In regards to destination matching, yes.<br><br><div class="gmail_quote">On Tue, Feb 28, 2012 at 11:28 AM, escapedturkey <span dir="ltr">&lt;<a href="mailto:escapedturkey@escapedturkey.com">escapedturkey@escapedturkey.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>The original script appears to cover the main IP address and all aliased IP addresses. Is this true?</div>

<div class="HOEnZb"><div class="h5"><div><br></div><br><div class="gmail_quote">On Tue, Feb 28, 2012 at 9:42 AM, Geoff Goas <span dir="ltr">&lt;<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I wouldn&#39;t say that its decreasing the effectiveness... I was getting false positives when just using srcip mode because people (including myself) monitor all of the servers, so they get queried all at once. It still works just as great, blocking the abusers and letting the non-abusers query as much as they want.<br>

<br>Here are my CentOS rules (copied from /etc/sysconfig/iptables)...<br><br>-A INPUT -p udp -m udp --dport 27960:30000 -j QUERY-CHECK <br>-A QUERY-BLOCK -m recent --set --name blocked-hosts --rsource -j DROP <br>-A QUERY-CHECK -s <a href="http://208.100.38.104/29" target="_blank">208.100.38.104/29</a> -p udp -m udp -j RETURN <br>

-A QUERY-CHECK -s <a href="http://67.202.93.155/32" target="_blank">67.202.93.155/32</a> -p udp -m udp -j RETURN <br>-A QUERY-CHECK -p udp -m string ! --string &quot;getstatus&quot; --algo bm --from 31 --to 65535 -j RETURN <br>

-A QUERY-CHECK -p udp -m udp --sport 0:1025 -j DROP <br>

-A QUERY-CHECK -p udp -m udp --sport 3074 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 4000 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 7777 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 9987 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 15541 -j DROP <br>

-A QUERY-CHECK -p udp -m udp --sport 27005:27100 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 25200 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 25565 -j DROP <br>-A QUERY-CHECK -p udp -m udp --sport 45000 -j DROP <br>

-A QUERY-CHECK -p udp -m udp --sport 50000 -j DROP <br>-A QUERY-CHECK -m recent --update --seconds 30 --hitcount 1 --name blocked-hosts --rsource -j DROP <br>-A QUERY-CHECK -m hashlimit --hashlimit 2/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstip --hashlimit-name getstatus --hashlimit-htable-expire 30000 -j RETURN <br>

-A QUERY-CHECK -j QUERY-BLOCK<br><br>Besides the changes already mentioned, I added a few more source ports that I saw were being used. My server IP&#39;s are <a href="http://208.100.38.104/29" target="_blank">208.100.38.104/29</a> and <a href="http://67.202.93.155/32" target="_blank">67.202.93.155/32</a> so those are excluded. I also bumped the hashlimit-burst from a default of 5 to 10, and modified the port range on the INPUT rule. Please note that if your --to and --from string matching is working already, then don&#39;t pay attention to my values. I&#39;m still not sure why 32 and 41 don&#39;t work...<div>

<div><br>

<br><div class="gmail_quote">On Tue, Feb 28, 2012 at 6:12 AM, Marco Padovan <span dir="ltr">&lt;<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

  <div bgcolor="#FFFFFF" text="#000000">

    <br>

    Why should you decrease the filter effectiveness?<br>

    <br>

    Iptables filtering works better then the patched binaries because it

    monitor all the servers on all the ports and all the ips....<br>

    <br>

    Il 28/02/2012 12:09, escapedturkey ha scritto:

    <div><div><blockquote type="cite">

      <div>Can you please share your changes? I assumed the rules would

        cover multiple IP aliases. This is incorrect?<br>

      </div>

      <div><br>

      </div>

      <div>Thanks. =)</div>

      <br>

      <div class="gmail_quote">On Tue, Feb 28, 2012 at 2:47 AM, Geoff

        Goas <span dir="ltr">&lt;<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>&gt;</span>

        wrote:<br>

        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Well I can

          say the iptables rules have been running fantastically. I

          added a few tweaks such as not blocking the server&#39;s own set

          of IP&#39;s (there are quite a few internal queries going on), and

          also setting the hashlimit-mode to be based on source and

          destination IP since I have different server instances on

          different addresses, and I wanted a little more granularity to

          the matching. My ingress rates are still noticeably higher

          than they used to be, but at least the outbound bandwidth

          isn&#39;t being exploited anymore.<br>

          <br>

          Does anyone know the default value for

          hashlimit-htable-expire? I haven&#39;t been able to find it, so

          I&#39;ve manually set it to 30 seconds.

