add script to enable/disable TCP SYN flood prevention on blockstack nodes

2026-04-29 04:05:24 +08:00 · 2016-11-23 13:07:43 -05:00
parent c301963d56
commit 3ea9a75765
1 changed files with 59 additions and 0 deletions
--- a/tools/linux_synflood.sh
+++ b/tools/linux_synflood.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# This script adds iptables rules that
+# limit the number of connections to Blockstack
+
+if [ -z "$1" ]; then 
+   echo >&2 "Usage: $0 enable/disable"
+   exit 1
+fi
+
+RULE_NAME="BLOCKSTACK_SYNFLOOD"
+
+case "$1" in
+   "enable")
+
+        PRESENT="$(iptables -L -v | grep "$RULE_NAME")"
+        if [ -n "$PRESENT" ]; then 
+           echo >&2 "Blockstack SYN flood rules appear to be installed already..."
+           exit 0
+        fi
+
+        # add the rule for 5/second SYN requests and max burst of 10.  Drop after that
+        iptables -N "$RULE_NAME"
+        iptables -A "$RULE_NAME" -m limit --limit 5/second --limit-burst 10 -j ACCEPT
+        iptables -A "$RULE_NAME" -j DROP
+        iptables -A "$RULE_NAME" -p tcp --syn --dport 6264 -j "$RULE_NAME"
+
+        # verify that it was installed 
+        PRESENT="$(iptables -L -v | grep "$RULE_NAME")"
+        if [ -z "$PRESENT" ]; then 
+           echo >&2 "Failed to enable rule $RULE_NAME.  Check iptables."
+           exit 1
+        fi
+        ;;
+
+    "disable")
+        
+        PRESENT="$(iptables -L -v | grep "$RULE_NAME")"
+        if [ -z "$PRESENT" ]; then
+           echo >&2 "Blockstack SYN flood rules appear to be disabled already..."
+           exit 0
+        fi
+
+        # disable rules 
+        iptables -D "$RULE_NAME" 1
+        iptables -D "$RULE_NAME" 1
+        iptables -D "$RULE_NAME" 1
+        iptables -X "$RULE_NAME"
+        ;;
+
+    *)
+
+       echo >&2 "Usage: $0 enable/disable"
+       exit 1
+  
+esac
+
+exit 0
+