<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font size="-1"><font face="Verdana">Ehm,<br>
        nope :D<br>
        <br>
        You need all the lines John posted:<br>
        <br>
      </font></font><a
      href="http://icculus.org/pipermail/cod/2012-January/015861.html">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
    <br>
    To make it work on centos5 / 6, change this line in that ruleset:<br>
    iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
    --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
    <font size="-1"><font face="Verdana"><br>
        in this way (two different lines):<br>
        iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
        --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
        iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
      </font></font><br>
    <font size="-1"><font face="Verdana">all the other rules should be
        kept as they are :)<br>
      </font></font><br>
    On 23/02/2012 13:10, escapedturkey wrote:
    <blockquote
cite="mid:CALCvV0w-6gL0FxbwCrioKxFB3FRfBMfu_k04=ksmOd9wzGi_8g@mail.gmail.com"
      type="cite">
      <div>Thank you. I missed those lines.<br>
      </div>
      <div><br>
      </div>
      <div>Here is what I have so far:</div>
      <div><br>
      </div>
      <div>/sbin/iptables -N QUERY-BLOCK<br>
        /sbin/iptables -A QUERY-BLOCK -m recent --set --name
        blocked-hosts -j DROP<br>
        /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode
        srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
        /sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div>
      <div><br>
      </div>
      <div>Is this correct?&nbsp;</div>
      <div><br>
      </div>
      <div>Thank you again. =)</div>
      <br>
      <div class="gmail_quote">On Thu, Feb 23, 2012 at 5:32 AM, Marco
        Padovan <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font
                face="Verdana">did you issue all the other commands?<br>
                <br>
                like:<br>
                <br>
              </font></font>
            <div class="im">iptables -N QUERY-BLOCK<br>
              iptables -A QUERY-BLOCK -m recent --set --name
              blocked-hosts -j DROP<br>
              <br>
            </div>
            ?<br>
            <br>
            On 23/02/2012 03:54, escapedturkey wrote:
            <div>
              <div class="h5">
                <blockquote type="cite">
                  <div>iptables v1.4.7: Couldn't load target
                    `QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so:
                    cannot open shared object file: No such file or
                    directory<br>
                  </div>
                  <div><br>
                  </div>
                  <div>Any ideas?</div>
                  <br>
                  <br>
                  <div class="gmail_quote"> On Wed, Feb 22, 2012 at 4:51
                    PM, Marco Padovan <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"> <font
                          size="-1"><font face="Verdana">on centos5 and
                            centos6<br>
                            <br>
                            modifying this line:<br>
                          </font></font>
                        <div>iptables -A QUERY-CHECK -m hashlimit
                          --hashlimit-mode srcip --hashlimit-name
                          getstatus --hashlimit-above 2/second -j
                          QUERY-BLOCK<br>
                        </div>
                        <font size="-1"><font face="Verdana"><br>
                            in this way (two different lines):<br>
                            iptables -A QUERY-CHECK -m hashlimit
                            --hashlimit-mode srcip --hashlimit-name
                            getstatus --hashlimit 2/s -j RETURN<br>
                            iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
                            <br>
                            should mimic the same behaviour<br>
                          </font></font><br>
                        On 22/02/2012 18:43, Geoff Goas wrote:
                        <div>
                          <div>
                            <blockquote type="cite">Hi,<br>
                              <br>
                              On CentOS 5.5, <i
                                style="font-family:courier
                                new,monospace">--hashlimit-above</i> is
                              not a valid option for the "hashlimit"
                              match. Which version of iptables
                              introduces this, and how can I mimic that
                              same ruleset with the options available to
                              me in version 1.3.5 of iptables?<br>
                              <br>
                              Thanks,<br>
                              <br>
                              <div class="gmail_quote">On Fri, Jan 20,
                                2012 at 7:51 PM, John <span dir="ltr">&lt;<a
                                    moz-do-not-send="true"
                                    href="mailto:lists.cod@nuclearfallout.net"
                                    target="_blank">lists.cod@nuclearfallout.net</a>&gt;</span>
                                wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin:0 0 0
                                  .8ex;border-left:1px #ccc
                                  solid;padding-left:1ex">
                                  <div bgcolor="#FFFFFF" text="#000000">
                                    <div> On 1/20/2012 3:27 PM, Marco
                                      Padovan wrote: </div>
                                    <blockquote type="cite"><font
                                        size="-1"><font face="Verdana">
                                          <div>I was referring to
                                            dynamic filtering using -m
                                            recent<br>
                                            <br>
                                          </div>
                                          [not] to manually adding IPs
                                          O.o</font></font></blockquote>
                                    <br>
                                    Marco's right about this. The most
                                    effective way to prevent effects
                                    from these attacks on Linux is to
                                    use a combination of the "string",
                                    "hashlimit", and "recent" modules.
                                    Done right, the solution is mostly
                                    automatic, so you shouldn't need to
                                    manually add IPs.<br>
                                    <br>
                                    These commands, for instance, would
                                    block external IPs that send queries
                                    at a rate of 2/second or higher:<br>
                                    <br>
                                    # add a host to the banlist and then
                                    drop the packet.<br>
                                    iptables -N QUERY-BLOCK<br>
                                    iptables -A QUERY-BLOCK -m recent
                                    --set --name blocked-hosts -j DROP<br>
                                    <br>
                                    # is this a query packet? if so,
                                    block commonly attacked ports
                                    outright, <br>
                                    # then see if it's a known attacking
                                    IP, then see if it is sending at a
                                    high<br>
                                    # rate and should be added to the
                                    list of known attacking IPs.<br>
                                    iptables -N QUERY-CHECK<br>
                                    iptables -A QUERY-CHECK -p udp -m
                                    string ! --string "getstatus" --algo
                                    bm --from 32 --to 41 -j RETURN<br>
                                    iptables -A QUERY-CHECK -p udp
                                    --sport 0:1025 -j DROP<br>
                                    iptables -A QUERY-CHECK -p udp
                                    --sport 3074 -j DROP<br>
                                    iptables -A QUERY-CHECK -p udp
                                    --sport 7777 -j DROP<br>
                                    iptables -A QUERY-CHECK -p udp
                                    --sport 27015:27100 -j DROP<br>
                                    iptables -A QUERY-CHECK -p udp
                                    --sport 25200 -j DROP<br>
                                    iptables -A QUERY-CHECK -p udp
                                    --sport 25565 -j DROP<br>
                                    # is it already blocked? continue
                                    blocking it and update the counter
                                    so it<br>
                                    # gets blocked for at least another
                                    30 seconds.<br>
                                    iptables -A QUERY-CHECK -m recent
                                    --update --name blocked-hosts
                                    --seconds 30 --hitcount 1 -j DROP<br>
                                    # check to see if it exceeds our
                                    rate threshold,<br>
                                    # and add it to the list if it does.<br>
                                    iptables -A QUERY-CHECK -m hashlimit
                                    --hashlimit-mode srcip
                                    --hashlimit-name getstatus
                                    --hashlimit-above 2/second -j
                                    QUERY-BLOCK<br>
                                    <br>
                                    # look at all the packets going to
                                    q3/cod*/et/etc servers<br>
                                    iptables -A INPUT -p udp --dport
                                    27960:29000 -j QUERY-CHECK<br>
                                    <br>
                                    The "recent" module makes it
                                    possible to block up to 100 IPs at
                                    once with this method (any attackers
                                    beyond this would only be
                                    rate-limited). That number can be
                                    raised when the module is loaded,
                                    but I haven't seen 100 attacks
                                    happening at once yet (typically
                                    it's maybe 5-20 at once). You can
                                    see blocked hosts later by looking
                                    at
                                    /proc/net/xt_recent/blocked-hosts.<br>
                                    <br>
                                    (If you don't have "recent", you
                                    could get away without it -- just be
                                    aware that some of the packets will
                                    get through, increasing load on the
                                    game server. Without "hashlimit",
                                    you'd still see an advantage from
                                    the port checks, but you'd need to
                                    manually block IPs that are being
                                    hit on other ports. Without
                                    "string", you'd similarly be down to
                                    just port checks, and need to take
                                    out the other rules.)<span><font
                                        color="#888888"><br>
                                        <br>
                                        -John<br>
                                      </font></span></div>
                                  <br>
_______________________________________________<br>
                                  cod mailing list<br>
                                  <a moz-do-not-send="true"
                                    href="mailto:cod@icculus.org"
                                    target="_blank">cod@icculus.org</a><br>
                                  <a moz-do-not-send="true"
                                    href="http://icculus.org/mailman/listinfo/cod"
                                    target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                                  <br>
                                </blockquote>
                              </div>
                              <br>
                              <br clear="all">
                              <br>
                              -- <br>
                              <i><b><font size="1"><span
                                      style="font-family:tahoma,sans-serif">Geoff

                                      Goas</span><br
                                      style="font-family:tahoma,sans-serif">
                                    <span
                                      style="font-family:tahoma,sans-serif">Systems

                                      Engineer</span></font></b></i><br>
                              <br>
                              <br>
                              <br>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <div>EscapedTurkey.com Billing and Support<br>
                  </div>
                  <div><a moz-do-not-send="true"
                      href="https://www.escapedturkey.com/helpdesk"
                      target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
                  <br>
                  <br>
                  <br>
                </blockquote>
              </div>
            </div>
          </div>
          <br>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>EscapedTurkey.com Billing and Support<br>
      </div>
      <div><a moz-do-not-send="true"
          href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
      <br>
      <br>
    </blockquote>
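The rules from John's post, assembled as a shell script that picks the hashlimit form the installed iptables accepts: the single --hashlimit-above rule, or the two-line --hashlimit 2/s -j RETURN workaround discussed above. This is an added example, not code from the thread; the IPT variable and the hashlimit_form / query_rules function names are assumptions, and by default the script only prints the rules instead of loading them.<br>

```shell
#!/bin/sh
# Added example, not from the thread. Builds John's QUERY-BLOCK / QUERY-CHECK
# chains and selects the hashlimit form the local iptables supports.
# IPT is the command run for every rule; the default "echo iptables" prints
# the rules (dry run). Run with IPT=iptables as root to load them for real.
IPT="${IPT:-echo iptables}"

# Prints "modern" if this iptables knows --hashlimit-above, else "legacy"
# (the two-line --hashlimit 2/s -j RETURN workaround for older releases).
hashlimit_form() {
    if iptables -m hashlimit --help 2>/dev/null | grep -q -- '--hashlimit-above'; then
        echo modern
    else
        echo legacy
    fi
}

# $1 = modern | legacy. Threshold from the thread: 2 queries/second per source IP.
query_rules() {
    form="$1"
    # add a host to the banlist and then drop the packet
    $IPT -N QUERY-BLOCK
    $IPT -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
    $IPT -N QUERY-CHECK
    # only "getstatus" queries (bytes 32-41 of the datagram) go through the checks
    $IPT -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
    # source ports that a real client never queries from: drop outright
    for sp in 0:1025 3074 7777 27015:27100 25200 25565; do
        $IPT -A QUERY-CHECK -p udp --sport "$sp" -j DROP
    done
    # already banned: keep dropping and extend the ban by another 30 seconds
    $IPT -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
    case "$form" in
        modern)
            $IPT -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK ;;
        legacy)
            # within the limit: leave the chain; everything else falls through to the ban
            $IPT -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN
            $IPT -A QUERY-CHECK -j QUERY-BLOCK ;;
        *)
            echo "unknown hashlimit form: $form" >&2
            return 1 ;;
    esac
    # send all packets for q3/cod/et servers through the checks
    $IPT -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
}

query_rules "$(hashlimit_form)"
```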
  </body>
</html>