          <div>

            <div><br>

              <br>

              <div class="gmail_quote"><br>

                <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

                  <div bgcolor="white" link="blue" vlink="purple" lang="NL">

                    <div>

                      <div>

                        <div>

                          <p class="MsoNormal">

                            On 02/24/2012 03:38 PM, River Hosting wrote:

                          </p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">Hello

                              again guys,</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)"> </span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">I

                              was adding some new rules into the

                              firewall and it looks like

                              the flooding has stopped!</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)"> </span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">Now

                              using;</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">-

                              <i>serverark</i> (recently posted on this

                              list)</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">-

                              <i>getstatus_ban.sh</i> (recently posted

                              aswell)</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">-

                              <i>iptables</i></span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)"> </span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">Since

                              this morning the traffic dropped from 6

                              Mbit/s to 45 Kb/s.</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">When

                              filtering, shutting down all gameservers

                              running on your

                              box for about 24-48 hours may do the

                              trick. After that time just reboot them

                              and let the magic happen... :)</span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)"> </span></p>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)"> </span></p>

                          <div>

                            <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">Met

                                vriendelijke groeten,</span></p>

                            <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)">With

                                kind regards,<br>

                                <br>

                                Julian Maartens<br>

                                River Hosting<br>

                                <br>

                              </span><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:gray"><a href="mailto:info@riverhosting.nl" target="_blank"><span style="color:gray;text-decoration:none">info@riverhosting.nl</span></a></span><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(166,166,166)"><br>

                              </span><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:gray"><a href="http://www.riverhosting.nl/" target="_blank"><span style="color:gray;text-decoration:none">http://www.riverhosting.nl</span></a></span></p>

                          </div>

                          <p class="MsoNormal"><span style="font-size:11pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:rgb(31,73,125)"> </span></p>

                          <div>

                            <div style="border-width:1pt medium medium;border-style:solid none none;border-color:rgb(181,196,223) -moz-use-text-color -moz-use-text-color;padding:3pt 0cm 0cm">

                              <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">Van:</span></b><span style="font-size:10pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">

                                  Marco Padovan [<a href="mailto:evcz@evcz.tk" target="_blank">mailto:evcz@evcz.tk</a>]

                                  <br>

                                  <b>Verzonden:</b> vrijdag 24 februari

                                  2012 14:05<br>

                                  <b>Aan:</b> Call of Duty server admin

                                  list.<br>

                                  <b>Onderwerp:</b> Re: [cod] CoD2 UDP

                                  flood</span></p>

                            </div>

                          </div>

                          <p class="MsoNormal"> </p>

                          <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">You

can

                              either use the one you linked from

                              modsrepository or the more

                              &quot;complex&quot; one that was posted on this list</span><br>

                            <br>

                            Il 24/02/2012 14:03, <a href="mailto:david.lauriou@wanadoo.fr" target="_blank">david.lauriou@wanadoo.fr</a>

                            ha scritto: </p>

                          <div>

                            <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">the

rules

                                is ?</span></p>

                          </div>

                          <div>

                            <p class="MsoNormal"> </p>

                          </div>

                          <blockquote style="border-width:medium medium medium 1.5pt;border-style:none none none solid;border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color black;padding:0cm 0cm 0cm 4pt;margin:5pt 0cm 5pt 3.75pt">

                            <div>

                              <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----

Original

                                  Message ----- </span></p>

                            </div>

                            <div>

                              <p class="MsoNormal" style="background:none repeat scroll 0% 0% rgb(228,228,228)"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                  <a href="mailto:evcz@evcz.tk" title="evcz@evcz.tk" target="_blank">Marco

                                    Padovan</a> </span></p>

                            </div>

                            <div>

                              <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                  <a href="mailto:cod@icculus.org" title="cod@icculus.org" target="_blank">cod@icculus.org</a>

                                </span></p>

                            </div>

                            <div>

                              <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                  Friday, February 24,

                                  2012 2:00 PM</span></p>

                            </div>

                            <div>

                              <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                  Re: [cod] CoD2 UDP

