<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">did you issue all the other
commands?<br>
<br>
like:<br>
<br>
</font></font>iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
<br>
?<br>
<br>
On 23/02/2012 03:54, escapedturkey wrote:
<blockquote
cite="mid:CALCvV0xcUSO4w4ecdnPqY_M0wDBr0LrpaJyUt0TRpqCt99jCQA@mail.gmail.com"
type="cite">
<div>iptables v1.4.7: Couldn't load target
`QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so: cannot open
shared object file: No such file or directory<br>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<br>
<br>
<div class="gmail_quote">
On Wed, Feb 22, 2012 at 4:51 PM, Marco Padovan <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font
face="Verdana">on centos5 and centos6<br>
<br>
modifying this line:<br>
</font></font>
<div class="im"><pre>iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK
</pre></div>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
</font></font>
<pre>iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN
iptables -A QUERY-CHECK -j QUERY-BLOCK
</pre>
<font size="-1"><font face="Verdana">should mimic the same behaviour<br>
</font></font><br>
On 22/02/2012 18:43, Geoff Goas wrote:
<div>
<div class="h5">
<blockquote type="cite">Hi,<br>
<br>
On CentOS 5.5, <i style="font-family:courier
new,monospace">--hashlimit-above</i> is not a valid
option for the "hashlimit" match. Which version of
iptables introduces this, and how can I mimic that
same ruleset with the options available to me in
version 1.3.5 of iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On Fri, Jan 20, 2012 at 7:51
PM, John <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:lists.cod@nuclearfallout.net"
target="_blank">lists.cod@nuclearfallout.net</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 1/20/2012 3:27 PM, Marco Padovan wrote:
</div>
<blockquote type="cite"><font size="-1"><font
face="Verdana">
<div>I was referring to dynamic filtering
using -m recent<br>
<br>
</div>
[not] to manually adding IPs O.o</font></font></blockquote>
<br>
Marco's right about this. The most effective way
to prevent effects from these attacks on Linux
is to use a combination of the "string",
"hashlimit", and "recent" modules. Done right,
the solution is mostly automatic, so you
shouldn't need to manually add IPs.<br>
<br>
These commands, for instance, would block
external IPs that send queries at a rate of
2/second or higher:<br>
<br>
<pre># add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
# not a "getstatus" query? leave the chain (the byte offsets count from the start of the IP header)
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
</pre>
<br>
The "recent" module makes it possible to block
up to 100 IPs at once with this method (any
attackers beyond this would only be
rate-limited). That number can be raised when
the module is loaded, but I haven't seen 100
attacks happening at once yet (typically it's
maybe 5-20 at once). You can see blocked hosts
later by looking at
/proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have "recent", you could get away
without it -- just be aware that some of the
packets will get through, increasing load on the
game server. Without "hashlimit", you'd still
see an advantage from the port checks, but you'd
need to manually block IPs that are being hit on
other ports. Without "string", you'd similarly
be down to just port checks, and need to take
out the other rules.)<span><font color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true"
href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span
style="font-family:tahoma,sans-serif">Geoff
Goas</span><br
style="font-family:tahoma,sans-serif">
<span style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
</blockquote>
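<p>The verdict logic of John's chain (and of Marco's two-rule variant for iptables 1.3.5, which takes the same decisions) can be exercised offline. What follows is an added example, not code from any of the posts and not iptables itself: a Python model that replays a constructed packet trace through QUERY-CHECK and QUERY-BLOCK and reports per-source verdicts. Everything about the trace is constructed (RFC 5737 example addresses, timestamps in milliseconds, a fixed <code>getstatus</code> payload). Modelling assumptions: hashlimit is a per-source token bucket at 2/s with a burst of 5 (the default <code>--hashlimit-burst</code>), the "recent" list is unbounded instead of capped at 100 entries, and the <code>--from</code>/<code>--to</code> window is treated as half-open (the 9-byte needle fits either way).</p>

```python
"""Offline model of the QUERY-CHECK / QUERY-BLOCK chains from the thread.

Added illustration, not code from the mailing-list posts and not iptables:
it re-implements the decision logic of the rules in Python so the
order-dependent behaviour (string match, source-port drops, "recent" ban
refresh, hashlimit) can be exercised on a constructed packet trace.
"""
from collections import Counter, namedtuple

# t is in integer milliseconds; payload is the UDP payload only.
Packet = namedtuple("Packet", "t src sport dport payload")

IP_HDR, UDP_HDR = 20, 8          # xt_string offsets count from the IP header
STR_FROM, STR_TO = 32, 41        # --from 32 --to 41
BLOCKED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777),
                  (27015, 27100), (25200, 25200), (25565, 25565)]
GAME_DPORTS = (27960, 29000)     # --dport 27960:29000
RECENT_MS = 30_000               # --seconds 30
RATE_PER_MS = 2                  # 2/second, counted in credits per millisecond
COST, CAPACITY = 1000, 5 * 1000  # one packet costs 1000 credits; burst of 5 (assumed default)


class State:
    def __init__(self):
        self.recent = {}   # src -> time of last hit (the blocked-hosts list)
        self.bucket = {}   # src -> (credits, time of last update)


def is_getstatus(payload):
    """Model of `-m string --string "getstatus" --algo bm --from 32 --to 41`:
    the needle must sit inside payload bytes [32-28, 41-28)."""
    lo, hi = STR_FROM - IP_HDR - UDP_HDR, STR_TO - IP_HDR - UDP_HDR
    return b"getstatus" in payload[lo:hi]


def query_check(state, p):
    """Walk the chain for one packet, mutate state as the modules would, return a verdict."""
    if not GAME_DPORTS[0] <= p.dport <= GAME_DPORTS[1]:
        return "SKIP(not-game-port)"          # INPUT never jumps into QUERY-CHECK
    if not is_getstatus(p.payload):
        return "RETURN(not-query)"            # `! --string getstatus -j RETURN`
    if any(lo <= p.sport <= hi for lo, hi in BLOCKED_SPORTS):
        return "DROP(sport)"                  # the --sport ... -j DROP rules
    last = state.recent.get(p.src)
    if last is not None and p.t - last <= RECENT_MS:
        state.recent[p.src] = p.t             # --update refreshes the timestamp,
        return "DROP(recent)"                 # so the ban outlives the last hit by 30s
    credits, last_t = state.bucket.get(p.src, (CAPACITY, p.t))
    credits = min(CAPACITY, credits + (p.t - last_t) * RATE_PER_MS)
    if credits >= COST:                       # at or under 2/s plus burst: let it through
        state.bucket[p.src] = (credits - COST, p.t)
        return "RETURN(under-limit)"
    state.bucket[p.src] = (credits, p.t)      # --hashlimit-above matched, so
    state.recent[p.src] = p.t                 # QUERY-BLOCK: recent --set, then DROP
    return "DROP(block)"


# Constructed query: 4-byte out-of-band prefix, then the command at byte 32 of the packet.
QUERY = b"\xff\xff\xff\xffgetstatus\n"


def build_trace():
    """Constructed trace (not captured traffic); addresses are RFC 5737 examples."""
    pkts = []
    # 192.0.2.10: a polite client querying once per second
    pkts += [Packet(t, "192.0.2.10", 40000, 27960, QUERY) for t in range(0, 10_000, 1000)]
    # 192.0.2.20: 20 queries at 10/s, one more 13s later, another 45s after that
    pkts += [Packet(t, "192.0.2.20", 40001, 27960, QUERY) for t in range(0, 2000, 100)]
    pkts += [Packet(15_000, "192.0.2.20", 40001, 27960, QUERY),
             Packet(60_000, "192.0.2.20", 40001, 27960, QUERY)]
    # 192.0.2.30: a query whose source port is on the block list
    pkts.append(Packet(0, "192.0.2.30", 27015, 27960, QUERY))
    # 192.0.2.40: game traffic that is not a getstatus query
    pkts.append(Packet(0, "192.0.2.40", 40002, 27960, b"\xff\xff\xff\xffconnect"))
    # 192.0.2.50: a packet outside the game port range never enters QUERY-CHECK
    pkts.append(Packet(0, "192.0.2.50", 40003, 80, QUERY))
    return sorted(pkts, key=lambda p: p.t)


def run_trace(packets):
    """Feed packets in time order; return {src: Counter(verdict -> count)}."""
    state, out = State(), {}
    for p in packets:
        out.setdefault(p.src, Counter())[query_check(state, p)] += 1
    return out


def demo():
    return run_trace(build_trace())


if __name__ == "__main__":
    for src, verdicts in demo().items():
        print(src, dict(verdicts))
```

<p>Run it directly to print the counters. Two things worth noticing: the burst lets a handful of 192.0.2.20's packets through before hashlimit trips and the source is listed, and from then on every query it sends is dropped by the "recent" rule and refreshes its own ban, so the block only lapses once the source has been quiet for 30 seconds (the packet at 60s gets through again). The same verdicts come out whether the last rule is written with <code>--hashlimit-above</code> or as Marco's <code>--hashlimit 2/s -j RETURN</code> followed by <code>-j QUERY-BLOCK</code>.</p>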
</body>
</html>