<div>iptables --flush</div><div><br></div><div>/sbin/iptables -N QUERY-BLOCK<br></div><div>iptables: Chain already exists.<br></div><div><br></div><div>/sbin/iptables -N QUERY-CHECK<br>iptables: Chain already exists.<br></div>
<div><br></div><div>Any help? =)</div><br><br><div class="gmail_quote">On Thu, Feb 23, 2012 at 10:03 AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">The <br>
<br>
</font></font>"Chain already exists." error should appear...<br>
<br>
iptables --flush<br>
<br>
then run the script...<br>
<br>
eventually run all the rules one by one and see which one is giving
you the error...<br>
<br>
you can monitor the number of blocked packets issuing:<br>
<br>
iptables -nvx -L QUERY-BLOCK<br>
<br>
and<br>
<br>
iptables -nvx -L QUERY-CHECK<br>
<br>
Il 23/02/2012 15:53, escapedturkey ha scritto:
<div><div class="h5"><blockquote type="cite"># These commands, for instance, would block external
IPs that send queries <br>
# at a rate of 2/second or higher:<br>
# add a host to the banlist and then drop the packet.<br>
/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts
-j DROP<br>
# is this a query packet? if so, block commonly attacked ports
outright,<br>
# then see if it's a known attacking IP, then see if it is sending
at a high<br>
# rate and should be added to the list of known attacking IPs.<br>
/sbin/iptables -N QUERY-CHECK<br>
/sbin/iptables -A QUERY-CHECK -p udp -m string ! --string
"getstatus" --algo bm --from 32 --to 41 -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
# is it already blocked? continue blocking it and update the
counter so it<br>
# gets blocked for at least another 30 seconds.<br>
/sbin/iptables -A QUERY-CHECK -m recent --update --name
blocked-hosts --seconds 30 --hitcount 1 -j DROP<br>
# check to see if it exceeds our rate threshold,<br>
# and add it to the list if it does.<br>
# /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode
srcip --hashlimit-name getstatus --hashlimit-above 2/second -j
QUERY-BLOCK<br>
# CentOS 5 or CentOS 6 compatible<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
# look at all the packets going to q3/cod*/et/etc servers <br>
# /sbin/iptables -A INPUT -p udp --dport 27960:29000 -j
QUERY-CHECK<br>
<div>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -j
QUERY-CHECK<br>
</div>
<div><br>
</div>
<div> ./spamblock.bsh<br>
iptables: Chain already exists.<br>
iptables: Chain already exists.<br>
</div>
<div><br>
</div>
<div>iptables -L -n<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source destination<br>
QUERY-CHECK udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp dpts:27000:30000<br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain QUERY-BLOCK (1 references)<br>
target prot opt source destination<br>
DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
recent: SET name: blocked-hosts side: source<br>
<br>
Chain QUERY-CHECK (1 references)<br>
target prot opt source destination<br>
RETURN udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
STRING match !"getstatus" ALGO name bm FROM 32 TO 41<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp spts:0:1025<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp spt:3074<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp spt:7777<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp spts:27015:27100<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp spt:25200<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
udp spt:25565<br>
DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts
side: source<br>
RETURN all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
limit: up to 2/sec burst 5 mode srcip<br>
QUERY-BLOCK all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
</div>
<div><br>
</div>
<div>Should I be concerned with " iptables: Chain already
exists."? </div>
<br>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 9:44 AM, Marco
Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">sure, do it :)</font></font><br>
<br>
Il 23/02/2012 15:44, escapedturkey ha scritto:
<div>
<div>
<blockquote type="cite">
<div>I support most Q3 engine games. Some go beyond
the range specified in the original post.<br>
</div>
<div><br>
</div>
<div>Can I change:</div>
<div><br>
</div>
<div>iptables -A INPUT -p udp --dport 27960:29000 -j