                                  flood</span></p>

                            </div>

                            <div>

                              <p class="MsoNormal"> </p>

                            </div>

                            <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">that

rule

                                is very basic.<br>

                                <br>

                                cod1, cod1.5, cod2 and cod4 all suffer

                                the same problem and are exploited in

                                the

                                same exact way.<br>

                                <br>

                                So an iptables that fixes the cod4

                                problem works also for cod2 and cod1<br>

                              </span><br>

                              Il 24/02/2012 13:51, <a href="mailto:david.lauriou@wanadoo.fr" target="_blank">david.lauriou@wanadoo.fr</a>

                              ha scritto: </p>

                            <div>

                              <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">i&#39;ve

find

                                  this : <a href="http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers" target="_blank">http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers</a><br>

                                  <br>

                                  its for cod4 not for COD2 !</span></p>

                            </div>

                            <div>

                              <p class="MsoNormal"> </p>

                            </div>

                            <blockquote style="border-width:medium medium medium 1.5pt;border-style:none none none solid;border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color black;padding:0cm 0cm 0cm 4pt;margin:5pt 0cm 5pt 3.75pt">

                              <div>

                                <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----

Original

                                    Message ----- </span></p>

                              </div>

                              <div>

                                <p class="MsoNormal" style="background:none repeat scroll 0% 0% rgb(228,228,228)"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                    <a href="mailto:evcz@evcz.tk" title="evcz@evcz.tk" target="_blank">Marco Padovan</a>

                                  </span></p>

                              </div>

                              <div>

                                <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                    <a href="mailto:cod@icculus.org" title="cod@icculus.org" target="_blank">cod@icculus.org</a>

                                  </span></p>

                              </div>

                              <div>

                                <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                    Friday, February 24,

                                    2012 1:49 PM</span></p>

                              </div>

                              <div>

                                <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                    Re: [cod] CoD2 UDP

                                    flood</span></p>

                              </div>

                              <div>

                                <p class="MsoNormal"> </p>

                              </div>

                              <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">NO!<br>

                                  <br>

                                  Read the messages that got posted in

                                  the last 2 days...<br>

                                  <br>

                                  This should be a proper ruleset:<br>

                                </span><a href="http://icculus.org/pipermail/cod/2012-February/015927.html" target="_blank">http://icculus.org/pipermail/cod/2012-February/015927.html</a><br>

                                <br>

                                Il 24/02/2012 13:47, <a href="mailto:david.lauriou@wanadoo.fr" target="_blank">david.lauriou@wanadoo.fr</a>

                                ha scritto: </p>

                              <div>

                                <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">like

this

                                    ?</span></p>

                              </div>

                              <div>

                                <p class="MsoNormal"> </p>

                              </div>

                              <div>

                                <pre>IPTABLES -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod</pre>

                                <pre>IPTABLES -A INPUT -p UDP -m string --algo bm --string &quot;getstatus&quot; -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP</pre>

                              </div>

                              <blockquote style="border-width:medium medium medium 1.5pt;border-style:none none none solid;border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color black;padding:0cm 0cm 0cm 4pt;margin:5pt 0cm 5pt 3.75pt">

                                <div>

                                  <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----

Original

                                      Message ----- </span></p>

                                </div>

                                <div>

                                  <p class="MsoNormal" style="background:none repeat scroll 0% 0% rgb(228,228,228)"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                      <a href="mailto:evcz@evcz.tk" title="evcz@evcz.tk" target="_blank">Marco Padovan</a>

                                    </span></p>

                                </div>

                                <div>

                                  <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                      <a href="mailto:cod@icculus.org" title="cod@icculus.org" target="_blank">Call of Duty

                                        server admin

                                        list.</a> </span></p>

                                </div>

                                <div>

                                  <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                      Friday, February 24,

                                      2012 1:35 PM</span></p>

                                </div>

                                <div>

                                  <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                      Re: [cod] CoD2 UDP

                                      flood</span></p>

                                </div>

                                <div>

                                  <p class="MsoNormal"> </p>

                                </div>

                                <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">iptables

                                    rules</span><br>

                                  <br>

                                  Il 24/02/2012 13:28, <a href="mailto:david.lauriou@wanadoo.fr" target="_blank">david.lauriou@wanadoo.fr</a>

