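#!/bin/bash
# anti_ddos PORT RATE BURST [TTL [CONN_MAX]]
#
# Rate-limits new TCP connections (SYN packets) to PORT per source IP using
# the iptables hashlimit match. Creates a dedicated chain DDOS_CHECK_<PORT>,
# fills it with an ACCEPT-within-limit rule followed by an unconditional DROP,
# and only then hooks it from INPUT, so there is no window in which the chain
# is reachable but still empty.
#
# @param $1: PORT      TCP port; e.g.: 80.
# @param $2: RATE      New connections allowed per source IP, in hashlimit
#                      syntax (e.g. 25/sec, 100/min, 1000/day).
# @param $3: BURST     Initial burst of connections a single source IP may
#                      make before RATE applies (--hashlimit-burst).
# @param $4: TTL       Optional. Hash-table entry timeout in ms (default: 30000).
# @param $5: CONN_MAX  Optional. Maximum entries in the hash table, i.e. how
#                      many source IPs are tracked at once (default: 65000).
#
# Returns 0 on success. Returns 2 and prints usage on stderr when PORT, RATE
# or BURST is missing (a silent no-op that reported success before). Returns
# the exit status of the first failing iptables command; the previous
# `[ $RET -eq 0 ] && RET=$?` idiom captured the status of the test itself,
# so a failed ACCEPT or DROP insert was reported as success. If a rule insert
# fails after the chain was created, the chain is flushed and deleted so the
# ruleset is not left half-applied (an empty chain falls through to INPUT,
# i.e. fails open).
#
# Caveats: the INPUT hook is appended (-A), so an earlier ACCEPT rule for the
# port in INPUT bypasses it entirely; must run as root; needs the xt_hashlimit
# module. `--hashlimit` is the legacy spelling of `--hashlimit-upto`, kept for
# older iptables releases.
anti_ddos () {
  local port=$1
  local rate=$2
  local burst=$3
  local ttl=${4:-30000}
  local conn_max=${5:-65000}
  local chain
  local rc

  if [[ -z "$port" || -z "$rate" || -z "$burst" ]]; then
    printf 'usage: anti_ddos PORT RATE BURST [TTL [CONN_MAX]]\n' >&2
    return 2
  fi

  chain="DDOS_CHECK_${port}"

  # A pre-existing chain (e.g. the function already ran for this port) makes
  # -N fail; stop here rather than appending duplicate rules to it.
  iptables -N "$chain" || return $?

  # Within RATE/BURST per source IP -> ACCEPT ...
  iptables -A "$chain" \
    -m hashlimit --hashlimit "$rate" \
    --hashlimit-burst "$burst" --hashlimit-mode srcip \
    --hashlimit-name "DDOSport${port}" \
    --hashlimit-htable-expire "$ttl" \
    --hashlimit-htable-max "$conn_max" \
    -j ACCEPT
  rc=$?

  # ... anything over the limit -> DROP. Without this terminal rule the chain
  # would return to INPUT and the limit would be a no-op.
  if [[ $rc -eq 0 ]]; then
    iptables -A "$chain" -j DROP
    rc=$?
  fi

  if [[ $rc -ne 0 ]]; then
    # Do not leave an empty or half-built chain behind.
    iptables -F "$chain"
    iptables -X "$chain"
    return "$rc"
  fi

  # Hook the fully populated chain from INPUT last.
  iptables -A INPUT -p tcp --syn --dport "$port" -j "$chain"
}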