I've got a possible DNS flood attack solution for Trixie Debian 12 and iptables that I pieced together from a couple of sources.

A GIANT caveat here... I am far from an expert with iptables! YOUR MILEAGE MAY VARY!!! Back up your current iptables rule set before you start!!!! Before I started, I already had xtables-addons-common installed to be able to use tarpit. They both use dkms to build these modules. It takes a while for the kernel to rebuild, and remembering back to the '90s, if the kernel failed to rebuild your system was dead!! Since the beginning of the new millennium things seem to go a lot smoother, but messing with the kernel can still be dangerous.

YOU HAVE BEEN WARNED!

https://daenney.github.io/2017/01/07/geoip-filtering-iptables/

I got the bash script to allow geoip to work with iptables. The script had different locations for two files, but using locate I found them, modified the script, and it worked like a champ. The commented lines near the bottom contain the original file locations, with my altered locations below.

#!/bin/bash
## /etc/cron.weekly/geoip ##
set -euo pipefail

# dpkg -l exits non-zero when a package is unknown, so relax -e while probing.
# -y keeps apt from prompting when this runs unattended from cron.
set +e
if ! dpkg -l xtables-addons-common >/dev/null 2>&1; then
    apt install -y xtables-addons-common
fi
if ! dpkg -l libtext-csv-xs-perl >/dev/null 2>&1; then
    apt install -y libtext-csv-xs-perl
fi
set -e

# Destination directory for the compiled geoip database.
if [ ! -d /usr/share/xt_geoip ]; then
    mkdir /usr/share/xt_geoip
fi

# Download into a scratch directory; the CSV list is deliberately left
# unquoted below so xt_geoip_build receives the two paths as separate arguments.
geotmpdir=$(mktemp -d)
csv_files="${geotmpdir}/GeoIPCountryWhois.csv ${geotmpdir}/GeoIPv6.csv"
OLDPWD="${PWD}"
cd "${geotmpdir}"

### /usr/lib/xtables-addons/xt_geoip_dl ## for trixie on next line
/usr/libexec/xtables-addons/xt_geoip_dl

### /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip ${csv_files} ## for trixie on next line
/usr/libexec/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip ${csv_files}

# Return to the starting directory and remove the scratch directory
# (two separate commands; they must not be run together on one line).
cd "${OLDPWD}"
rm -r "${geotmpdir}"
exit 0

Then I added the rules that I found at:

https://www.reddit.com/r/debian/comments/1brua2c/dns_flood_attack/

about halfway down the page:

# tcp
-A INPUT -p tcp -m tcp --dport 53 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m hashlimit --hashlimit-above 6/second --hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-srcmask 12 --hashlimit-htable-expire 120000 --hashlimit-name dnstcplimit -j DROP
-A INPUT -p tcp -m tcp --dport 53 -m geoip --src-cc US,CA -m limit --limit 128/second -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m limit --limit 16/second -j ACCEPT

# udp
-A INPUT -p udp -m udp --dport 53 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -m hashlimit --hashlimit-above 24/second --hashlimit-burst 32 --hashlimit-mode srcip --hashlimit-srcmask 12 --hashlimit-htable-expire 120000 --hashlimit-name dnsudplimit -j DROP
-A INPUT -p udp -m udp --dport 53 -m geoip --src-cc US,CA -m limit --limit 512/second -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m limit --limit 64/second -j ACCEPT
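To make the hashlimit rules above concrete, here is an added example (my own, not from the post or the linked pages) that models the UDP DROP rule as a per-prefix token bucket: above 24/second, burst 32, srcmask 12. The addresses and the packet trace are constructed, and the bucket logic is a simplification of netfilter's hashlimit; it shows that --hashlimit-srcmask 12 makes every source in the same /12 share one counter, so a quiet neighbour of a flooder is dropped with it until the bucket refills.

```python
import ipaddress


class HashLimit:
    """Simplified token-bucket model of iptables hashlimit with
    --hashlimit-mode srcip. Constructed for illustration, not netfilter's code."""

    def __init__(self, rate_per_sec, burst, srcmask, expire_s=120.0):
        self.rate = rate_per_sec   # --hashlimit-above N/second
        self.burst = burst         # --hashlimit-burst
        self.srcmask = srcmask     # --hashlimit-srcmask: one bucket per /srcmask prefix
        self.expire = expire_s     # --hashlimit-htable-expire (ms on the page; seconds here)
        self.buckets = {}          # prefix -> (credits, last_seen)

    def _key(self, src):
        # Every address in the same /srcmask prefix maps to the same bucket.
        return str(ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False))

    def above(self, src, t):
        """True when this packet exceeds the limit, i.e. the DROP rule matches."""
        key = self._key(src)
        credits, last = self.buckets.get(key, (float(self.burst), t))
        if t - last > self.expire:          # stale entry: start with a full bucket
            credits, last = float(self.burst), t
        credits = min(self.burst, credits + (t - last) * self.rate)  # refill
        if credits >= 1:
            self.buckets[key] = (credits - 1, t)
            return False
        self.buckets[key] = (credits, t)
        return True


def replay(limiter, packets):
    """packets: list of (time_s, src_ip). Returns the verdict for each packet."""
    return ["DROP" if limiter.above(src, t) else "ACCEPT" for t, src in packets]


# Constructed trace: a flooder sends 40 queries at once, then a neighbour in the
# same /12, a client in another /12, and the neighbour again two seconds later.
TRACE = [(0.0, "203.0.113.5")] * 40 + [
    (0.0, "203.0.113.200"),   # same /12 as the flooder: shares its bucket
    (0.0, "198.51.100.7"),    # different /12: its own bucket
    (2.0, "203.0.113.200"),   # bucket refilled (2 s * 24/s exceeds burst 32)
]


def demo():
    lim = HashLimit(rate_per_sec=24, burst=32, srcmask=12)
    return replay(lim, TRACE)
```

Running demo() accepts the first 32 flood packets, drops the remaining 8 and the neighbour's query at t=0, accepts the other /12's query, and accepts the neighbour again at t=2.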

iptables no longer complained about geoip, and the portion added to my iptables -L output looks like this:

ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:domain
DROP       tcp  --  anywhere             anywhere             state NEW tcp dpt:domain limit: above 6/sec burst 8 mode srcip htable-expire 120000 srcmask 12
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain -m geoip --source-country US,CA  limit: avg 128/sec burst 5
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain limit: avg 16/sec burst 5
ACCEPT     udp  --  192.168.2.0/24       anywhere             udp dpt:domain
DROP       udp  --  anywhere             anywhere             state NEW udp dpt:domain limit: above 24/sec burst 32 mode srcip htable-expire 120000 srcmask 12
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain -m geoip --source-country US,CA  limit: avg 526/sec burst 5
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain limit: avg 64/sec burst 5