pimpmyname
Junior Member
Join Date: Jul 2021
02-26-2023, 08:52   Re: [A2S]Attacks on my server CS:GO
#8

Last year there was an update that messed up A2S queries and I found a fix for it:

Create chains (replace SERVERPORT with your server's UDP port in every rule below):

iptables -N Filter-DROP
iptables -N Filter-GAME

(EDIT)
# Update rule: if the source is already in the "vse" recent list with 5 or more hits in the last 30 seconds, drop the packet and refresh the timer, so an IP that keeps sending stays dropped. Make sure this is at the top of the INPUT chain:
iptables -A INPUT -p udp -m udp --dport SERVERPORT -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

# The string "TSource Engine Query" (A2S_INFO, header bytes ff ff ff ff 54) has matched, send it through the filter chain:
iptables -A INPUT -p udp -m udp --dport SERVERPORT -m string --hex-string "|ffffffff54|" --algo kmp -j Filter-GAME

# Block service ports: a query with a privileged source port (0-1023) is not coming from a normal game client:
iptables -A Filter-GAME -p udp -m udp --sport 0:1023 -j Filter-DROP

# A2S attack prevention. If you are running a single server then change "--hashlimit-mode srcip,dstport" to "--hashlimit-mode srcip". Note that --hashlimit-burst is a packet count, not a rate:
iptables -A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-name StopDoS --hashlimit-mode srcip,dstport --hashlimit-above 8/sec --hashlimit-burst 16 -j Filter-DROP

# Exit the Filter-GAME chain:
iptables -A Filter-GAME -p udp -m udp -j RETURN

# Add the source to the "vse" recent list (so the update rule at the top catches it from now on) and drop:
iptables -A Filter-DROP -p udp -m udp -m recent --set --name vse --rsource -j DROP

# After the server port has been filtered, accept the rest of the server port traffic:
iptables -A INPUT -p udp -m udp --dport SERVERPORT -j ACCEPT



And try these as well:
sv_max_queries_sec 5
sv_max_queries_sec_global 10
sv_max_queries_window 10


The hashlimit is the main cause of the issues you're experiencing. If it didn't work, then try changing:
--hashlimit-above 8/sec --hashlimit-burst 16 to lower values like:
--hashlimit-above 7/sec --hashlimit-burst 14
--hashlimit-above 6/sec --hashlimit-burst 12
--hashlimit-above 5/sec --hashlimit-burst 10

But just remember: if you lower the values, keep an eye on the server and see if people's connections time out. You can monitor dropped traffic with "watch -n1 iptables -vnL".

Last edited by pimpmyname; 02-27-2023 at 02:16. Reason: mistake
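The A2S_INFO exchange that the rules in the post above have to let through, as an added example that is not part of the original post or of any project's code. Since late 2020 a Source server answers an A2S_INFO query that carries no (or a wrong) challenge with a 9-byte S2C_CHALLENGE packet and only sends the full info reply once the client repeats the query with the 4-byte challenge appended. The script below simulates both sides in-process so it runs offline, checks that both the first query and the retry contain the ff ff ff ff 54 bytes the --hex-string rule matches (while the challenge reply does not), and compares how many bytes an unsolicited, spoofable query gets back with what a completed exchange returns. FakeServer, its server details and the challenge value are constructed here and stand in for a real game server.

```python
#!/usr/bin/env python3
"""Added example, not code from the post: the A2S_INFO request/challenge/reply
exchange, simulated in-process. FakeServer and its data are constructed."""
import os
import struct
from typing import Optional, Tuple

HEADER = b"\xff\xff\xff\xff"              # "single packet" prefix on every A2S datagram
A2S_INFO = b"T"                           # 0x54: the byte the iptables rule keys on after the header
S2C_CHALLENGE = b"A"                      # 0x41: server demands that the challenge be echoed
S2A_INFO = b"I"                           # 0x49: the actual info reply
INFO_PAYLOAD = b"Source Engine Query\x00"
FILTER_PATTERN = bytes.fromhex("ffffffff54")   # same bytes as --hex-string "|ffffffff54|"


def build_info_request(challenge: bytes = b"") -> bytes:
    """A2S_INFO request; on the retry the 4-byte challenge is appended."""
    return HEADER + A2S_INFO + INFO_PAYLOAD + challenge


def rule_matches(datagram: bytes) -> bool:
    """What the string match in the INPUT rule sees: ff ff ff ff 54 anywhere in the payload."""
    return FILTER_PATTERN in datagram


def _cstring(buf: bytes, off: int) -> Tuple[str, int]:
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("utf-8", "replace"), end + 1


def parse_info_response(datagram: bytes) -> dict:
    """Decode the leading fields of an S2A_INFO reply."""
    if not datagram.startswith(HEADER + S2A_INFO):
        raise ValueError("not an S2A_INFO datagram")
    off = len(HEADER) + 1
    protocol = datagram[off]
    off += 1
    name, off = _cstring(datagram, off)
    game_map, off = _cstring(datagram, off)
    folder, off = _cstring(datagram, off)
    game, off = _cstring(datagram, off)
    appid, players, max_players, bots = struct.unpack_from("<HBBB", datagram, off)
    return {"protocol": protocol, "name": name, "map": game_map, "folder": folder,
            "game": game, "appid": appid, "players": players,
            "max_players": max_players, "bots": bots}


class FakeServer:
    """Stand-in (constructed) for a Source server after the challenge change: an
    A2S_INFO without the right challenge gets a 9-byte S2C_CHALLENGE, not the info."""

    def __init__(self, name: str = "constructed test server",
                 game_map: str = "de_dust2", players: int = 3):
        self.challenge = os.urandom(4)           # real servers derive this per client
        body = (bytes([17]) + name.encode() + b"\x00" + game_map.encode() + b"\x00"
                + b"csgo\x00" + b"Counter-Strike: Global Offensive\x00"
                + struct.pack("<HBBB", 730, players, 16, 0)
                + b"d" + b"l" + b"\x00" + b"\x01")   # type, environment, visibility, vac
        self.info_reply = HEADER + S2A_INFO + body

    def handle(self, datagram: bytes) -> Optional[bytes]:
        prefix = HEADER + A2S_INFO + INFO_PAYLOAD
        if not datagram.startswith(prefix):
            return None                          # not an A2S_INFO query, ignore
        if datagram[len(prefix):] != self.challenge:
            return HEADER + S2C_CHALLENGE + self.challenge
        return self.info_reply


def query_info(server: FakeServer) -> dict:
    """Client side: send, answer the challenge if asked, parse the info reply."""
    reply = server.handle(build_info_request())
    if reply.startswith(HEADER + S2C_CHALLENGE):
        reply = server.handle(build_info_request(reply[5:9]))
    return parse_info_response(reply)


def amplification(server: FakeServer) -> Tuple[float, float]:
    """Bytes returned per byte sent: unsolicited (spoofable) query vs completed exchange."""
    req = build_info_request()
    unsolicited = len(server.handle(req)) / len(req)
    full = len(server.info_reply) / len(build_info_request(server.challenge))
    return round(unsolicited, 2), round(full, 2)


if __name__ == "__main__":
    s = FakeServer()
    print(query_info(s))
    print("amplification unsolicited/full:", amplification(s))
    print("rule matches first query and retry:",
          rule_matches(build_info_request()), rule_matches(build_info_request(s.challenge)))
    print("rule matches challenge reply:", rule_matches(HEADER + S2C_CHALLENGE + s.challenge))
```

Two things follow from running it. The challenge cuts an unsolicited query's return to 9 bytes, which is why the handshake exists. And every legitimate query from a server browser now arrives as two inbound datagrams that both pass the string match and are both counted by the hashlimit, so when lowering --hashlimit-above and --hashlimit-burst, budget two matched packets per real query, not one.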