Tutorial 2 NFO Servers SoftEther VPN Protect from DDOS

[ipengineer78]

Hello,

I am a new user of the software but I am glad I found it, what an amazing job your company has done on this software I could not be happier with its features.

I have created two tutorials on the software. I was looking for a solution to my issues and had no idea your software existed. I came across a random forum post in the

search of a resolution to my problem that had a link to your web site.

Tutorial 2
NFO Servers SoftEther VPN Protect yourself from DDOS streaming on twitch.tv or while Gaming
https://www.youtube.com/watch?v=CQAHO5BQ9Cg

I will post Tutorial 2 in a second thread just in case someone is using the search feature in the forum they can land on the individual forum threads.

Thanks again! Your time and effort are greatly appreciated! Keep up the fantastic work!

Link to Tutorial 1 http://www.vpnusers.com/viewtopic.php?f=7&t=6441

Sincerely,
ipengineer78

[arad.ralami]

How can I achieve a open NAT type though soft ether? I got a strict doing this and my VPN won’t authenticate unless NAT and DHCP is enabled for some reason.

[cmd wh0ami]

iptables for ddos

Code: Select all

#Drop invalid packets 
/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  

#Drop TCP packets that are new and are not SYN
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 
 
#Drop SYN packets with suspicious MSS value 
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  

# Block packets with bogus TCP flags 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  

#Block spoofed packets
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  

#Drop ICMP (you usually don't need this protocol)
iptables -t mangle -A PREROUTING -p icmp -j DROP  

#Drop fragments in all chains ### 
iptables -t mangle -A PREROUTING -f -j DROP  

#Limit connections per source IP 
iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  

#Limit RST packets
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  

#Limit new TCP connections per second per source IP ### 
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

# SSH brute-force protection
 iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  

# Protection against port scanning
iptables -N port-scanning 
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 
iptables -A port-scanning -j DROP