                                  ha scritto: </p>

                                <div>

                                  <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">for

COD4

                                      what is the best method to remove

                                      udp Flooding exploit ?</span></p>

                                </div>

                                <div>

                                  <p class="MsoNormal"> </p>

                                </div>

                                <blockquote style="border-width:medium medium medium 1.5pt;border-style:none none none solid;border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color black;padding:0cm 0cm 0cm 4pt;margin:5pt 0cm 5pt 3.75pt">

                                  <div>

                                    <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----

Original

                                        Message ----- </span></p>

                                  </div>

                                  <div>

                                    <p class="MsoNormal" style="background:none repeat scroll 0% 0% rgb(228,228,228)"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                        <a href="mailto:evcz@evcz.tk" title="evcz@evcz.tk" target="_blank">Marco Padovan</a>

                                      </span></p>

                                  </div>

                                  <div>

                                    <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                        <a href="mailto:cod@icculus.org" title="cod@icculus.org" target="_blank">Call of Duty

                                          server admin

                                          list.</a> </span></p>

                                  </div>

                                  <div>

                                    <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                        Friday, February 24,

                                        2012 12:10 PM</span></p>

                                  </div>

                                  <div>

                                    <p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span style="font-size:10pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">

                                        Re: [cod] CoD2 UDP

                                        flood</span></p>

                                  </div>

                                  <div>

                                    <p class="MsoNormal"> </p>

                                  </div>

                                  <p class="MsoNormal"><span style="font-size:10pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">Be

aware

                                      that there are two different ways

                                      to talk about offset: packet

                                      offset

                                      (includes header) and payload

                                      offset</span> (does not include

                                    header)<br>

                                    <br>

                                    Il 24/02/2012 10:41, Geoff Goas ha

                                    scritto: </p>

                                  <p class="MsoNormal" style="margin-bottom:12pt">You&#39;re

                                    right, and I see my

                                    error. That is frustrating because I

                                    have no idea why it doesn&#39;t work

                                    with the

                                    offset specified then.</p>

                                  <div>

                                    <p class="MsoNormal">On Fri, Feb 24,

                                      2012 at 4:10 AM, Luca Farflame

                                      Fabbro &lt;<a href="mailto:farflame@cybergames.it" target="_blank">farflame@cybergames.it</a>&gt;

                                      wrote:</p>

                                    <div>

                                      <div>

                                        <p class="MsoNormal">Try this

                                          command</p>

                                      </div>

                                      <p class="MsoNormal">tcpdump -c 4

                                        -nnvvvXS dst port 28960 </p>

                                      <div>

                                        <p class="MsoNormal">where port

                                          is the port that you want to

                                          monitor</p>

                                      </div>

                                      <div>

                                        <p class="MsoNormal">should be

                                          something like</p>

                                      </div>

                                      <div>

                                        <p class="MsoNormal"> </p>

                                      </div>

                                      <div>

                                        <div>

                                          <p class="MsoNormal">       

                                            0x0000:  4500 002b 35b3

                                            0000 7511 179b b612 80ad

                                             E..+5...u.......</p>

                                        </div>

                                        <div>

                                          <p class="MsoNormal">       

                                            0x0010:  c0a8 010c 7012

                                            7120 0017 0000 ffff ffff

                                             ....p.q.........</p>

                                        </div>

                                        <div>

                                          <p class="MsoNormal">       

                                            0x0020:  6765 7473 7461

                                            7475 730a 0000 0000      

                                            getstatus.....</p>

                                        </div>

                                      </div>

                                      <div>

                                        <div>

                                          <div>

                                            <p class="MsoNormal"> </p>

                                          </div>

                                          <div>

                                            <p class="MsoNormal">On Feb

                                              24, 2012, at 9:54 AM,

                                              Geoff Goas wrote:</p>

                                          </div>

                                          <div>

                                            <div>

                                              <p class="MsoNormal"><br>

                                                <br>

                                                <br>

                                                <br>

                                              </p>

                                              <p class="MsoNormal" style="margin-bottom:12pt">That

                                                is strange, because if I

                                                use those values, it

                                                does not work. If I use

                                                &quot;--from 31&quot; alone, then

                                                it works. As soon as I

                                                change that to 32, it

                                                stops working. When I

                                                inspect the

                                                packets in Wireshark,

                                                the &quot;getstatus&quot; string

                                                starts at offset 48 if

                                                counting from 1. Would

                                                there be a way for

                                                iptables to print to log

                                                what it sees

                                                in the specified offset

                                                range?</p>

                                              <div>

                                                <p class="MsoNormal">On

                                                  Fri, Feb 24, 2012 at

                                                  3:28 AM, Luca Farflame

                                                  Fabbro &lt;<a href="mailto:farflame@cybergames.it" target="_blank">farflame@cybergames.it</a>&gt;