QUERY-CHECK<br>
</div>
<div><br>
</div>
<div>To:</div>
<div><br>
</div>
<div>iptables -A INPUT -p udp --dport 27000:30000 -j
QUERY-CHECK<br>
</div>
<div><br>
</div>
<div>Or will that cause problems? </div>
<div><br>
</div>
<div>Ex: JK2 =28070 JA = 29070 </div>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 9:30
AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">Let us know if
that works ;)</font></font><br>
<br>
Il 23/02/2012 15:20, escapedturkey ha scritto:
<div>
<div>
<blockquote type="cite">Thank you. Much
appreciated. =)<br>
<br>
<div class="gmail_quote">On Thu, Feb 23,
2012 at 7:33 AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">Ehm,<br>
nope :D<br>
<br>
You need all the lines John
posted:<br>
<br>
</font></font><a href="http://icculus.org/pipermail/cod/2012-January/015861.html" target="_blank">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
<br>
To make it works in centos5 / 6
change into that ruleset:
<div><br>
iptables -A QUERY-CHECK -m
hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus
--hashlimit-above 2/second -j
QUERY-BLOCK<br>
<font size="-1"><font face="Verdana"><br>
in this way (two different
lines):<br>
iptables -A QUERY-CHECK -m
hashlimit --hashlimit-mode
srcip --hashlimit-name
getstatus --hashlimit 2/s -j
RETURN<br>
iptables -A QUERY-CHECK -j
QUERY-BLOCK<br>
</font></font><br>
</div>
<font size="-1"><font face="Verdana">all
the other rules should be kept
as they are :)<br>
</font></font><br>
Il 23/02/2012 13:10, escapedturkey
ha scritto:
<div>
<div>
<blockquote type="cite">
<div>Thank you. I missed those
lines.<br>
</div>
<div><br>
</div>
<div>Here is what I have so
far:</div>
<div><br>
</div>
<div>/sbin/iptables -N
QUERY-BLOCK<br>
/sbin/iptables -A
QUERY-BLOCK -m recent --set
--name blocked-hosts -j DROP<br>
/sbin/iptables -A
QUERY-CHECK -m hashlimit
--hashlimit-mode srcip
--hashlimit-name getstatus
--hashlimit 2/s -j RETURN<br>
/sbin/iptables -A
QUERY-CHECK -j QUERY-BLOCK</div>
<div><br>
</div>
<div>Is this correct? </div>
<div><br>
</div>
<div>Thank you again. =)</div>
<br>
<div class="gmail_quote">On
Thu, Feb 23, 2012 at 5:32
AM, Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">did
you issued all the
other commands?<br>
<br>
like:<br>
<br>
</font></font>
<div>iptables -N
QUERY-BLOCK<br>
iptables -A
QUERY-BLOCK -m recent
--set --name
blocked-hosts -j DROP<br>
<br>
</div>
?<br>
<br>
Il 23/02/2012 03:54,
escapedturkey ha
scritto:
<div>
<div>
<blockquote type="cite">
<div>iptables
v1.4.7: Couldn't
load target
`QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so:
cannot open
shared object
file: No such
file or
directory<br>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<br>
<br>
<div class="gmail_quote">
On Wed, Feb 22,
2012 at 4:51 PM,
Marco Padovan <span dir="ltr"><<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">on
centos5 and
centos6<br>
<br>
modifying this
line:<br>
</font></font>
<div>iptables
-A QUERY-CHECK
-m hashlimit
--hashlimit-mode
srcip
--hashlimit-name
getstatus
--hashlimit-above
2/second -j
QUERY-BLOCK<br>
</div>
<font size="-1"><font face="Verdana"><br>
in this way
(two different
lines):<br>
iptables -A
QUERY-CHECK -m
hashlimit
--hashlimit-mode
srcip
--hashlimit-name
getstatus
--hashlimit
2/s -j RETURN<br>
iptables -A
QUERY-CHECK -j
QUERY-BLOCK<br>
<br>
should mimic
the same
behaviour<br>
</font></font><br>
Il 22/02/2012
18:43, Geoff
Goas ha
scritto:
<div>
<div>
<blockquote type="cite">Hi,<br>
<br>
On CentOS 5.5,
<i style="font-family:courier new,monospace">--hashlimit-above</i>
is not a valid
option for the
"hashlimit"
match. Which
version of
iptables
introduces
this, and how
can I mimic
that same
ruleset with
the options
available to
me in version
1.3.5 of
iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On
Fri, Jan 20,
2012 at 7:51
PM, John <span dir="ltr"><<a href="mailto:lists.cod@nuclearfallout.net" target="_blank">lists.cod@nuclearfallout.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On
1/20/2012 3:27
PM, Marco
Padovan wrote:
</div>
<blockquote type="cite"><font size="-1"><font face="Verdana">
<div>I was
referring to
dynamic
filtering
using -m
recent<br>
<br>
</div>
[not] to
manually
adding IPs O.o</font></font></blockquote>
<br>
Marco's right
about this.
