<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">Ehm,<br>
nope :D<br>
<br>
You need all the lines John posted:<br>
<br>
</font></font><a
href="http://icculus.org/pipermail/cod/2012-January/015861.html">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
<br>
To make it work on centos5 / 6, change this line of that ruleset:<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
</font></font><br>
<font size="-1"><font face="Verdana">all the other rules should be
kept as they are :)<br>
</font></font><br>
On 23/02/2012 13:10, escapedturkey wrote:
<blockquote
cite="mid:CALCvV0w-6gL0FxbwCrioKxFB3FRfBMfu_k04=ksmOd9wzGi_8g@mail.gmail.com"
type="cite">
<div>Thank you. I missed those lines.<br>
</div>
<div><br>
</div>
<div>Here is what I have so far:</div>
<div><br>
</div>
<div>/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name
blocked-hosts -j DROP<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode
srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div>
<div><br>
</div>
<div>Is this correct? </div>
<div><br>
</div>
<div>Thank you again. =)</div>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 5:32 AM, Marco
Padovan <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font
face="Verdana">did you issue all the other commands?<br>
<br>
like:<br>
<br>
</font></font>
<div class="im">iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name
blocked-hosts -j DROP<br>
<br>
</div>
?<br>
<br>
On 23/02/2012 03:54, escapedturkey wrote:
<div>
<div class="h5">
<blockquote type="cite">
<div>iptables v1.4.7: Couldn't load target
`QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so:
cannot open shared object file: No such file or
directory<br>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<br>
<br>
<div class="gmail_quote"> On Wed, Feb 22, 2012 at 4:51
PM, Marco Padovan <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font
size="-1"><font face="Verdana">on centos5 and
centos6<br>
<br>
modifying this line:<br>
</font></font>
<div>iptables -A QUERY-CHECK -m hashlimit
--hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit-above 2/second -j
QUERY-BLOCK<br>
</div>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit
--hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
<br>
should mimic the same behaviour<br>
</font></font><br>
On 22/02/2012 18:43, Geoff Goas wrote:
<div>
<div>
<blockquote type="cite">Hi,<br>
<br>
On CentOS 5.5, <i
style="font-family:courier
new,monospace">--hashlimit-above</i> is
not a valid option for the "hashlimit"
match. Which version of iptables
introduces this, and how can I mimic that
same ruleset with the options available to
me in version 1.3.5 of iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On Fri, Jan 20,
2012 at 7:51 PM, John <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:lists.cod@nuclearfallout.net"
target="_blank">lists.cod@nuclearfallout.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 1/20/2012 3:27 PM, Marco
Padovan wrote: </div>
<blockquote type="cite"><font
size="-1"><font face="Verdana">
<div>I was referring to
dynamic filtering using -m
recent<br>
<br>
</div>
[not] to manually adding IPs
O.o</font></font></blockquote>
<br>
Marco's right about this. The most
effective way to prevent effects
from these attacks on Linux is to
use a combination of the "string",
"hashlimit", and "recent" modules.
Done right, the solution is mostly
automatic, so you shouldn't need to
manually add IPs.<br>
<br>
These commands, for instance, would
block external IPs that send queries
at a rate of 2/second or higher:<br>
<br>
# add a host to the banlist and then
drop the packet.<br>
iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent
--set --name blocked-hosts -j DROP<br>
<br>
# is this a query packet? if so,
block commonly attacked ports
outright, <br>
# then see if it's a known attacking
IP, then see if it is sending at a
high<br>
# rate and should be added to the
list of known attacking IPs.<br>
iptables -N QUERY-CHECK<br>
iptables -A QUERY-CHECK -p udp -m
string ! --string "getstatus" --algo
bm --from 32 --to 41 -j RETURN<br>
iptables -A QUERY-CHECK -p udp
--sport 0:1025 -j DROP<br>
iptables -A QUERY-CHECK -p udp
--sport 3074 -j DROP<br>
iptables -A QUERY-CHECK -p udp
--sport 7777 -j DROP<br>
iptables -A QUERY-CHECK -p udp
--sport 27015:27100 -j DROP<br>
iptables -A QUERY-CHECK -p udp
--sport 25200 -j DROP<br>
iptables -A QUERY-CHECK -p udp
--sport 25565 -j DROP<br>
# is it already blocked? continue
blocking it and update the counter
so it<br>
# gets blocked for at least another
30 seconds.<br>
iptables -A QUERY-CHECK -m recent
--update --name blocked-hosts
--seconds 30 --hitcount 1 -j DROP<br>
# check to see if it exceeds our
rate threshold,<br>
# and add it to the list if it does.<br>
iptables -A QUERY-CHECK -m hashlimit
--hashlimit-mode srcip
--hashlimit-name getstatus
--hashlimit-above 2/second -j
QUERY-BLOCK<br>
<br>
# look at all the packets going to
q3/cod*/et/etc servers<br>
iptables -A INPUT -p udp --dport
27960:29000 -j QUERY-CHECK<br>
<br>
The "recent" module makes it
possible to block up to 100 IPs at
once with this method (any attackers
beyond this would only be
rate-limited). That number can be
raised when the module is loaded,
but I haven't seen 100 attacks
happening at once yet (typically
it's maybe 5-20 at once). You can
see blocked hosts later by looking
at
/proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have "recent", you
could get away without it -- just be
aware that some of the packets will
get through, increasing load on the
game server. Without "hashlimit",
you'd still see an advantage from
the port checks, but you'd need to
manually block IPs that are being
hit on other ports. Without
"string", you'd similarly be down to
just port checks, and need to take
out the other rules.)<span><font
color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true"
href="mailto:cod@icculus.org"
target="_blank">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span
style="font-family:tahoma,sans-serif">Geoff
Goas</span><br
style="font-family:tahoma,sans-serif">
<span
style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
</blockquote>
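<p>The ruleset this thread converges on, with the hashlimit step chosen by iptables version, as an added example script: it is not John's, Marco's or any other list member's code. It assumes a dry-run variable <code>IPT</code> that defaults to <code>echo</code> (set it to a real iptables binary to load the rules), and a helper <code>hashlimit_above_supported</code> that treats every 1.4.x or later build as having <code>--hashlimit-above</code>; the thread only confirms that 1.3.5 lacks the option and 1.4.7 has it, so the cut-off is this example's assumption. The chains are created before anything jumps to them, which is what the "Couldn't load target" error in the thread was about.</p>

```shell
#!/bin/sh
# Added example (not from the thread): emit John's QUERY-CHECK ruleset using
# whichever hashlimit form the local iptables understands. IPT defaults to
# echo (dry run); set IPT=/sbin/iptables and run as root to apply for real.
IPT="${IPT:-echo}"

# Exit 0 when this iptables version has --hashlimit-above.
# Assumption: every 1.4.x or later build has it (the thread shows it missing
# in 1.3.5 on CentOS 5.5 and present in 1.4.7 on CentOS 6). Anything that
# does not parse as a version is treated as old, since the two-rule form
# works on both.
hashlimit_above_supported() {
    v="${1##*v}"             # accepts "1.3.5" or the output of "iptables -V"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 4 ]; }
}

# Rate-limit step: a source IP sending getstatus above 2/s goes to
# QUERY-BLOCK, either directly (--hashlimit-above) or, on older builds,
# by letting the in-limit packets RETURN and blocking whatever is left.
rate_limit_rules() {
    if hashlimit_above_supported "$1"; then
        $IPT -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip \
            --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK
    else
        $IPT -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip \
            --hashlimit-name getstatus --hashlimit 2/s -j RETURN
        $IPT -A QUERY-CHECK -j QUERY-BLOCK
    fi
}

# The complete ruleset from John's post, in load order: a chain must exist
# before a rule can jump to it.
query_check_rules() {
    ver="$1"
    # blocklist chain: remember the source in the "recent" table, then drop
    $IPT -N QUERY-BLOCK
    $IPT -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

    $IPT -N QUERY-CHECK
    # anything that is not a getstatus query leaves the chain untouched
    $IPT -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm \
        --from 32 --to 41 -j RETURN
    # queries claiming these commonly attacked source ports are dropped outright
    for sport in 0:1025 3074 7777 27015:27100 25200 25565; do
        $IPT -A QUERY-CHECK -p udp --sport "$sport" -j DROP
    done
    # already blocked? keep dropping and extend the block by another 30 s
    $IPT -A QUERY-CHECK -m recent --update --name blocked-hosts \
        --seconds 30 --hitcount 1 -j DROP
    rate_limit_rules "$ver"
    # hand every packet for the q3/cod/et port range to the chain
    $IPT -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
}

# usage: sh getstatus-rules.sh "$(iptables -V)"
if [ $# -gt 0 ]; then
    query_check_rules "$1"
fi
```

<p>Run it with the output of <code>iptables -V</code> as its argument to print the rules it would load, and with <code>IPT=/sbin/iptables</code> in the environment (as root) to apply them. John's caveats about the "recent" module (100 entries by default, blocked hosts visible in /proc/net/xt_recent/blocked-hosts) apply unchanged.</p>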
</body>
</html>