                                                  wrote:</p>

                                                <div>

                                                  <p class="MsoNormal">It

                                                    doesn&#39;t matter the

                                                    length of the

                                                    packet.  </p>

                                                  <div>

                                                    <p class="MsoNormal">That

                                                      rule will try to

                                                      find the string

                                                      &quot;gestatus&quot;

                                                      starting at

                                                      position 32 bytes

                                                      from start of

                                                      packet and

                                                      searching for it

                                                      at

                                                      maximum at

                                                      position 41.</p>

                                                  </div>

                                                  <div>

                                                    <p class="MsoNormal">The

                                                      Q3 protocol for

                                                      that command

                                                      expects the string

                                                      to be in

                                                      that range.</p>

                                                    <div>

                                                      <p class="MsoNormal"> </p>

                                                      <div>

                                                        <div>

                                                          <div>

                                                          <p class="MsoNormal">On

                                                          Feb 24, 2012,

                                                          at 1:11 AM,

                                                          Geoff Goas

                                                          wrote:</p>

                                                          </div>

                                                          <p class="MsoNormal"> </p>

                                                        </div>

                                                        <blockquote style="margin-top:5pt;margin-bottom:5pt">

                                                          <div>

                                                          <p class="MsoNormal" style="margin-bottom:12pt">Is the offset range of 32-41

                                                          based on a

                                                          60-byte

                                                          packet?</p>

                                                          <div>

                                                          <p class="MsoNormal">On

                                                          Thu, Feb 23,

                                                          2012 at 10:34

                                                          AM, Marco

                                                          Padovan &lt;<a href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;

                                                          wrote:</p>

                                                          <div>

                                                          <p class="MsoNormal" style="margin-bottom:12pt">iptables -A INPUT -p udp -m

                                                          string

                                                          --string

                                                          &quot;getstatus&quot;

                                                          --algo bm

                                                          --from 32 --to

                                                          41 -j DROP</p>

                                                          </div>

                                                          </div>

                                                          </div>

                                                          <div>

                                                          <p class="MsoNormal">--

                                                          <br>

                                                          <b><i><span style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Geoff

                                                          Goas<br>

                                                          Systems

                                                          Engineer</span></i></b><br>

                                                          <br>

_______________________________________________<br>

                                                          cod mailing

                                                          list<br>

                                                          <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                                          <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                                                          </div>

                                                        </blockquote>

                                                      </div>

                                                      <p class="MsoNormal"> </p>

                                                    </div>

                                                  </div>

                                                </div>

                                                <p class="MsoNormal" style="margin-bottom:12pt"><br>

_______________________________________________<br>

                                                  cod mailing list<br>

                                                  <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                                  <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                                              </div>

                                              <p class="MsoNormal"><br>

                                                <br clear="all">

                                                <br>

                                                -- <br>

                                                <b><i><span style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Geoff

                                                      Goas<br>

                                                      Systems Engineer</span></i></b><br>

                                                <br>

_______________________________________________<br>

                                                cod mailing list<br>

                                                <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                                <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                                            </div>

                                            <p class="MsoNormal"> </p>

                                          </div>

                                        </div>

                                      </div>

                                    </div>

                                    <p class="MsoNormal" style="margin-bottom:12pt"><br>

_______________________________________________<br>

                                      cod mailing list<br>

                                      <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                      <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                                  </div>

                                  <p class="MsoNormal"><br>

                                    <br clear="all">

                                    <br>

                                    -- <br>

                                    <b><i><span style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Geoff

                                          Goas<br>

                                          Systems Engineer</span></i></b><br>

                                    <br>

                                    <br>

                                    <br>

                                    <br>

                                    <br>

                                    <br>

                                  </p>

                                  <pre>_______________________________________________</pre>

                                  <pre>cod mailing list</pre>

                                  <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                                  <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                                  <div class="MsoNormal" style="text-align:center" align="center">

