Linux command to prevent DoS attack by using netstat and iptables

I want to DROP more than 200 requests per IP to prevent a DDoS attack. This is the command that I used to detect the request count per IP:

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr

Now I want to add all IP addresses that made more than 200 requests into iptables to DROP input and output.


Solution 1:

You can also use iptables to limit the rate of incoming connections. For example, if you don't want more than 200 connections per minute from a source:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 200 -j DROP
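An added example, not part of the original answer: a small POSIX sh helper that prints the two `recent` rules above for a chosen port, window and hit count, after checking `--hitcount` against the xt_recent module parameter `ip_pkt_list_tot`. The iptables-extensions manpage states that `--hitcount` may not exceed that parameter (default 20) and that a larger value makes the rule rejected, so `--hitcount 200` fails on kernels that enforce the cap unless the module is loaded with a larger `ip_pkt_list_tot`; on kernels that accept larger values the check is merely informational. The sysfs path is the standard location of the parameter once the module is loaded; the optional `PARAM_FILE` argument exists only so the check can be exercised against a constructed file.

```sh
#!/bin/sh
# Added example, not part of the original answer. Prints the answer's two
# "recent" rules after checking --hitcount against the xt_recent module
# parameter that caps it. Standard sysfs location once the module is loaded:
RECENT_PARAM=/sys/module/xt_recent/parameters/ip_pkt_list_tot

# Usage: recent_hitcount_ok HITCOUNT [PARAM_FILE]
# Returns 0 when HITCOUNT is within ip_pkt_list_tot, 1 when it exceeds it and
# 2 when the parameter cannot be read (module not loaded). PARAM_FILE only
# exists so the check can be run against a constructed file offline.
recent_hitcount_ok() {
    hitcount=$1
    param_file=${2:-$RECENT_PARAM}
    [ -r "$param_file" ] || return 2
    read -r limit < "$param_file"
    [ "$hitcount" -le "$limit" ]
}

# Usage: recent_rules PORT SECONDS HITCOUNT
# Prints the answer's two rules. Both use -I, so once applied the
# --update/DROP rule sits above the --set rule in the INPUT chain.
recent_rules() {
    printf 'iptables -I INPUT -p tcp --dport %s -m state --state NEW -m recent --set\n' "$1"
    printf 'iptables -I INPUT -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s -j DROP\n' "$1" "$2" "$3"
}

# Usage: apply_rate_limit PORT SECONDS HITCOUNT [PARAM_FILE]
# Prints the rules on stdout (pipe to sh to apply) when the hitcount fits;
# otherwise explains the problem on stderr and returns 1.
apply_rate_limit() {
    if recent_hitcount_ok "$3" "${4:-}"; then
        recent_rules "$1" "$2" "$3"
    else
        case $? in
            1) echo "hitcount $3 exceeds ip_pkt_list_tot=$limit: lower --hitcount or load xt_recent with a larger ip_pkt_list_tot" >&2 ;;
            *) echo "cannot read $RECENT_PARAM (is xt_recent loaded?)" >&2 ;;
        esac
        return 1
    fi
}

# For the values in the answer (200 NEW connections per minute to port 80):
#   apply_rate_limit 80 60 200 | sh
```

Running `apply_rate_limit 80 60 200` on a host whose module keeps the default of 20 prints the explanation instead of the rules; after reloading xt_recent with a larger `ip_pkt_list_tot` (or lowering `--hitcount`) it prints the two rules, which can be piped into `sh`.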

Solution 2:

You can create an ipset. This way you can add as many IPs to the set as you need without modifying the iptables ruleset.

ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2

Or, in your case, use the output of your script, and read it with something like:

while read a; do ipset -A myset "$a"; done < <(your script here)

And then reference it in your iptables rules:

iptables -A INPUT -m set --set myset src -j DROP

Read the manpage for more details and options.

There are also other ways to mitigate a DDoS attack using iptables directly. Read the iptables manpage section about the connlimit and recent modules.
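An added example that is not code from the question or either answer: it turns the question's netstat pipeline into a function and feeds the result into an ipset the way Solution 2 describes. Compared with the one-liner it matches the port exactly (`grep :80` also matches `:8080`), skips the wildcard peer of LISTEN rows, keeps IPv6 peers intact and folds IPv4-mapped peers (`::ffff:a.b.c.d` on a dual-stack socket) back to IPv4 so they land in the IPv4 set. It prints the `ipset`/`iptables` commands (current `ipset create`/`ipset add` and `--match-set` spellings) rather than running them, so the output can be reviewed or piped into `sh`. The netstat sample, set names `blocked4`/`blocked6` and function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original question or answers. It rewrites
# the netstat pipeline as a function that matches the port exactly, handles
# IPv6 and IPv4-mapped peers, and emits ipset/iptables commands to review
# (or pipe into sh) instead of executing them directly.

# Constructed sample in "netstat -alpn" layout, embedded for offline runs.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 10.0.0.2:80             203.0.113.5:51001       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.2:80             203.0.113.5:51002       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.2:80             203.0.113.5:51003       TIME_WAIT   -
tcp        0      0 10.0.0.2:80             203.0.113.5:51004       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.2:80             198.51.100.7:40001      ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.2:8080           198.51.100.7:40002      ESTABLISHED 5678/app
tcp6       0      0 ::ffff:10.0.0.2:80      ::ffff:203.0.113.5:51005 ESTABLISHED 1234/nginx
tcp6       0      0 2001:db8::2:80          2001:db8::9:60001       ESTABLISHED 1234/nginx
tcp6       0      0 2001:db8::2:80          2001:db8::9:60002       ESTABLISHED 1234/nginx
tcp6       0      0 2001:db8::2:80          2001:db8::9:60003       ESTABLISHED 1234/nginx
tcp6       0      0 2001:db8::2:80          2001:db8::9:60004       ESTABLISHED 1234/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient'

# Usage: over_threshold PORT THRESHOLD   (netstat -an / -alpn output on stdin)
# Prints every peer address holding more than THRESHOLD TCP sockets to local
# port PORT, one per line, sorted.
over_threshold() {
    awk -v port="$1" -v thr="$2" '
        # TCP rows only; the local address must end in :PORT (":80" alone
        # would also match ":8080"); the wildcard peer of LISTEN rows is skipped.
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $5 !~ /:\*$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the peer port; safe for IPv6 too
            sub(/^::ffff:/, "", peer)   # IPv4-mapped peer on a dual-stack socket
            count[peer]++
        }
        END { for (ip in count) if (count[ip] > thr) print ip }
    ' | LC_ALL=C sort
}

# Usage: emit_block_cmds SET4 SET6   (addresses on stdin, one per line)
# Prints ipset commands that create the two sets and add each address. IPv6
# needs its own set because a set has one address family; -exist makes the
# output safe to re-run, e.g. from cron.
emit_block_cmds() {
    printf 'ipset create %s hash:ip -exist\n' "$1"
    printf 'ipset create %s hash:ip family inet6 -exist\n' "$2"
    while IFS= read -r ip; do
        case $ip in
            *:*) printf 'ipset add %s %s -exist\n' "$2" "$ip" ;;
            *)   printf 'ipset add %s %s -exist\n' "$1" "$ip" ;;
        esac
    done
}

# Usage: block_rules SET4 SET6
# Prints the one-time rules: drop packets from listed sources on INPUT and
# packets to them on OUTPUT, since the question asked for both directions.
block_rules() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
    printf 'iptables -I OUTPUT -m set --match-set %s dst -j DROP\n' "$1"
    printf 'ip6tables -I INPUT -m set --match-set %s src -j DROP\n' "$2"
    printf 'ip6tables -I OUTPUT -m set --match-set %s dst -j DROP\n' "$2"
}

# Dry run over the constructed sample with a low threshold so something shows:
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 80 3 | emit_block_cmds blocked4 blocked6
# On a real host, with the question's threshold of 200:
#   netstat -alpn | over_threshold 80 200 | emit_block_cmds blocked4 blocked6 | sh
```

Install the `block_rules` output once; only the `emit_block_cmds` step needs to be repeated, because re-running `-I` rules would stack duplicates in the chains. Two caveats for anyone running this unattended: netstat counts sockets, including TIME_WAIT ones, not HTTP requests, so keep-alive clients and many users behind one NAT address look different from what the threshold name suggests, and an address added this way stays in the set until it is removed (ipset `timeout` entries are one way to make the block expire).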