Continuing the discussion from SYNPROXY connections fail on IPFire:
Hi Michael,
In my (ongoing) SYN flood attack my server is being sent SYN packets with a spoofed source address, which obviously don’t get the SYN-ACK reply because they are being sent from a foreign address. I have been getting up to 70,000 of these per day and have managed to block them with iptables so far, but now the spoofed addresses are from /17 net blocks and the block list has become unmanageable.
I have enabled SYNPROXY on my Debian server, which is blocking the unreplied connection attempts at the server, but since I am port forwarding from my firewall the connections are still being made to IPFire first. If I can enable SYNPROXY in IPFire, the bogus connections should be rejected at the firewall.
The details for enabling SYNPROXY on Debian are here:
https://www.dbsysnet.com/2019/02/homemade-ddos-protection-using-iptables-synproxy
but this failed to forward any genuine SMTP packets through the firewall when I applied the above commands to IPFire, although I did confirm that SYNPROXY was enabled OK.
I am pretty sure that the problem is caused by a conntrack/NAT conflict as advised here:
but I am not sure how the rules in this article should be applied to IPFire.
I am fairly confident that if suitable INPUT/PREROUTING can be applied it should work OK.
If you have any ideas, I would be more than happy to test them here.
Thank you
Rob