We are using nginx as a public web server and need to do good common-sense
things to try to limit or prevent SYN floods and related types of
I’ve researched iptables extensively and have found a lot of info on how
to use it to limit SYN floods and so forth.
However, these articles do not explain how to apply these iptables
restrictions to public web servers that get very large amounts of
traffic. So I am hoping others here can share how they are using
iptables, because I am concerned that I will inadvertently block good
For instance, consider a case where a huge company has thousands of
employees who all share one public IP when accessing the internet.
Further, consider that everyone in the company gets an email that says
to go to our site and review some web pages.
In this scenario it is possible we could have a few thousand requests
coming in all at the same time from the same IP, but all be legitimate
requests. So I have to be very careful with the rules, which can try (if
possible?) to tell the difference between heavy traffic from the same IP
(as in this scenario) vs. some bot hammering on the server.
As another example, from the SYN flood iptables rules I’ve seen I can’t
tell whether it is possible to detect the difference between SYN packets
that are purposeful vs. a large number of SYN packets for new connections
that are rushing in but legitimate.
Also, as a side question: if a request comes in to nginx and nginx then
uses proxy_pass to talk to an external server that handles the request,
am I right to assume that as far as iptables is concerned this is an
INPUT and not a FORWARD? In the case where we only want the public to
access the nginx server, is there ever a case where we may legitimately
want to take FORWARD requests, or should these all be blocked?
I would GREATLY appreciate you sharing your thoughts on how to address
this and approaches you have taken that may apply in this case too.
For reference I am using the latest nginx 6 on Fedora 8 core.
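As an added example that is not part of the original post, the following shell script generates an iptables-restore ruleset addressing the two concerns raised above: a per-source SYN limit that is deliberately loose enough for a whole NAT'd office behind one IP, and a FORWARD chain that is simply dropped. It assumes a host whose only job is to run nginx (public interface `eth0`, ports 80/443, rate and burst values are illustrative assumptions, and the `websyn` hashlimit table name is invented). On such a host the connections nginx opens via proxy_pass are locally generated, so they traverse OUTPUT and their replies come back through INPUT as ESTABLISHED; FORWARD only ever sees packets routed through the box, which a pure proxy does not do.

```shell
#!/bin/sh
# Added example (not from the original post): SYN-flood mitigation for a
# public nginx host that must not cut off a large NAT'd office.
# Assumptions (hypothetical): public interface eth0, nginx on 80/443,
# a current iptables with the conntrack and hashlimit matches.

# Kernel side: SYN cookies protect the listen queue regardless of source IP
# and cost legitimate clients nothing, so they carry the real load here.
sysctl_settings() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
EOF
}

# Netfilter side. A per-source SYN limit cannot tell thousands of employees
# behind one NAT address from a bot; all it can do is bound the rate any
# single address gets. So the burst is large (the lunch-hour rush) and the
# sustained rate is what separates a flood from a spike. Excess SYNs are
# dropped, not the address banned, so a busy office degrades instead of
# disappearing. FORWARD is DROP: a proxy host routes nothing, and proxy_pass
# traffic is OUTPUT with ESTABLISHED replies on INPUT.
gen_rules() {
    syn_rate=${1:-200/second}   # sustained new-connection rate per source IP
    syn_burst=${2:-2000}        # SYNs one source may send before the rate applies
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -p tcp --syn -m multiport --dports 80,443 -j SYN_LIMIT
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A SYN_LIMIT -m hashlimit --hashlimit-name websyn --hashlimit-mode srcip --hashlimit-upto ${syn_rate} --hashlimit-burst ${syn_burst} -j RETURN
-A SYN_LIMIT -j DROP
COMMIT
EOF
}

# Apply on the real host as root; everything above is pure text until here.
apply_rules() {
    sysctl_settings | while IFS= read -r kv; do
        sysctl -w "$(printf '%s' "$kv" | tr -d ' ')"
    done
    gen_rules "$@" | iptables-restore
}

# Usage: ./synlimit.sh            -> print the ruleset for review
#        ./synlimit.sh apply      -> apply with the defaults
#        ./synlimit.sh apply 100/second 1000
case "${1:-show}" in
    show)  gen_rules ;;
    apply) shift; apply_rules "$@" ;;
esac
```

Review the generated text before applying it: the SYN_LIMIT chain returns to INPUT for SYNs within the per-source budget, where the next rule accepts them, and everything else new on the public interface falls through to the DROP policy. Tune the rate and burst from observed traffic; a value that throttles a real office announcement is the symptom the post worries about, and the fix is a larger burst, not a smarter rule, because nothing in the SYN itself reveals intent.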