<div>Thank you. I missed those lines.<br></div><div><br></div><div>Here is what I have so far:</div><div><br></div><div>/sbin/iptables -N QUERY-BLOCK<br>/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div><div><br></div><div>Is this correct? </div><div><br>
</div><div>Thank you again. =)</div><br><div class="gmail_quote">On Thu, Feb 23, 2012 at 5:32 AM, Marco Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <font size="-1"><font face="Verdana">did you issued all the other
        commands?<br>
        <br>
        like:<br>
        <br>
      </font></font><div class="im">iptables -N QUERY-BLOCK<br>
    iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
    <br></div>
    ?<br>
    <br>
    Il 23/02/2012 03:54, escapedturkey ha scritto:
    <div><div class="h5"><blockquote type="cite">
      <div>iptables v1.4.7: Couldn&#39;t load target
        `QUERY-BLOCK&#39;:/lib64/xtables/libipt_QUERY-BLOCK.so: cannot open
        shared object file: No such file or directory<br>
      </div>
      <div><br>
      </div>
      <div>Any ideas?</div>
      <br>
      <br>
      <div class="gmail_quote">
        On Wed, Feb 22, 2012 at 4:51 PM, Marco Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">on centos5 and centos6<br>
                <br>
                modifying this line:<br>
              </font></font>
            <div>iptables -A QUERY-CHECK -m hashlimit
              --hashlimit-mode srcip --hashlimit-name getstatus
              --hashlimit-above 2/second -j QUERY-BLOCK<br>
            </div>
            <font size="-1"><font face="Verdana"><br>
                in this way (two different lines):<br>
                iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode
                srcip --hashlimit-name getstatus --hashlimit 2/s -j
                RETURN<br>
                iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
                <br>
                should mimic the same behaviour<br>
              </font></font><br>
            Il 22/02/2012 18:43, Geoff Goas ha scritto:
            <div>
              <div>
                <blockquote type="cite">Hi,<br>
                  <br>
                  On CentOS 5.5, <i style="font-family:courier new,monospace">--hashlimit-above</i> is not a valid
                  option for the &quot;hashlimit&quot; match. Which version of
                  iptables introduces this, and how can I mimic that
                  same ruleset with the options available to me in
                  version 1.3.5 of iptables?<br>
                  <br>
                  Thanks,<br>
                  <br>
                  <div class="gmail_quote">On Fri, Jan 20, 2012 at 7:51
                    PM, John <span dir="ltr">&lt;<a href="mailto:lists.cod@nuclearfallout.net" target="_blank">lists.cod@nuclearfallout.net</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div> On 1/20/2012 3:27 PM, Marco Padovan wrote:
                        </div>
                        <blockquote type="cite"><font size="-1"><font face="Verdana">
                              <div>I was referring to dynamic filtering
                                using -m recent<br>
                                <br>
                              </div>
                              [not] to manually adding IPs O.o</font></font></blockquote>
                        <br>
                        Marco&#39;s right about this. The most effective way
                        to prevent effects from these attacks on Linux
                        is to use a combination of the &quot;string&quot;,
                        &quot;hashlimit&quot;, and &quot;recent&quot; modules. Done right,
                        the solution is mostly automatic, so you
                        shouldn&#39;t need to manually add IPs.<br>
                        <br>
                        These commands, for instance, would block
                        external IPs that send queries at a rate of
                        2/second or higher:<br>
                        <br>
                        # add a host to the banlist and then drop the
                        packet.<br>
                        iptables -N QUERY-BLOCK<br>
                        iptables -A QUERY-BLOCK -m recent --set --name
                        blocked-hosts -j DROP<br>
                        <br>
                        # is this a query packet? if so, block commonly
                        attacked ports outright, <br>
                        # then see if it&#39;s a known attacking IP, then
                        see if it is sending at a high<br>
                        # rate and should be added to the list of known
                        attacking IPs.<br>
                        iptables -N QUERY-CHECK<br>
                        iptables -A QUERY-CHECK -p udp -m string !
                        --string &quot;getstatus&quot; --algo bm --from 32 --to 41
                        -j RETURN<br>
                        iptables -A QUERY-CHECK -p udp --sport 0:1025 -j
                        DROP<br>
                        iptables -A QUERY-CHECK -p udp --sport 3074 -j
                        DROP<br>
                        iptables -A QUERY-CHECK -p udp --sport 7777 -j
                        DROP<br>
                        iptables -A QUERY-CHECK -p udp --sport
                        27015:27100 -j DROP<br>
                        iptables -A QUERY-CHECK -p udp --sport 25200 -j
                        DROP<br>
                        iptables -A QUERY-CHECK -p udp --sport 25565 -j
                        DROP<br>
                        # is it already blocked? continue blocking it
                        and update the counter so it<br>
                        # gets blocked for at least another 30 seconds.<br>
                        iptables -A QUERY-CHECK -m recent --update
                        --name blocked-hosts --seconds 30 --hitcount 1
                        -j DROP<br>
                        # check to see if it exceeds our rate threshold,<br>
                        # and add it to the list if it does.<br>
                        iptables -A QUERY-CHECK -m hashlimit
                        --hashlimit-mode srcip --hashlimit-name
                        getstatus --hashlimit-above 2/second -j
                        QUERY-BLOCK<br>
                        <br>
                        # look at all the packets going to
                        q3/cod*/et/etc servers<br>
                        iptables -A INPUT -p udp --dport 27960:29000 -j
                        QUERY-CHECK<br>
                        <br>
                        The &quot;recent&quot; module makes it possible to block
                        up to 100 IPs at once with this method (any
                        attackers beyond this would only be
                        rate-limited). That number can be raised when
                        the module is loaded, but I haven&#39;t seen 100
                        attacks happening at once yet (typically it&#39;s
                        maybe 5-20 at once). You can see blocked hosts
                        later by looking at
                        /proc/net/xt_recent/blocked-hosts.<br>
                        <br>
                        (If you don&#39;t have &quot;recent&quot;, you could get away
                        without it -- just be aware that some of the
                        packets will get through, increasing load on the
                        game server. Without &quot;hashlimit&quot;, you&#39;d still
                        see an advantage from the port checks, but you&#39;d
                        need to manually block IPs that are being hit on
                        other ports. Without &quot;string&quot;, you&#39;d similarly
                        be down to just port checks, and need to take
                        out the other rules.)<span><font color="#888888"><br>
                            <br>
                            -John<br>
                          </font></span></div>
                      <br>
                      _______________________________________________<br>
                      cod mailing list<br>
                      <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                      <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff
                          Goas</span><br style="font-family:tahoma,sans-serif">
                        <span style="font-family:tahoma,sans-serif">Systems
                          Engineer</span></font></b></i><br>
                  <br>
                  <br>
                  <br>
                  <pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
                </blockquote>
              </div>
            </div>
          </div>
          <br>
          _______________________________________________<br>
          cod mailing list<br>
          <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
          <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
          <br>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>EscapedTurkey.com Billing and Support<br>
      </div>
      <div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
      <br>
      <br>
      
      <br>
      <pre>_______________________________________________
cod mailing list
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
    </blockquote>
  </div></div></div>

<br>_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>EscapedTurkey.com Billing and Support<br></div><div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>