The most
effective way
to prevent
effects from
these attacks
on Linux is to
use a
combination of
the "string",
"hashlimit",
and "recent"
modules. Done
right, the
solution is
mostly
automatic, so
you shouldn't
need to
manually add
IPs.<br>
<br>
These
commands, for
instance,
would block
external IPs
that send
queries at a
rate of
2/second or
higher:<br>
<br>
# add a host
to the banlist
and then drop
the packet.<br>
iptables -N
QUERY-BLOCK<br>
iptables -A
QUERY-BLOCK -m
recent --set
--name
blocked-hosts
-j DROP<br>
<br>
# is this a
query packet?
if so, block
commonly
attacked ports
outright, <br>
# then see if
it's a known
attacking IP,
then see if it
is sending at
a high<br>
# rate and
should be
added to the
list of known
attacking IPs.<br>
iptables -N
QUERY-CHECK<br>
iptables -A
QUERY-CHECK -p
udp -m string
! --string
"getstatus"
--algo bm
--from 32 --to
41 -j RETURN<br>
iptables -A
QUERY-CHECK -p
udp --sport
0:1025 -j DROP<br>
iptables -A
QUERY-CHECK -p
udp --sport
3074 -j DROP<br>
iptables -A
QUERY-CHECK -p
udp --sport
7777 -j DROP<br>
iptables -A
QUERY-CHECK -p
udp --sport
27015:27100 -j
DROP<br>
iptables -A
QUERY-CHECK -p
udp --sport
25200 -j DROP<br>
iptables -A
QUERY-CHECK -p
udp --sport
25565 -j DROP<br>
# is it
already
blocked?
continue
blocking it
and update the
counter so it<br>
# gets blocked
for at least
another 30
seconds.<br>
iptables -A
QUERY-CHECK -m
recent
--update
--name
blocked-hosts
--seconds 30
--hitcount 1
-j DROP<br>
# check to see
if it exceeds
our rate
threshold,<br>
# and add it
to the list if
it does.<br>
iptables -A
QUERY-CHECK -m
hashlimit
--hashlimit-mode
srcip
--hashlimit-name
getstatus
--hashlimit-above
2/second -j
QUERY-BLOCK<br>
<br>
# look at all
the packets
going to
q3/cod*/et/etc
servers<br>
iptables -A
INPUT -p udp
--dport
27960:29000 -j
QUERY-CHECK<br>
<br>
The "recent"
module makes
it possible to
block up to
100 IPs at
once with this
method (any
attackers
beyond this
would only be
rate-limited).
That number
can be raised
when the
module is
loaded, but I
haven't seen
100 attacks
happening at
once yet
(typically
it's maybe
5-20 at once).
You can see
blocked hosts
later by
looking at
/proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't
have "recent",
you could get
away without
it -- just be
aware that
some of the
packets will
get through,
increasing
load on the
game server.
Without
"hashlimit",
you'd still
see an
advantage from
the port
checks, but
you'd need to
manually block
IPs that are
being hit on
other ports.
Without
"string",
you'd
similarly be
down to just
port checks,
and need to
take out the
other rules.)<span><font color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing
list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif">
<span style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
<br>
<pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cod mailing
list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com
Billing and
Support<br>
</div>
<div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
<pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing
and Support<br>
</div>
<div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
<pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
<pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
<pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
<pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</div></div></div>
<br>_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>EscapedTurkey.com Billing and Support<br></div><div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>