                                    <hr size="2" width="100%" align="center">

                                  </div>

                                  <p class="MsoNormal">_______________________________________________<br>

                                    cod mailing list<br>

                                    <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                    <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                                </blockquote>

                                <p class="MsoNormal"><br>

                                  <br>

                                  <br>

                                  <br>

                                  <br>

                                </p>

                                <pre>_______________________________________________</pre>

                                <pre>cod mailing list</pre>

                                <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                                <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                                <div class="MsoNormal" style="text-align:center" align="center">

                                  <hr size="2" width="100%" align="center">

                                </div>

                                <p class="MsoNormal">_______________________________________________<br>

                                  cod mailing list<br>

                                  <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                  <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                              </blockquote>

                              <p class="MsoNormal"><br>

                                <br>

                                <br>

                                <br>

                                <br>

                              </p>

                              <pre>_______________________________________________</pre>

                              <pre>cod mailing list</pre>

                              <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                              <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                              <div class="MsoNormal" style="text-align:center" align="center">

                                <hr size="2" width="100%" align="center">

                              </div>

                              <p class="MsoNormal">_______________________________________________<br>

                                cod mailing list<br>

                                <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                                <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                            </blockquote>

                            <p class="MsoNormal"><br>

                              <br>

                              <br>

                              <br>

                              <br>

                            </p>

                            <pre>_______________________________________________</pre>

                            <pre>cod mailing list</pre>

                            <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                            <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                            <div class="MsoNormal" style="text-align:center" align="center">

                              <hr size="2" width="100%" align="center">

                            </div>

                            <p class="MsoNormal">_______________________________________________<br>

                              cod mailing list<br>

                              <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                              <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>

                          </blockquote>

                          <p class="MsoNormal"><br>

                            <br>

                            <br>

                            <br>

                            <br>

                          </p>

                          <pre>_______________________________________________</pre>

                          <pre>cod mailing list</pre>

                          <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                          <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                          <p class="MsoNormal"><br>

                            <br>

                            <br>

                            <br>

                          </p>

                          <pre>_______________________________________________</pre>

                          <pre>cod mailing list</pre>

                          <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                          <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                          <p class="MsoNormal"><br>

                            <br>

                            <br>

                          </p>

                          <pre>_______________________________________________</pre>

                          <pre>cod mailing list</pre>

                          <pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre>

                          <pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>

                        </div>

                      </div>

                    </div>

                  </div>

                  <br>

                  _______________________________________________<br>

                  cod mailing list<br>

                  <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

                  <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>

                  <br>

                </blockquote>

                <br>

              </div>

              <br>

              <br clear="all">

              <br>

              -- <br>

              <i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif">

                    <span style="font-family:tahoma,sans-serif">Systems

                      Engineer</span></font></b></i><br>

              <br>

            </div>

          </div>

          <br>

          _______________________________________________<br>

          cod mailing list<br>

          <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

          <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>

          <br>

        </blockquote>

      </div>

      <br>

      <br clear="all">

      <br>

      -- <br>

      <div>EscapedTurkey.com Billing and Support<br>

      </div>

      <div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>

      <br>

      <br>

      <br>

      <pre>_______________________________________________

cod mailing list

<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>

<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>

</pre>

    </blockquote>

  </div></div></div>

<br>_______________________________________________<br>

cod mailing list<br>

<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>

<br></blockquote></div><br><br clear="all"><br>-- <br><i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif"><span style="font-family:tahoma,sans-serif">Systems Engineer</span></font></b></i><br>

<br>

</div></div><br>_______________________________________________<br>

cod mailing list<br>

<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>

<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>

<br></blockquote></div><br><br clear="all"><br>-- <br><div>EscapedTurkey.com Billing and Support<br></div><div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>

<br>

</div></div><br>_______________________________________________<br>

cod mailing list<br>

<a href="mailto:cod@icculus.org">cod@icculus.org</a><br>

<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>

<br></blockquote></div><br><br clear="all"><br>-- <br><i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff Goas</span><br style="font-family:tahoma,sans-serif"><span style="font-family:tahoma,sans-serif">Systems Engineer</span></font></b></i><br>

<br>