syn ddos defence

2026-06-10 20:20:41 +03:00 · 2026-04-13 10:26:43 +03:00
parent 7f1f714e8c
commit 94b7d30c02
2 changed files with 30 additions and 1 deletions
@@ -37,6 +37,12 @@ let
          };
          systemd-boot.enable = lib.mkDefault false;
        };
+        kernel.sysctl = {
+          "net.ipv4.tcp_syncookies" = 1;
+          "net.ipv4.tcp_max_syn_backlog" = 4096;
+          "net.ipv4.tcp_synack_retries" = 3;
+          "net.ipv4.tcp_syn_retries" = 3;
+        };
      };

      services = {
@@ -67,7 +73,6 @@ let
          openFirewall = true;
        };
      };
-
      networking = {
        nameservers = [
          "1.1.1.1"
@@ -88,6 +93,28 @@ let
          enable = true;
          allowPing = true;
        };
+        nftables = {
+          enable = true;
+          ruleset = ''
+            table inet filter {
+              chain input {
+                type filter hook input priority 0;
+
+                # loopback
+                iif lo accept
+
+                # уже установленные
+                ct state established,related accept
+
+                # РЕЖЕМ SYN СРАЗУ
+                tcp flags syn tcp dport {80,443} limit rate 20/second burst 40 packets accept
+                tcp flags syn tcp dport {80,443} drop
+
+                # остальное по необходимости
+              }
+            }
+          '';
+        };
        enableIPv6 = true;
        interfaces.ens3 = {
          useDHCP = true;
@@ -98,6 +98,8 @@ in
      devenv

      # Test
+      rgx
+      net-tools
      # lazydocker
      # dtop
      # framework-tool-tui