

Watchers

4 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages