<pre>
# These commands, for instance, would block external IPs that send queries
# at a rate of 2/second or higher:
# add a host to the banlist and then drop the packet.
/sbin/iptables -N QUERY-BLOCK
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
/sbin/iptables -N QUERY-CHECK
/sbin/iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
/sbin/iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP

# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
/sbin/iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP

# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
# /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK

# CentOS 5 or CentOS 6 compatible
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
# /sbin/iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
/sbin/iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK
</pre>
<div><br></div>
<pre>
./spamblock.bsh
iptables: Chain already exists.
iptables: Chain already exists.
</pre>
<div><br></div>
<pre>
iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source      destination
QUERY-CHECK  udp  --  0.0.0.0/0   0.0.0.0/0   udp dpts:27000:30000

Chain FORWARD (policy ACCEPT)
target       prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source      destination

Chain QUERY-BLOCK (1 references)
target       prot opt source      destination
DROP         all  --  0.0.0.0/0   0.0.0.0/0   recent: SET name: blocked-hosts side: source

Chain QUERY-CHECK (1 references)
target       prot opt source      destination
RETURN       udp  --  0.0.0.0/0   0.0.0.0/0   STRING match !"getstatus" ALGO name bm FROM 32 TO 41
DROP         udp  --  0.0.0.0/0   0.0.0.0/0   udp spts:0:1025
DROP         udp  --  0.0.0.0/0   0.0.0.0/0   udp spt:3074
DROP         udp  --  0.0.0.0/0   0.0.0.0/0   udp spt:7777
DROP         udp  --  0.0.0.0/0   0.0.0.0/0   udp spts:27015:27100
DROP         udp  --  0.0.0.0/0   0.0.0.0/0   udp spt:25200
DROP         udp  --  0.0.0.0/0   0.0.0.0/0   udp spt:25565
DROP         all  --  0.0.0.0/0   0.0.0.0/0   recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
RETURN       all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 2/sec burst 5 mode srcip
QUERY-BLOCK  all  --  0.0.0.0/0   0.0.0.0/0
</pre>
<div><br></div>
<div>Should I be concerned with "iptables: Chain already exists."?</div>
<br><br><div class="gmail_quote">On Thu, Feb 23, 2012 at 9:44 AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">sure, do it :)</font></font><br>
<br>
On 23/02/2012 15:44, escapedturkey wrote:
<div><div class="h5"><blockquote type="cite">
<div>I support most Q3 engine games. Some go beyond the range specified in the original post.<br>
</div>
<div><br>
</div>
<div>Can I change:</div>
<div><br>
</div>
<div>iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
</div>
<div><br>
</div>
<div>To:</div>
<div><br>
</div>
<div>iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK<br>
</div>
<div><br>
</div>
<div>Or will that cause problems? </div>
<div><br>
</div>
<div>Ex: JK2 = 28070, JA = 29070</div>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 9:30 AM, Marco
Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">Let us know if that works ;)</font></font><br>
<br>
On 23/02/2012 15:20, escapedturkey wrote:
<div>
<div>
<blockquote type="cite">Thank you. Much appreciated. =)<br>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 7:33
AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">Ehm,<br>
nope :D<br>
<br>
You need all the lines John posted:<br>
<br>
</font></font><a href="http://icculus.org/pipermail/cod/2012-January/015861.html" target="_blank">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
<br>
To make it works in centos5 / 6 change into that
ruleset:
<div><br>
iptables -A QUERY-CHECK -m hashlimit
--hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit-above 2/second -j
QUERY-BLOCK<br>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit
--hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
</font></font><br>
</div>
<font size="-1"><font face="Verdana">all the
other rules should be kept as they are :)<br>
</font></font><br>
Il 23/02/2012 13:10, escapedturkey ha scritto:
<div>
<div>
<blockquote type="cite">
<div>Thank you. I missed those lines.<br>
</div>
<div><br>
</div>
<div>Here is what I have so far:</div>
<div><br>
</div>
<div>/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div>
<div><br>
</div>
<div>Is this correct? </div>
<div><br>
</div>
<div>Thank you again. =)</div>
<br>
<div class="gmail_quote">On Thu, Feb 23,
2012 at 5:32 AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">did
you issued all the other
commands?<br>
<br>
like:<br>
<br>
</font></font>
<div>iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent
--set --name blocked-hosts -j DROP<br>
<br>
</div>
?<br>
<br>
Il 23/02/2012 03:54, escapedturkey
ha scritto:
<div>
<div>
<blockquote type="cite">
<div>iptables v1.4.7: Couldn't load target `QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so: cannot open shared object file: No such file or directory<br>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<br>
<br>
<div class="gmail_quote"> On
Wed, Feb 22, 2012 at 4:51
PM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">on
centos5 and centos6<br>
<br>
modifying this line:<br>
</font></font>
<div>iptables -A
QUERY-CHECK -m
hashlimit
--hashlimit-mode srcip
--hashlimit-name
getstatus
--hashlimit-above
2/second -j
QUERY-BLOCK<br>
</div>
<font size="-1"><font face="Verdana"><br>
in this way (two
different lines):<br>
iptables -A
QUERY-CHECK -m
hashlimit
--hashlimit-mode
srcip
--hashlimit-name
getstatus
--hashlimit 2/s -j
RETURN<br>
iptables -A
QUERY-CHECK -j
QUERY-BLOCK<br>
<br>
should mimic the
same behaviour<br>
</font></font><br>
Il 22/02/2012 18:43,
Geoff Goas ha scritto:
<div>
<div>
<blockquote type="cite">Hi,<br>
<br>
On CentOS 5.5, <i style="font-family:courier new,monospace">--hashlimit-above</i>
is not a valid
option for the
"hashlimit" match.
Which version of
iptables
introduces this,
and how can I
mimic that same
ruleset with the
options available
to me in version
1.3.5 of iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On
Fri, Jan 20,
2012 at 7:51 PM,
John <span dir="ltr"><<a href="mailto:lists.cod@nuclearfallout.net" target="_blank">lists.cod@nuclearfallout.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 1/20/2012 3:27 PM, Marco Padovan wrote: </div>
<blockquote type="cite"><font size="-1"><font face="Verdana">
<div>I was referring to dynamic filtering using -m recent<br>
<br>
</div>
[not] to manually adding IPs O.o</font></font></blockquote>
<br>
Marco's right about this. The most effective way to prevent effects from these attacks on Linux is to use a combination of the "string", "hashlimit", and "recent" modules. Done right, the solution is mostly automatic, so you shouldn't need to manually add IPs.<br>
<br>
These commands, for instance, would block external IPs that send queries at a rate of 2/second or higher:<br>
<br>
<pre>
# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
</pre>
The "recent" module makes it possible to block up to 100 IPs at once with this method (any attackers beyond this would only be rate-limited). That number can be raised when the module is loaded, but I haven't seen 100 attacks happening at once yet (typically it's maybe 5-20 at once). You can see blocked hosts later by looking at /proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have "recent", you could get away without it -- just be aware that some of the packets will get through, increasing load on the game server. Without "hashlimit", you'd still see an advantage from the port checks, but you'd need to manually block IPs that are being hit on other ports. Without "string", you'd similarly be down to just port checks, and need to take out the other rules.)<span><font color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing
list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif">
<span style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>EscapedTurkey.com Billing and Support<br></div><div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
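<div>The "iptables: Chain already exists." message in the post above is what <code>iptables -N</code> prints when the chain is already present; the script does not stop there, so every later <code>-A</code> line then appends a second copy of its rule to the existing chain, and each re-run of spamblock.bsh grows the chains. The script below is an added example written for this page, not code from the thread, from John's original post or from the iptables project. It rebuilds the same string/hashlimit/recent ruleset in the CentOS 5/6 form that Marco gave (a <code>--hashlimit ... -j RETURN</code> rule followed by an unconditional jump to QUERY-BLOCK instead of <code>--hashlimit-above</code>), but flushes the chains and removes the old INPUT jump first so it can be run at boot or after every edit without duplicating rules. The rate, block time and port range are parameters, and without the <code>apply</code> argument it only prints the commands it would run. The variable names, the <code>DRY_RUN</code> switch and the <code>/sbin/iptables</code> default path are this example's own assumptions.</div>

```shell
#!/bin/sh
# Added example (not code from the thread): an idempotent, parameterised
# build of the string/hashlimit/recent getstatus-flood ruleset, in the
# CentOS 5/6 form (--hashlimit ... -j RETURN, then a jump to QUERY-BLOCK,
# instead of --hashlimit-above).
#
# "iptables -N NAME" fails with "Chain already exists." when NAME is already
# there, and a script that keeps going then appends a second copy of every
# -A rule to the old chain. Here the chains are flushed and the INPUT jump
# removed before anything is added, so re-running is safe.
#
# Assumptions that are this example's own, not from the page: the variable
# names, the DRY_RUN switch and the default iptables path.

IPT="${IPT:-/sbin/iptables}"
QUERY_PORTS="${QUERY_PORTS:-27000:30000}"  # dport range handed to QUERY-CHECK
QUERY_RATE="${QUERY_RATE:-2/s}"            # getstatus rate allowed per source IP
BLOCK_SECONDS="${BLOCK_SECONDS:-30}"       # a listed host stays dropped this long
# Source ports the spoofed queries claim to come from (reflection victims);
# same list as the thread, dropped before any rate accounting.
DROP_SPORTS="0:1025 3074 7777 27015:27100 25200 25565"

dry_run() { [ "${DRY_RUN:-0}" = "1" ]; }

# ipt ARGS...: run iptables, or print the exact command when DRY_RUN=1.
ipt() {
    if dry_run; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# reset_chain NAME: afterwards NAME exists and is empty. Flushing an existing
# chain succeeds; if the flush fails the chain is missing, so create it.
reset_chain() {
    if dry_run; then
        ipt -F "$1"
        ipt -N "$1"
    else
        "$IPT" -F "$1" 2>/dev/null || "$IPT" -N "$1"
    fi
}

build_rules() {
    reset_chain QUERY-BLOCK
    reset_chain QUERY-CHECK

    # Remove every earlier INPUT jump into QUERY-CHECK (each -D removes one
    # copy). -D only matches an identical rule, so if QUERY_PORTS changed since
    # the last run, delete the jump with the old range by hand once.
    if ! dry_run; then
        while "$IPT" -D INPUT -p udp --dport "$QUERY_PORTS" -j QUERY-CHECK 2>/dev/null; do :; done
    fi

    # QUERY-BLOCK: put the source address on the "recent" list, then drop.
    ipt -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

    # QUERY-CHECK, rule 1: anything that is not a getstatus query goes straight
    # back to INPUT. Offset 32 = 20-byte IPv4 header + 8-byte UDP header + the
    # four 0xff bytes that start every Q3 out-of-band packet (editor's reading).
    ipt -A QUERY-CHECK -p udp -m string ! --string getstatus --algo bm --from 32 --to 41 -j RETURN
    # Queries "from" well-known service/game ports are spoofed: drop outright.
    for sp in $DROP_SPORTS; do
        ipt -A QUERY-CHECK -p udp --sport "$sp" -j DROP
    done
    # Already listed and seen within BLOCK_SECONDS: refresh the timestamp, drop.
    ipt -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds "$BLOCK_SECONDS" --hitcount 1 -j DROP
    # Within the allowed rate (hashlimit's default burst of 5): return to INPUT.
    # Whatever is left exceeded the rate, so the last rule lists and drops it.
    ipt -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit "$QUERY_RATE" -j RETURN
    ipt -A QUERY-CHECK -j QUERY-BLOCK

    # Hook the check into INPUT for the game-server port range.
    ipt -A INPUT -p udp --dport "$QUERY_PORTS" -j QUERY-CHECK
}

# "sh spamblock.sh apply" installs the rules; with no argument the script only
# prints what it would run, which is the way to review a change before applying.
case "${1:-}" in
    apply) build_rules ;;
    *)     DRY_RUN=1 build_rules ;;
esac
```

<div>Run it once with no argument and compare the printed commands against <code>iptables -L -n</code> before running it with <code>apply</code>; after that, re-running prints no "Chain already exists." and the chains keep exactly one copy of each rule. Widening the range (for example <code>QUERY_PORTS=27960:29000 sh spamblock.sh apply</code>) or changing the threshold is a variable change rather than an edit to the rule lines.</div>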