Many server owners have this problem. I'm running a community server as well and we get attacked a lot, which results in our servers not being listed in the CS:GO server browser.
I have been testing these rules for a while now and I thought, why not share them :)
Before you insert these rules, make sure your existing iptables rules aren't overriding them. Remember to replace "SERVERPORT" with your server's port, and don't change the order of the rules.
Chain Filter-DROP:
- Drops the traffic. Using the recent module, it records the source address of the matched traffic in a list named "vse".
Traffic from a recorded address will not reach the game server until its entry has expired. The attacker's IP is dropped for 30 seconds; if it keeps spamming, the timer is reset.
Chain Filter-GAME:
- Filters traffic. Most of its rules jump to the Filter-DROP chain when they match.
With that said, let's start!
Create Chains:
Quote:
iptables -N Filter-DROP
iptables -N Filter-GAME
Append the update rule: it checks whether the source IP is already in the "vse" list (with --hitcount 5, the address must have been recorded at least 5 times within the last 30 seconds) and drops the VSE attack for 30 seconds. If the IP keeps sending, the timer is reset.
Quote:
iptables -A INPUT -p udp -m udp --dport SERVERPORT -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP
A packet carrying "TSource Engine Query" (A2S_INFO) has got past the drop rule; let's send it through the filter chain. The hex string ffffffff54 is the A2S_INFO header: four 0xFF bytes followed by "T".
Quote:
iptables -A INPUT -p udp -m udp --dport SERVERPORT -m string --hex-string "|ffffffff54|" --algo kmp --to 65535 -j Filter-GAME
Keep established connections alive. This rule must stay below the two rules above: if it came first, the flood would be accepted as part of an established flow and the attack would continue.
Quote:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Either whitelist RCON to a specific IP or allow it from anywhere. I do REALLY recommend adding a whitelisted IP. To whitelist an IP, replace "WHITELIST" with it. If you don't want to, remove "-s WHITELIST " (yes, including the trailing space!).
Quote:
iptables -A INPUT -s WHITELIST -p tcp -m tcp --dport SERVERPORT -j ACCEPT
The traffic has been filtered; let's accept it!
Quote:
iptables -A INPUT -p udp -m udp --dport SERVERPORT -j ACCEPT
This chain records the source address in the "vse" list using the iptables recent module, then drops the packet.
Quote:
iptables -A Filter-DROP -p udp -m udp -m recent --set --name vse --mask 255.255.255.255 --rsource -j DROP
Illegal traffic: legitimate queries never come from a source port in the 0 to 1025 range, so send those straight to Filter-DROP.
Quote:
iptables -A Filter-GAME -p udp -m udp --sport 0:1025 -j Filter-DROP
Drop invalid UDP traffic: packets too small to be a real query (up to 32 bytes), oversized packets (2521 bytes and above), and the 60- and 46-byte lengths. Note that -m length matches the total packet length, IP header included.
Quote:
iptables -A Filter-GAME -p udp -m udp -m length --length 0:32 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m length --length 2521:65535 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m length --length 60 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m length --length 46 -j Filter-DROP
The attacker now hates us: we just appended a rate limit for TSource Engine Query floods. A source sending more than 1 query per second (after a burst of 3) is sent to Filter-DROP. If you are running a single server, change "--hashlimit-mode srcip,dstip,dstport" to "--hashlimit-mode srcip".
Quote:
iptables -A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip,dstport --hashlimit-name StopDoS --hashlimit-htable-expire 30000 -j Filter-DROP
Anything that survived the filter RETURNs to INPUT, so let's carry on traversing!
Quote:
iptables -A Filter-GAME -p udp -m udp -j RETURN
That was it!
If you want to test it out, open the server browser and spam the refresh button on your server.
I have attached 2 images. They contain PROOF (iptables -vnL) and a list of my current iptables rules (iptables -S).
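Since the whole setup depends on rule order, here is an added check (my own script, not part of the post) that reads iptables -S output and reports the ordering mistakes the post warns about. The embedded sample is constructed from the rules above with the assumed values SERVERPORT=27015, WHITELIST=203.0.113.10 and the single-server hashlimit mode; run it against your own "iptables -S" output instead.

```python
import re

# Constructed sample of "iptables -S" output for the ruleset in the post, with
# SERVERPORT=27015, WHITELIST=203.0.113.10 and the single-server hashlimit mode.
SAMPLE_RULES = """\
-N Filter-DROP
-N Filter-GAME
-A INPUT -p udp -m udp --dport 27015 -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p udp -m udp --dport 27015 -m string --hex-string "|ffffffff54|" --algo kmp --to 65535 -j Filter-GAME
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27015 -j ACCEPT
-A INPUT -p udp -m udp --dport 27015 -j ACCEPT
-A Filter-DROP -p udp -m udp -m recent --set --name vse --mask 255.255.255.255 --rsource -j DROP
-A Filter-GAME -p udp -m udp --sport 0:1025 -j Filter-DROP
-A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit-htable-expire 30000 -j Filter-DROP
-A Filter-GAME -p udp -m udp -j RETURN
"""

def audit(rules_text):
    """Return the ordering problems found in iptables -S output (empty list = OK)."""
    chains = {}  # chain name -> its rules, in the order iptables evaluates them
    for line in rules_text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    inp = chains.get("INPUT", [])
    def pos(pattern):  # index of the first INPUT rule matching pattern, or None
        return next((i for i, r in enumerate(inp) if re.search(pattern, r)), None)
    i_update = pos(r"-m recent --update .*--name vse .*-j DROP$")
    i_string = pos(r'--hex-string "\|ffffffff54\|" .*-j Filter-GAME$')
    i_ct = pos(r"--ctstate RELATED,ESTABLISHED -j ACCEPT$")
    i_accept = pos(r"^-p udp -m udp --dport \d+ -j ACCEPT$")
    problems = []
    if "SERVERPORT" in rules_text or "WHITELIST" in rules_text:
        problems.append("placeholder SERVERPORT/WHITELIST still present")
    if None in (i_update, i_string, i_accept):
        problems.append("INPUT lacks the recent --update DROP, the A2S_INFO string match or the UDP ACCEPT")
    elif i_update > i_string:
        problems.append("recent --update DROP must come before the A2S_INFO string match")
    elif i_accept < i_string:
        problems.append("unconditional UDP ACCEPT sits above the A2S_INFO filter")
    if None not in (i_string, i_ct) and i_ct < i_string:
        problems.append("conntrack ACCEPT sits above the A2S_INFO filter, so a flood bypasses Filter-GAME")
    game = chains.get("Filter-GAME", [])
    if not game or not game[-1].endswith("-j RETURN"):
        problems.append("Filter-GAME must end with RETURN")
    if not any("-m recent --set" in r and "--name vse" in r for r in chains.get("Filter-DROP", [])):
        problems.append("Filter-DROP lacks the recent --set --name vse rule")
    return problems
```

Pipe your live rules in with `iptables -S | python3 -c 'import sys, audit_rules; print(audit_rules.audit(sys.stdin.read()))'` after saving the script as audit_rules.py.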