<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">sure, do it :)</font></font><br>
<br>
On 23/02/2012 15:44, escapedturkey wrote:
<blockquote
cite="mid:CALCvV0zdyFDJSGGz7GvRJyLXvKrpGqbO8Zx+j_sYKVdZkTV0OQ@mail.gmail.com"
type="cite">
<div>I support most Q3 engine games. Some go beyond the range
specified in the original post.<br>
</div>
<div><br>
</div>
<div>Can I change:</div>
<div><br>
</div>
<div>iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
</div>
<div><br>
</div>
<div>To:</div>
<div><br>
</div>
<div>iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK<br>
</div>
<div><br>
</div>
<div>Or will that cause problems? </div>
<div><br>
</div>
<div>Ex: JK2 = 28070, JA = 29070</div>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 9:30 AM, Marco
Padovan <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font
face="Verdana">Let us know if that works ;)</font></font><br>
<br>
On 23/02/2012 15:20, escapedturkey wrote:
<div>
<div class="h5">
<blockquote type="cite">Thank you. Much appreciated. =)<br>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 7:33
AM, Marco Padovan <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font
size="-1"><font face="Verdana">Ehm,<br>
nope :D<br>
<br>
You need all the lines John posted:<br>
<br>
</font></font><a moz-do-not-send="true"
href="http://icculus.org/pipermail/cod/2012-January/015861.html"
target="_blank">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
<br>
To make it work on CentOS 5 / 6, change this line of that
ruleset:
<div><br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
</font></font><br>
</div>
<font size="-1"><font face="Verdana">all the other rules should be kept as they are :)<br>
</font></font><br>
On 23/02/2012 13:10, escapedturkey wrote:
<div>
<div>
<blockquote type="cite">
<div>Thank you. I missed those lines.<br>
</div>
<div><br>
</div>
<div>Here is what I have so far:</div>
<div><br>
</div>
<div>/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div>
<div><br>
</div>
<div>Is this correct? </div>
<div><br>
</div>
<div>Thank you again. =)</div>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 5:32 AM, Marco Padovan <span dir="ltr"><<a moz-do-not-send="true" href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">did you issue all the other commands?<br>
<br>
like:<br>
<br>
</font></font>
<div>iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
<br>
</div>
?<br>
<br>
On 23/02/2012 03:54, escapedturkey wrote:
<div>
<div>
<blockquote type="cite">
<div>iptables v1.4.7: Couldn't load target `QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so: cannot open shared object file: No such file or directory<br>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<br>
<br>
<div class="gmail_quote"> On Wed, Feb 22, 2012 at 4:51 PM, Marco Padovan <span dir="ltr"><<a moz-do-not-send="true" href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">on CentOS 5 and CentOS 6<br>
<br>
modifying this line:<br>
</font></font>
<div>iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
</div>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
<br>
should mimic the same behaviour<br>
</font></font><br>
On 22/02/2012 18:43, Geoff Goas wrote:
<div>
<div>
<blockquote type="cite">Hi,<br>
<br>
On CentOS 5.5, <i style="font-family:courier new,monospace">--hashlimit-above</i> is not a valid option for the "hashlimit" match. Which version of iptables introduces this, and how can I mimic that same ruleset with the options available to me in version 1.3.5 of iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On Fri, Jan 20, 2012 at 7:51 PM, John <span dir="ltr"><<a moz-do-not-send="true" href="mailto:lists.cod@nuclearfallout.net" target="_blank">lists.cod@nuclearfallout.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 1/20/2012 3:27 PM, Marco Padovan wrote: </div>
<blockquote type="cite"><font size="-1"><font face="Verdana">
<div>I was referring to dynamic filtering using -m recent<br>
<br>
</div>
[not] to manually adding IPs O.o</font></font></blockquote>
<br>
Marco's right about this. The most effective way to prevent effects from these attacks on Linux is to use a combination of the "string", "hashlimit", and "recent" modules. Done right, the solution is mostly automatic, so you shouldn't need to manually add IPs.<br>
<br>
These commands, for instance, would block external IPs that send queries at a rate of 2/second or higher:<br>
<br>
# add a host to the banlist and then drop the packet.<br>
iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
<br>
# is this a query packet? if so, block commonly attacked ports outright, <br>
# then see if it's a known attacking IP, then see if it is sending at a high<br>
# rate and should be added to the list of known attacking IPs.<br>
iptables -N QUERY-CHECK<br>
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN<br>
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
# is it already blocked? continue blocking it and update the counter so it<br>
# gets blocked for at least another 30 seconds.<br>
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP<br>
# check to see if it exceeds our rate threshold,<br>
# and add it to the list if it does.<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<br>
# look at all the packets going to q3/cod*/et/etc servers<br>
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
<br>
The "recent" module makes it possible to block up to 100 IPs at once with this method (any attackers beyond this would only be rate-limited). That number can be raised when the module is loaded, but I haven't seen 100 attacks happening at once yet (typically it's maybe 5-20 at once). You can see blocked hosts later by looking at /proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have "recent", you could get away without it -- just be aware that some of the packets will get through, increasing load on the game server. Without "hashlimit", you'd still see an advantage from the port checks, but you'd need to manually block IPs that are being hit on other ports. Without "string", you'd similarly be down to just port checks, and need to take out the other rules.)<span><font color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true" href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a moz-do-not-send="true" href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif">
<span style="font-family:tahoma,sans-serif">Systems Engineer</span></font></b></i><br>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing
and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
</blockquote>
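<p>Added example, not part of the thread and not John's or Marco's code: a constructed Python model of the QUERY-CHECK chain quoted above. It approximates the xt_string window check, the xt_hashlimit per-source token bucket (burst 5, the module default) and the xt_recent bounded last-seen table just closely enough to trace which packets of a sample stream are accepted or dropped, and it evaluates both John's single --hashlimit-above rule and Marco's two-line rewrite for iptables versions that lack --hashlimit-above, so the two forms can be checked against each other on the same traffic. The packet stream, addresses, ports and timings are constructed; the module classes are simplifications for illustration, not the kernel code, and real iptables also needs the QUERY-BLOCK chain to exist before QUERY-CHECK refers to it, which is the error escapedturkey hit.</p>

```python
"""Constructed model of the QUERY-CHECK ruleset from the thread (not iptables and
not John's or Marco's code): xt_string, xt_hashlimit and xt_recent are approximated
just enough to trace verdicts and compare the two forms of the rate-limit rule."""
from collections import OrderedDict, namedtuple

BLOCKED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (27015, 27100),
                  (25200, 25200), (25565, 25565)]   # --sport ranges dropped outright
QUERY_DPORTS = (27960, 29000)   # INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
IP_UDP_HDR = 28   # "--from 32 --to 41" counts from the IPv4 header: payload[4:14]
QUERY = b"\xff\xff\xff\xffgetstatus\n"   # constructed Q3-style query payload
# fields: arrival time in seconds (constructed), source IP, sport, dport, UDP payload
Packet = namedtuple("Packet", "t src sport dport payload")

class HashLimit:
    """Per-source token bucket: `rate` tokens/s, burst 5 (xt_hashlimit default)."""
    def __init__(self, rate=2.0, burst=5):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def upto(self, pkt):
        """--hashlimit (upto): True while the source is within its rate.
        --hashlimit-above is the negation; both charge the same bucket."""
        tokens, last = self.buckets.get(pkt.src, (self.burst, pkt.t))
        tokens = min(self.burst, tokens + (pkt.t - last) * self.rate)
        ok = tokens >= 1
        self.buckets[pkt.src] = (tokens - 1 if ok else tokens, pkt.t)
        return ok

class Recent:
    """xt_recent approximation: bounded table of source -> last-seen time."""
    def __init__(self, max_entries=100):
        self.max_entries, self.seen = max_entries, OrderedDict()

    def set(self, pkt):                        # -m recent --set --name blocked-hosts
        self.seen.pop(pkt.src, None)
        self.seen[pkt.src] = pkt.t
        if len(self.seen) > self.max_entries:  # table full: oldest entry is recycled
            self.seen.popitem(last=False)

    def update(self, pkt, seconds=30):         # --update --seconds 30 --hitcount 1
        last = self.seen.get(pkt.src)
        if last is None or pkt.t - last > seconds:
            return False
        self.set(pkt)                          # refresh: blocked for another 30 s
        return True

    def blocked_hosts(self):                   # cf. /proc/net/xt_recent/blocked-hosts
        return list(self.seen)

def query_check_rules(form, hl, rc):
    """QUERY-CHECK as (reason, match, target) tuples in ruleset order."""
    window = slice(32 - IP_UDP_HDR, 42 - IP_UDP_HDR)
    rules = [
        ("not a getstatus query", lambda p: b"getstatus" not in p.payload[window], "RETURN"),
        ("blocked source port",
         lambda p: any(lo <= p.sport <= hi for lo, hi in BLOCKED_SPORTS), "DROP"),
        ("already in blocked-hosts", lambda p: rc.update(p), "DROP"),
    ]
    if form == "above":   # John: -m hashlimit --hashlimit-above 2/second -j QUERY-BLOCK
        rules.append(("rate above 2/s", lambda p: not hl.upto(p), "QUERY-BLOCK"))
    else:                 # Marco: --hashlimit 2/s -j RETURN, then -j QUERY-BLOCK
        rules.append(("rate within 2/s", lambda p: hl.upto(p), "RETURN"))
        rules.append(("rate above 2/s", lambda p: True, "QUERY-BLOCK"))
    return rules

def run_chain(packets, form="above"):
    """Return ([(src, t, verdict, reason)], blocked_hosts) for a packet stream."""
    hl, rc = HashLimit(), Recent()
    rules = query_check_rules(form, hl, rc)
    verdicts = []
    for p in packets:
        if not QUERY_DPORTS[0] <= p.dport <= QUERY_DPORTS[1]:
            verdicts.append((p.src, p.t, "ACCEPT", "not a query port"))
            continue
        for reason, match, target in rules:
            if match(p):
                if target == "QUERY-BLOCK":    # -A QUERY-BLOCK -m recent --set ... -j DROP
                    rc.set(p)
                    target = "DROP"
                verdicts.append((p.src, p.t, "ACCEPT" if target == "RETURN" else target, reason))
                break
        else:                                  # fell off the end of the chain
            verdicts.append((p.src, p.t, "ACCEPT", "end of chain"))
    return verdicts, rc.blocked_hosts()

def sample_packets():
    """Constructed stream: a polite client, a non-query, a 12-packet flood, a spoofed
    source port, traffic to a non-game port, and the flooder coming back later."""
    pkts = [Packet(t, "10.0.0.5", 40000, 28960, QUERY) for t in (0.0, 5.0, 10.0)]
    pkts.append(Packet(1.0, "192.0.2.9", 40001, 28960, b"\xff\xff\xff\xffgetinfo\n"))
    pkts += [Packet(2.0 + i * 0.05, "198.51.100.7", 40002, 28960, QUERY) for i in range(12)]
    pkts.append(Packet(3.0, "203.0.113.4", 27015, 28960, QUERY))
    pkts.append(Packet(4.0, "10.0.0.6", 40003, 20000, QUERY))
    pkts += [Packet(t, "198.51.100.7", 40002, 28960, QUERY) for t in (20.0, 60.0)]
    return sorted(pkts, key=lambda p: p.t)

if __name__ == "__main__":
    verdicts, blocked = run_chain(sample_packets())
    for src, t, verdict, reason in verdicts:
        print(f"{t:6.2f}s {src:14} {verdict:6} {reason}")
    print("blocked-hosts:", blocked)
```

<p>Running the module prints one verdict per packet followed by the blocked-hosts table. On the constructed stream the flooder gets five packets through (the bucket's burst), is sent to QUERY-BLOCK on the sixth, is then dropped by the recent rule on every later packet because each hit refreshes the 30-second window, and only gets through again after staying quiet for longer than that window. Calling run_chain with form="two-line" yields the same accept/drop sequence as the default --hashlimit-above form, which is the equivalence Marco relies on for iptables 1.3.5. The Recent class also shows the 100-entry ceiling John mentions: once the table is full, the oldest entry is recycled rather than the new one being refused.</p>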
</body>
</html>