<div>I support most Q3 engine games. Some go beyond the range specified in the original post.<br></div><div><br></div><div>Can I change:</div><div><br></div><div>iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
</div><div><br></div><div>To:</div><div><br></div><div>iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK<br></div><div><br></div><div>Or will that cause problems? </div><div><br></div><div>Ex: JK2 = 28070, JA = 29070 </div>
<br><div class="gmail_quote">On Thu, Feb 23, 2012 at 9:30 AM, Marco Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <font size="-1"><font face="Verdana">Let us know if that works ;)</font></font><br>
    <br>
    On 23/02/2012 15:20, escapedturkey wrote:
    <div><div class="h5"><blockquote type="cite">Thank you. Much appreciated. =)<br>
      <br>
      <div class="gmail_quote">On Thu, Feb 23, 2012 at 7:33 AM, Marco
        Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">Ehm,<br>
                nope :D<br>
                <br>
                You need all the lines John posted:<br>
                <br>
              </font></font><a href="http://icculus.org/pipermail/cod/2012-January/015861.html" target="_blank">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
            <br>
            To make it work on centos5 / 6, change this line in that ruleset:
            <div><br>
              iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
              <font size="-1"><font face="Verdana"><br>
                  in this way (two different lines):<br>
                  iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
                  iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
                </font></font><br>
            </div>
            <font size="-1"><font face="Verdana">all the other rules
                should be kept as they are :)<br>
              </font></font><br>
            On 23/02/2012 13:10, escapedturkey wrote:
            <div>
              <div>
                <blockquote type="cite">
                  <div>Thank you. I missed those lines.<br>
                  </div>
                  <div><br>
                  </div>
                  <div>Here is what I have so far:</div>
                  <div><br>
                  </div>
                  <div>/sbin/iptables -N QUERY-BLOCK<br>
                    /sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
                    /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
                    /sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div>
                  <div><br>
                  </div>
                  <div>Is this correct? </div>
                  <div><br>
                  </div>
                  <div>Thank you again. =)</div>
                  <br>
                  <div class="gmail_quote">On Thu, Feb 23, 2012 at 5:32
                    AM, Marco Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font face="Verdana">did you issue
                            all the other commands?<br>
                            <br>
                            like:<br>
                            <br>
                          </font></font>
                        <div>iptables -N QUERY-BLOCK<br>
                          iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
                          <br>
                        </div>
                        ?<br>
                        <br>
                        On 23/02/2012 03:54, escapedturkey wrote:
                        <div>
                          <div>
                            <blockquote type="cite">
                              <div>iptables v1.4.7: Couldn&#39;t load target `QUERY-BLOCK&#39;:/lib64/xtables/libipt_QUERY-BLOCK.so: cannot open shared object file: No such file or directory<br>
                              </div>
                              <div><br>
                              </div>
                              <div>Any ideas?</div>
                              <br>
                              <br>
                              <div class="gmail_quote"> On Wed, Feb 22,
                                2012 at 4:51 PM, Marco Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;</span>
                                wrote:<br>
                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                  <div bgcolor="#FFFFFF" text="#000000">
                                    <font size="-1"><font face="Verdana">on
                                        centos5 and centos6<br>
                                        <br>
                                        modifying this line:<br>
                                      </font></font>
                                    <div>iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
                                    </div>
                                    <font size="-1"><font face="Verdana"><br>
                                        in this way (two different lines):<br>
                                        iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
                                        iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
                                        <br>
                                        should mimic the same behaviour<br>
                                      </font></font><br>
                                    On 22/02/2012 18:43, Geoff Goas wrote:
                                    <div>
                                      <div>
                                        <blockquote type="cite">Hi,<br>
                                          <br>
                                          On CentOS 5.5, <i style="font-family:courier new,monospace">--hashlimit-above</i>
                                          is not a valid option for the
                                          &quot;hashlimit&quot; match. Which
                                          version of iptables introduces
                                          this, and how can I mimic that
                                          same ruleset with the options
                                          available to me in version
                                          1.3.5 of iptables?<br>
                                          <br>
                                          Thanks,<br>
                                          <br>
                                          <div class="gmail_quote">On
                                            Fri, Jan 20, 2012 at 7:51
                                            PM, John <span dir="ltr">&lt;<a href="mailto:lists.cod@nuclearfallout.net" target="_blank">lists.cod@nuclearfallout.net</a>&gt;</span>
                                            wrote:<br>
                                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                              <div bgcolor="#FFFFFF" text="#000000">
                                                <div> On 1/20/2012 3:27
                                                  PM, Marco Padovan
                                                  wrote: </div>
                                                <blockquote type="cite"><font size="-1"><font face="Verdana">
                                                      <div>I was
                                                        referring to
                                                        dynamic
                                                        filtering using
                                                        -m recent<br>
                                                        <br>
                                                      </div>
                                                      [not] to manually
                                                      adding IPs O.o</font></font></blockquote>
                                                <br>
                                                Marco&#39;s right about
                                                this. The most effective
                                                way to prevent effects
                                                from these attacks on
                                                Linux is to use a
                                                combination of the
                                                &quot;string&quot;, &quot;hashlimit&quot;,
                                                and &quot;recent&quot; modules.
                                                Done right, the solution
                                                is mostly automatic, so
                                                you shouldn&#39;t need to
                                                manually add IPs.<br>
                                                <br>
                                                These commands, for
                                                instance, would block
                                                external IPs that send
                                                queries at a rate of
                                                2/second or higher:<br>
                                                <br>
                                                 # add a host to the banlist and then drop the packet.<br>
                                                 iptables -N QUERY-BLOCK<br>
                                                 iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
                                                 <br>
                                                 # is this a query packet? if so, block commonly attacked ports outright,<br>
                                                 # then see if it&#39;s a known attacking IP, then see if it is sending at a high<br>
                                                 # rate and should be added to the list of known attacking IPs.<br>
                                                 iptables -N QUERY-CHECK<br>
                                                 iptables -A QUERY-CHECK -p udp -m string ! --string &quot;getstatus&quot; --algo bm --from 32 --to 41 -j RETURN<br>
                                                 iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
                                                 iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
                                                 iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
                                                 iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
                                                 iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
                                                 iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
                                                 # is it already blocked? continue blocking it and update the counter so it<br>
                                                 # gets blocked for at least another 30 seconds.<br>
                                                 iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP<br>
                                                 # check to see if it exceeds our rate threshold,<br>
                                                 # and add it to the list if it does.<br>
                                                 iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
                                                 <br>
                                                 # look at all the packets going to q3/cod*/et/etc servers<br>
                                                 iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
                                                <br>
                                                The &quot;recent&quot; module
                                                makes it possible to
                                                block up to 100 IPs at
                                                once with this method
                                                (any attackers beyond
                                                this would only be
                                                rate-limited). That
                                                number can be raised
                                                when the module is
                                                loaded, but I haven&#39;t
                                                seen 100 attacks
                                                happening at once yet
                                                (typically it&#39;s maybe
                                                5-20 at once). You can
                                                see blocked hosts later
                                                by looking at
                                                /proc/net/xt_recent/blocked-hosts.<br>
                                                <br>
                                                (If you don&#39;t have
                                                &quot;recent&quot;, you could get
                                                away without it -- just
                                                be aware that some of
                                                the packets will get
                                                through, increasing load
                                                on the game server.
                                                Without &quot;hashlimit&quot;,
                                                you&#39;d still see an
                                                advantage from the port
                                                checks, but you&#39;d need
                                                to manually block IPs
                                                that are being hit on
                                                other ports. Without
                                                &quot;string&quot;, you&#39;d
                                                similarly be down to
                                                just port checks, and
                                                need to take out the
                                                other rules.)<span><font color="#888888"><br>
                                                    <br>
                                                    -John<br>
                                                  </font></span></div>
                                              <br>
_______________________________________________<br>
                                              cod mailing list<br>
                                              <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                                              <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                                              <br>
                                            </blockquote>
                                          </div>
                                          <br>
                                          <br clear="all">
                                          <br>
                                          -- <br>
                                           <i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif"><span style="font-family:tahoma,sans-serif">Systems Engineer</span></font></b></i><br>
                                          <br>
                                          <br>
                                          <br>
                                        </blockquote>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                              <br>
                              <br clear="all">
                              <br>
                              -- <br>
                              <div>EscapedTurkey.com Billing and Support<br>
                              </div>
                              <div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
                              <br>
                              <br>
                              <br>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <div>EscapedTurkey.com Billing and Support<br>
                  </div>
                  <div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
                  <br>
                  <br>
                  <br>
                </blockquote>
              </div>
            </div>
          </div>
          <br>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>EscapedTurkey.com Billing and Support<br>
      </div>
      <div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
      <br>
      <br>
      
      <br>
    </blockquote>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><br>-- <br><div>EscapedTurkey.com Billing and Support<br></div><div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
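The chains John posted, together with Marco's two-line replacement for --hashlimit-above, as an added example that is not code from the list or from any of the posters: a Python model of the QUERY-CHECK / QUERY-BLOCK rules run over constructed packets, so the interplay of the string, hashlimit and recent matches can be traced without a root shell. It assumes a 20-byte IPv4 header plus an 8-byte UDP header (so xt_string's --from 32 --to 41 lands on payload bytes 4..13), the iptables default --hashlimit-burst of 5, xt_recent's default ip_list_tot of 100, and that a packet the chain RETURNs is accepted by the rest of INPUT. The addresses, ports and payloads are constructed; the dport range is a parameter so the narrower and wider INPUT rules from the top of the thread can be compared on the same traffic.

```python
"""Model of the QUERY-CHECK / QUERY-BLOCK chains from the thread, run on
constructed packets.  Added example, not code from the list or any poster;
assumptions are marked in comments."""
from dataclasses import dataclass, field

# Source ports John's rules drop outright (replies to queries "from" these
# ports would bounce at another service).
DROPPED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777),
                  (27015, 27100), (25200, 25200), (25565, 25565)]
# Assumption: 20-byte IPv4 + 8-byte UDP header, so xt_string's "--from 32
# --to 41" is payload bytes 4..13: the "getstatus" after the four 0xFF bytes.
IP_UDP_HDR, WIN_FROM, WIN_TO = 28, 32, 41
HASHLIMIT_RATE, HASHLIMIT_BURST = 2.0, 5.0  # --hashlimit 2/s, default burst 5
RECENT_SECONDS, RECENT_LIST_TOT = 30, 100   # --seconds 30, default ip_list_tot


@dataclass
class Packet:
    src: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class State:
    buckets: dict = field(default_factory=dict)  # hashlimit: src -> (tokens, last)
    blocked: dict = field(default_factory=dict)  # recent blocked-hosts: src -> last seen


def is_getstatus(p: Packet) -> bool:
    """-m string --string getstatus --from 32 --to 41 (case-sensitive, as xt_string is without --icase)."""
    return b"getstatus" in p.payload[WIN_FROM - IP_UDP_HDR:WIN_TO - IP_UDP_HDR + 1]


def hashlimit_allows(st: State, src: str, now: float) -> bool:
    """--hashlimit 2/s as a per-source token bucket; --hashlimit-above 2/s is its negation."""
    tokens, last = st.buckets.get(src, (HASHLIMIT_BURST, now))
    tokens = min(HASHLIMIT_BURST, tokens + (now - last) * HASHLIMIT_RATE)
    allowed = tokens >= 1.0
    st.buckets[src] = (tokens - 1.0 if allowed else tokens, now)
    return allowed


def recent_set(st: State, src: str, now: float) -> None:
    """--set: add or refresh src, evicting the least recently seen entry once the list is full."""
    st.blocked.pop(src, None)
    if len(st.blocked) >= RECENT_LIST_TOT:
        del st.blocked[min(st.blocked, key=st.blocked.get)]
    st.blocked[src] = now


def recent_update(st: State, src: str, now: float) -> bool:
    """--update --seconds 30 --hitcount 1: match if seen within 30 s, refreshing the timestamp."""
    last = st.blocked.get(src)
    if last is None or now - last > RECENT_SECONDS:
        return False
    recent_set(st, src, now)
    return True


def query_check(st: State, p: Packet, now: float) -> str:
    """Walk the QUERY-CHECK chain; 'RETURN' hands the packet back to INPUT."""
    if not is_getstatus(p):
        return "RETURN"            # not a query: the chain never touches it
    if any(lo <= p.sport <= hi for lo, hi in DROPPED_SPORTS):
        return "DROP"              # source port of a likely reflection target
    if recent_update(st, p.src, now):
        return "DROP"              # still on blocked-hosts
    if hashlimit_allows(st, p.src, now):
        return "RETURN"            # Marco's two-line form: within rate -> RETURN
    recent_set(st, p.src, now)     # QUERY-BLOCK: ban the source, then drop
    return "DROP"


def input_chain(st: State, p: Packet, now: float, dports=(27960, 29000)) -> str:
    """-A INPUT -p udp --dport LO:HI -j QUERY-CHECK; assumption: a returned packet is accepted."""
    if dports[0] <= p.dport <= dports[1] and query_check(st, p, now) == "DROP":
        return "DROP"
    return "ACCEPT"


def run(events, dports=(27960, 29000)):
    """events: (time, Packet) pairs; one verdict per event, in time order."""
    st = State()
    return [input_chain(st, p, t, dports) for t, p in sorted(events, key=lambda e: e[0])]


GETSTATUS = b"\xff\xff\xff\xffgetstatus\n"       # constructed Quake 3 query
GAME_DATA = b"\x12\x34\x00\x01some-game-data"    # constructed non-query traffic


def scenario():
    """Constructed traffic: a burst, spoofed queries, a polite client, the burst source later."""
    flood, spoof, polite = "198.51.100.7", "203.0.113.5", "192.0.2.10"
    ev = [(0.0, Packet(flood, 40000, 28960, GETSTATUS)) for _ in range(8)]
    ev.append((0.0, Packet(spoof, 27015, 28960, GETSTATUS)))    # inside 27960:29000
    ev.append((0.0, Packet(spoof, 27015, 29070, GETSTATUS)))    # JA port, outside it
    ev += [(float(i), Packet(polite, 50000, 28960, GETSTATUS)) for i in range(4)]
    ev.append((20.0, Packet(flood, 40000, 28960, GETSTATUS)))   # within 30 s: still banned
    ev.append((21.0, Packet(flood, 40000, 28960, GAME_DATA)))   # non-query: unaffected
    ev.append((45.0, Packet(flood, 40000, 28960, GETSTATUS)))   # 25 s after refresh
    ev.append((80.0, Packet(flood, 40000, 28960, GETSTATUS)))   # 35 s later: ban lapsed
    return ev
```

Running `run(scenario())` shows the burst source getting its first five queries through (the hashlimit burst), being added to blocked-hosts on the sixth, and staying dropped for as long as it keeps querying inside the 30 s window, while its non-query traffic and the once-a-second client are untouched; with `dports=(27000, 30000)` the spoofed query aimed at the Jedi Academy port is also dropped, because the INPUT rule only decides which packets QUERY-CHECK inspects. One caveat the model makes visible: xt_string matches case-sensitively unless the rule adds --icase, and the Quake 3 engine compares out-of-band commands case-insensitively (Q_stricmp), so a query spelled getStatus passes John's string rule and still gets answered; adding --icase to that rule closes the gap.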