Install (with sudo):

```sh
sudo apt update && sudo apt install iptables ipset netfilter-persistent ipset-persistent nftables git -y && git clone https://github.com/yuk1c/antiddos && cd antiddos && sudo bash antiddos-yuki && cd ..
```

Install (as root):

```sh
apt update && apt install iptables ipset netfilter-persistent ipset-persistent nftables git -y && git clone https://github.com/yuk1c/antiddos && cd antiddos && bash antiddos-yuki && cd ..
```
- Bash
- Ubuntu 20.04+ / [BETA] Debian 11+
- TCP SYN Flood
- TCP Out-Of-State Flood
- TCP SYN-ACK Flood/TCP Reflection
- Spoofed attacks
- UDP Flood
- ICMP Flood & PoD
- GREIP, ESP, AH, IGMP Floods
- Many sophisticated TCP attacks
- HANDSHAKE & Slowloris attacks
- Amplification DDoS
- Null Payload Flood
- Potential IPv6 simple attacks
- BitTorrent Amplification blocking
- SIP Scanning blocking
- SSLv2/SSLv3 HTTPS blocking
- HTTP Trace method blocking
- FTP SITE EXEC blocking
- SQLi Blocking
- Advanced Spoofing blocking
- DNS/NTP Filtering
- IP Option Filter
- HTTP Filter
- SSH Filter/Whitelist
- OpenVPN Filter/Whitelist
- IPtables proxying
- SYN/ACK Challenge
- Zero TTL Blocking
- SourcePort 1 or 0 Blocking
- STUN Blocking
Update the script:

```sh
cd ~/antiddos && git pull && sudo bash antiddos-yuki && cd
```
Uninstall (open INPUT, flush the ruleset and destroy the blacklist set):

```sh
sudo iptables-nft -P INPUT ACCEPT && sudo nft flush ruleset && sudo ipset destroy blacklist
```

After this, restore the original sysctl.conf from a backup and save the changes: sudo netfilter-persistent save
Save the current ruleset so it survives a reboot:

```sh
sudo netfilter-persistent save
```
Allow a port (or several; -m multiport accepts at most 15 ports):

```sh
sudo iptables-nft -I INPUT -p [tcp/udp] -m multiport --dports [port,port...] -j ACCEPT
```

Example (allows TCP to port 1194):

```sh
sudo iptables-nft -I INPUT -p tcp -m multiport --dports 1194 -j ACCEPT
```
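The port-allow command is easy to get wrong: a protocol other than tcp/udp, a port outside 1..65535, or more than the 15 ports that -m multiport accepts (a range a:b counts as two). The following POSIX sh helper is an added example, not part of antiddos-yuki; it validates a request and prints the exact iptables-nft command, assuming iptables-nft is installed as in the install step above.

```sh
#!/bin/sh
# Added helper (not part of antiddos-yuki): validate a port-allow request
# before it reaches iptables-nft. Assumes iptables-nft is installed.

# count_ports "22,80,8000:8100" -> number of multiport slots used.
# A range (a:b) counts as two ports toward the 15-port limit of -m multiport.
count_ports() {
    _n=0
    for _p in $(printf '%s' "$1" | tr ',' ' '); do
        case "$_p" in
            *:*) _n=$((_n + 2)) ;;
            *)   _n=$((_n + 1)) ;;
        esac
    done
    echo "$_n"
}

# valid_port 1194 -> 0 if the value is an integer in 1..65535, else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_allow_rule PROTO PORTS -> prints the iptables-nft command, or
# prints the reason to stderr and returns 1 if the request is unusable.
build_allow_rule() {
    _proto=$1; _ports=$2
    case "$_proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$_proto'" >&2; return 1 ;;
    esac
    case "$_ports" in
        ''|,*|*,|*,,*) echo "malformed port list '$_ports'" >&2; return 1 ;;
    esac
    [ "$(count_ports "$_ports")" -le 15 ] || {
        echo "-m multiport takes at most 15 ports; a range counts as two" >&2
        return 1; }
    # Check every port and every range endpoint individually.
    for _p in $(printf '%s' "$_ports" | tr ',:' '  '); do
        valid_port "$_p" || { echo "bad port '$_p'" >&2; return 1; }
    done
    echo "iptables-nft -I INPUT -p $_proto -m multiport --dports $_ports -j ACCEPT"
}
```

Run the printed command with sudo, then `sudo netfilter-persistent save` so the rule survives a reboot.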
❃ Issue/Question | ❃ Fix/Answer |
---|---|
Slow UDP network speed | Increase the UDP limit. |
Why doesn't the script help me? | You have a slow server, or you are under a volumetric DDoS attack. You might try lower limits and the optional rules (advanced ruleset). |
I allowed the needed port, but the service on it doesn't work. | Your service probably uses UDP. Try allowing the port on UDP as well. |
Can I view the stats of the rules? | Yes. Use the following command: sudo nft list ruleset |
Does this script work with complicated routing? | Not by default. To make it work, set rp_filter to 2 (see the sysctl tweaks). |
How can I start the script with automatic ruleset saving? | Use the --autosave argument. |
VPN doesn't work... | Determine the protocols and ports the VPN needs and allow them in the script with -A or -I, or, if you just want to apply them directly, run the iptables command. Do not forget to save the changes! |
How do I tune the script? | Check config.sh; it contains some variables. If you have good knowledge, you can tune the config for your needs to mitigate attacks a bit better. |
I have other problems, what should I do? | Open an issue or contact me via Telegram (@yuk1meow). |
The network doesn't work after I applied the script, what should I do? | If your network stops working after applying the script, try restarting your server. Avoid using the script on the same host again, as the root cause of the issue is unknown and may persist. |