李子

2018/12/05

Using an IPIP Tunnel for DDoS Filtering

DDoS-protected VPS (filtering node):
91.121.255.214 (DDoS-protected IP)
31.21.25.14 (unprotected IP)
Protected VPS (target IP):
185.72.66.69

modprobe ipip
modprobe ip_gre
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p

Establishing the IPIP tunnel
DDoS-protected VPS:

#iptunnel add ipip1 mode ipip local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255
iptunnel add ipip1 mode ipip local 91.121.255.214 remote 185.172.66.69 ttl 255
ip addr add 192.168.168.1/30 dev ipip1
ip link set ipip1 up

Protected VPS:

#iptunnel add ipip1 mode ipip local DESTINATION_SERVER_IP remote YOUR_FILTERED_IP ttl 255
iptunnel add ipip1 mode ipip local 185.172.66.69 remote 91.121.255.214 ttl 255
ip addr add 192.168.168.2/30 dev ipip1
ip link set ipip1 up

Ping each end's tunnel (internal) address from the other to test connectivity.

Configuring the source routing table
A source-routing rule is needed (on the protected VPS) so that traffic which arrived through the IPIP tunnel is answered back out through the IPIP tunnel rather than via the server's own default route.

echo '100 BUYVM' >> /etc/iproute2/rt_tables
ip rule add from 192.168.168.0/30 table BUYVM
ip route add default via 192.168.168.1 table BUYVM

DDoS-protected VPS:

#iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source YOUR_FILTERED_IP
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source 91.121.255.214

Test outbound connectivity (from the protected VPS, via the tunnel address):

curl http://myip.ipip.net --interface 192.168.168.2
wget http://myip.ipip.net --bind-address=192.168.168.2 -q -O -

Forwarding ports over the IPIP tunnel
For convenience, all ports can be forwarded from the filtered IP to the backend server. You can also change this to forward only specific ports.

DDoS-protected VPS:

#iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2
iptables -t nat -A PREROUTING -d 91.121.255.214 -j DNAT --to-destination 192.168.168.2
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
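The script below is an added example, not part of the original post: it performs the protected-VPS side of the procedure above (tunnel, policy routing) and then adds the check the post leaves out, namely that the backend's real IP must not keep serving traffic that bypasses the filter. It assumes the service listens on TCP port 80 (a constructed value, override with SERVICE_PORT) and uses `ip tunnel`, the current equivalent of the legacy `iptunnel`.

```shell
#!/bin/sh
# Added example, not from the original post. Sets up the protected VPS end of
# the IPIP tunnel described above and then restricts the service so that it is
# reachable only through the tunnel. Assumptions: the service listens on TCP
# SERVICE_PORT (80 here, a constructed value); `ip tunnel` replaces the legacy
# `iptunnel`. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
set -eu

FILTERED_IP=91.121.255.214      # outer IP of the DDoS-protected VPS
BACKEND_IP=185.172.66.69        # outer (real) IP of the protected VPS
TUN_LOCAL=192.168.168.2         # inner tunnel address on the protected VPS
TUN_PEER=192.168.168.1          # inner tunnel address on the filtering node
SERVICE_PORT=${SERVICE_PORT:-80}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Tunnel and policy routing as in the post: replies to packets that arrived
# over ipip1 must be routed back into ipip1, not out of the real interface.
tunnel_cmds() {
    run modprobe ipip
    run sysctl -w net.ipv4.ip_forward=1
    run ip tunnel add ipip1 mode ipip local "$BACKEND_IP" remote "$FILTERED_IP" ttl 255
    run ip addr add "$TUN_LOCAL/30" dev ipip1
    run ip link set ipip1 up
    run sh -c "grep -q BUYVM /etc/iproute2/rt_tables || echo '100 BUYVM' >> /etc/iproute2/rt_tables"
    run ip rule add from 192.168.168.0/30 table BUYVM
    run ip route add default via "$TUN_PEER" table BUYVM
}

# The post leaves the backend's real IP reachable, so anyone who learns it can
# bypass the filter. Accept IPIP (protocol 4) only from the filtering node and
# the service only on ipip1; direct hits on the service port are dropped.
# Other ports (e.g. SSH) are left alone so the box cannot lock itself out.
firewall_cmds() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p 4 -s "$FILTERED_IP" -j ACCEPT
    run iptables -A INPUT -i ipip1 -p tcp --dport "$SERVICE_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SERVICE_PORT" -j DROP
}

plan() { tunnel_cmds; firewall_cmds; }

plan
```

After applying, `curl http://185.172.66.69` from outside should time out while the same request to 91.121.255.214 still reaches the backend through the tunnel.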
Last modification:December 5th, 2018 at 10:14 am

2 comments

  1. xiaoz

    Wouldn't going through a tunnel be too inefficient?

    1. 李子
      @xiaoz

      It's fine.
