It makes no sense at all to add these permanently to your firewall, since an attack usually only lasts a couple of hours/days. After the attack subsides, remove the rules by
iptables -D INPUT -s IP#1 -j DROP
iptables -D INPUT -s IP#2 -j DROP
iptables -D INPUT -s IP#3 -j DROP
If you need logging, you may want to insert additional rules to log the dropped packets. Note that a firewall will not help in defending against a 'real' DDoS attack; this must be stopped at your uplink.
I got the following from the Packet Filtering HOWTO, by Rusty Russell. You may need to filter the INPUT chain as well, to protect your own machine(s). USE AT YOUR OWN RISK!!!

#------------------------------------------------------#
# LOG Syn-flood Denial of Service attempts - 10 per hour
iptables -A FORWARD -p tcp --syn -m limit --limit 10/h \
    -j LOG --log-prefix 'Syn-flood attack??? '
# Syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Furtive Port Scanner attempts - 10 per hour
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner attack??? '
# Port Scanner protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Ping of Death Denial of Service attempts - 10 per hour
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death attack??? '
# Ping of Death protection
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# NOTE: each "protection" ACCEPT above only takes effect if a later rule
# (or the chain policy) DROPs the packets that exceed the limit; otherwise
# the over-limit packets simply fall through to the next rule.

Regards - Keith Roberts
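The two posts above describe one procedure: block the attacking sources for the duration of the attack, remove the blocks afterwards, and (optionally) rate-limit SYN, RST-only and echo-request traffic with the limit match. The script below is an added example, not code from either post or from the HOWTO. It keeps the temporary blocks in a dedicated chain (the chain name DDOS_TMP is a constructed placeholder) so that cleanup is a flush rather than a set of hand-typed -D lines, and it emits the rate-limit rules with the DROP that each one needs. IPTABLES can be overridden (for instance IPTABLES=echo) to print the rules instead of loading them; by default it calls the real iptables binary and must run as root.

```shell
#!/bin/sh
# Added example (not from the list posts or the HOWTO): temporary per-source
# blocks that are easy to remove later, plus the HOWTO-style rate-limit rules
# with the DROP each one needs to be effective.
# Assumptions: a dedicated chain named DDOS_TMP (constructed name), and that
# IPTABLES may be overridden (e.g. IPTABLES=echo) for a dry run.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-DDOS_TMP}"

# Create the chain once and hook it at the top of INPUT. Keeping all temporary
# attack rules in one chain means cleanup is a flush, not a hunt for -D lines.
ddos_chain_setup() {
    $IPTABLES -N "$CHAIN"
    $IPTABLES -I INPUT 1 -j "$CHAIN"
}

# Block each attacking source given as an argument. The LOG rule is itself
# rate-limited so a flood cannot fill the log; the DROP follows it.
ddos_block() {
    for ip in "$@"; do
        $IPTABLES -A "$CHAIN" -s "$ip" -m limit --limit 10/h \
            -j LOG --log-prefix "DDoS drop $ip: "
        $IPTABLES -A "$CHAIN" -s "$ip" -j DROP
    done
}

# After the attack subsides: flush the chain, unhook it from INPUT, delete it.
ddos_cleanup() {
    $IPTABLES -F "$CHAIN"
    $IPTABLES -D INPUT -j "$CHAIN"
    $IPTABLES -X "$CHAIN"
}

# Rate-limit rules in a usable order: accept traffic within the limit, log a
# sample of the excess, then DROP the excess. Without the final DROP the
# over-limit packets would just fall through to the next rule.
ddos_ratelimit() {
    chain="${1:-INPUT}"
    # SYN flood: 1 new connection/s on average (iptables' default burst of 5)
    $IPTABLES -A "$chain" -p tcp --syn -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A "$chain" -p tcp --syn -m limit --limit 10/h \
        -j LOG --log-prefix "Syn-flood: "
    $IPTABLES -A "$chain" -p tcp --syn -j DROP
    # Stealth-scan probes: RST-only segments arriving faster than 1/s
    $IPTABLES -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
        -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
        -m limit --limit 10/h -j LOG --log-prefix "Port scan: "
    $IPTABLES -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
    # Ping flood: echo requests above 1/s
    $IPTABLES -A "$chain" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A "$chain" -p icmp --icmp-type echo-request \
        -m limit --limit 10/h -j LOG --log-prefix "Ping flood: "
    $IPTABLES -A "$chain" -p icmp --icmp-type echo-request -j DROP
}

# Usage: ddos.sh setup | block IP... | ratelimit [CHAIN] | cleanup
case "${1:-}" in
    setup)     ddos_chain_setup ;;
    block)     shift; ddos_block "$@" ;;
    ratelimit) ddos_ratelimit "${2:-INPUT}" ;;
    cleanup)   ddos_cleanup ;;
esac
```

Two caveats a practitioner should keep in mind: the limit match here is global, not per source, so 1/s of SYNs is a ceiling on all new connections to the box and is far too low for anything but a lightly used host (raise --limit and add --limit-burst to taste); and, as the first post says, none of this helps once the link itself is saturated.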