<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">On CentOS 5 and CentOS 6<br>
<br>
modifying this line:<br>
</font></font>iptables -A QUERY-CHECK -m hashlimit
--hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above
2/second -j QUERY-BLOCK<br>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
<br>
should mimic the same behaviour<br>
</font></font><br>
On 22/02/2012 18:43, Geoff Goas wrote:
<blockquote
cite="mid:CAB8_CqK=EzEP5wTJ-=PmF20XEeF-rf6Ga04yNqT4WphOTm0NPg@mail.gmail.com"
type="cite">Hi,<br>
<br>
On CentOS 5.5, <i style="font-family:courier new,monospace">--hashlimit-above</i>
is not a valid option for the "hashlimit" match. Which version of
iptables introduces this, and how can I mimic that same ruleset
with the options available to me in version 1.3.5 of iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On Fri, Jan 20, 2012 at 7:51 PM, John <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:lists.cod@nuclearfallout.net">lists.cod@nuclearfallout.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im"> On 1/20/2012 3:27 PM, Marco Padovan wrote:
</div>
<blockquote type="cite"><font size="-1"><font face="Verdana">
<div class="im">I was referring to dynamic filtering
using -m recent<br>
<br>
</div>
[not] to manually adding IPs O.o</font></font></blockquote>
<br>
Marco's right about this. The most effective way to prevent
effects from these attacks on Linux is to use a combination
of the "string", "hashlimit", and "recent" modules. Done
right, the solution is mostly automatic, so you shouldn't
need to manually add IPs.<br>
<br>
These commands, for instance, would block external IPs that
send queries at a rate of 2/second or higher:<br>
<br>
# add a host to the banlist and then drop the packet.<br>
iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts
-j DROP<br>
<br>
# is this a query packet? if so, block commonly attacked
ports outright, <br>
# then see if it's a known attacking IP, then see if it is
sending at a high<br>
# rate and should be added to the list of known attacking
IPs.<br>
iptables -N QUERY-CHECK<br>
iptables -A QUERY-CHECK -p udp -m string ! --string
"getstatus" --algo bm --from 32 --to 41 -j RETURN<br>
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
# is it already blocked? continue blocking it and update the
counter so it<br>
# gets blocked for at least another 30 seconds.<br>
iptables -A QUERY-CHECK -m recent --update --name
blocked-hosts --seconds 30 --hitcount 1 -j DROP<br>
# check to see if it exceeds our rate threshold,<br>
# and add it to the list if it does.<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit-above 2/second -j
QUERY-BLOCK<br>
<br>
# look at all the packets going to q3/cod*/et/etc servers<br>
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
<br>
The "recent" module makes it possible to block up to 100 IPs
at once with this method (any attackers beyond this would
only be rate-limited). That number can be raised when the
module is loaded, but I haven't seen 100 attacks happening
at once yet (typically it's maybe 5-20 at once). You can see
blocked hosts later by looking at
/proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have "recent", you could get away without it
-- just be aware that some of the packets will get through,
increasing load on the game server. Without "hashlimit",
you'd still see an advantage from the port checks, but you'd
need to manually block IPs that are being hit on other
ports. Without "string", you'd similarly be down to just
port checks, and need to take out the other rules.)<span
class="HOEnZb"><font color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true" href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff
Goas</span><br style="font-family:tahoma,sans-serif">
<span style="font-family:tahoma,sans-serif">Systems Engineer</span></font></b></i><br>
<br>
<br>
</blockquote>
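<br>
Added example (not code from any of the messages above): a POSIX sh script that emits John's QUERY-CHECK / QUERY-BLOCK ruleset in iptables-restore format and picks the hashlimit syntax by iptables version, using Marco's two-rule form (<tt>--hashlimit RATE -j RETURN</tt> followed by an unconditional jump to QUERY-BLOCK) where <tt>--hashlimit-above</tt> is not available. The old <tt>--hashlimit</tt> option matches packets that are still within the rate (a token is available), so returning on match and blocking everything else is the inverse test that <tt>--hashlimit-above</tt> performs in one rule; both forms use hashlimit's default burst of 5. The function names <tt>version_ge</tt>, <tt>hashlimit_check_rules</tt>, <tt>query_filter_ruleset</tt> and <tt>installed_version</tt>, and the 1.4.3 version cutoff, are this example's own assumptions, not anything the thread states; the rate, ports, string offsets and chain names are the thread's.<br>

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the QUERY-CHECK / QUERY-BLOCK
# ruleset from the thread in iptables-restore format, choosing the hashlimit
# syntax the installed iptables understands (two-rule form on old versions).

# version_ge A B: true if dotted version A is >= B, compared field by field.
version_ge() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$2" ]
}

# Version from which this script assumes --hashlimit-above is accepted. The
# cutoff is an assumption (the kernel also needs xt_hashlimit revision 1);
# confirm on a given box with:  iptables -m hashlimit --help
HASHLIMIT_ABOVE_MIN=1.4.3

# hashlimit_check_rules VERSION RATE: the rate-threshold step of QUERY-CHECK.
#  new syntax: --hashlimit-above matches packets OVER the rate -> QUERY-BLOCK
#  old syntax: --hashlimit matches packets WITHIN the rate (token available),
#              so RETURN on match and send everything else to QUERY-BLOCK.
# Both forms use the default burst of 5, so they admit the same packets.
# An empty VERSION (iptables not found) falls back to the old, portable form.
hashlimit_check_rules() {
    version=$1; rate=$2
    if version_ge "$version" "$HASHLIMIT_ABOVE_MIN"; then
        printf '%s\n' "-A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above $rate -j QUERY-BLOCK"
    else
        printf '%s\n' "-A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit $rate -j RETURN"
        printf '%s\n' "-A QUERY-CHECK -j QUERY-BLOCK"
    fi
}

# query_filter_ruleset VERSION RATE: complete *filter fragment for
# iptables-restore. Chain names, ports and offsets are the thread's.
query_filter_ruleset() {
    cat <<EOF
*filter
:QUERY-BLOCK - [0:0]
:QUERY-CHECK - [0:0]
-A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
-A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
-A QUERY-CHECK -p udp --sport 0:1025 -j DROP
-A QUERY-CHECK -p udp --sport 3074 -j DROP
-A QUERY-CHECK -p udp --sport 7777 -j DROP
-A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
-A QUERY-CHECK -p udp --sport 25200 -j DROP
-A QUERY-CHECK -p udp --sport 25565 -j DROP
-A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
EOF
    hashlimit_check_rules "$1" "$2"
    cat <<EOF
-A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
COMMIT
EOF
}

# installed_version: "1.4.7" from "iptables v1.4.7"; empty if iptables is absent.
installed_version() {
    iptables --version 2>/dev/null | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# Apply once, as root (--noflush keeps unrelated INPUT rules; re-running would
# append a second INPUT jump, while the two custom chains are flushed/reloaded):
#   query_filter_ruleset "$(installed_version)" 2/second | iptables-restore --noflush
```

Running <tt>query_filter_ruleset 1.3.5 2/second</tt> shows the two-rule ending Marco describes; with <tt>1.4.7</tt> (CentOS 6) it emits John's single <tt>--hashlimit-above</tt> rule. Review the output before piping it into iptables-restore.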
</body>
</html>