Hardening SRCDS with iptables rules


databomb
Veteran Member
Join Date: Jun 2009
Location: california
Old 03-14-2015 , 13:36   Re: Hardening SRCDS with iptables rules
Reply With Quote #31

Quote:
Originally Posted by unscarred View Post
hello,
I use these rules, but now my server doesn't show in GameTracker and GameMe. How can I fix this?
Thanks.
See the note: "This is so sensitive that hitting 'Refresh' in the server browser window too often will trigger these rules"

Adjust these parameters accordingly to allow those types of queries.
--hashlimit 1/s --hashlimit-burst 3
__________________
databomb is offline
Amroth
Senior Member
Join Date: Apr 2013
Location: /root
Old 04-13-2015 , 16:46   Re: Hardening SRCDS with iptables rules
Reply With Quote #32

Hey, anyone have an idea how to apply this rule to CSGO?

Quote:
I used to determine the maximum acceptable packet size:
Maximum Size = (`net_maxroutable`) + (`net_splitrate`) * (`net_maxfragments`)
I try to determine the maximum packet size, but it gives me about 1441200.

[SM] "net_maxroutable" is: 1200
[SM] "net_splitrate" is: 1
[SM] "net_maxfragments" is: 1200

Am I doing something wrong?

Last edited by Amroth; 04-13-2015 at 16:46.
Amroth is offline
databomb
Veteran Member
Join Date: Jun 2009
Location: california
Old 04-13-2015 , 19:18   Re: Hardening SRCDS with iptables rules
Reply With Quote #33

Whoa there Amroth, leave Reverse Polish Notation calculators to the professionals!

Quote:
Originally Posted by Amroth View Post
Hey, anyone have an idea how to apply this rule to CSGO?

I try to determine the maximum packet size, but it gives me about 1441200.

[SM] "net_maxroutable" is: 1200
[SM] "net_splitrate" is: 1
[SM] "net_maxfragments" is: 1200

Am I doing something wrong?
__________________
databomb is offline
Amroth
Senior Member
Join Date: Apr 2013
Location: /root
Old 04-13-2015 , 19:41   Re: Hardening SRCDS with iptables rules
Reply With Quote #34

Haha sorry, got it. It was 2400.
Amroth is offline
bizzarre13
Member
Join Date: Jan 2014
Old 01-13-2016 , 03:35   Re: Hardening SRCDS with iptables rules
Reply With Quote #35

How can I block all countries except my country?
I receive DDoS attacks from China, USA, Brazil, Russia, etc.
bizzarre13 is offline
SilverLlama
Junior Member
Join Date: Oct 2015
Old 01-13-2016 , 04:29   Re: Hardening SRCDS with iptables rules
Reply With Quote #36

So how would the ideal iptables file look for ports 27000-28000?
SilverLlama is offline
databomb
Veteran Member
Join Date: Jun 2009
Location: california
Old 01-13-2016 , 07:47   Re: Hardening SRCDS with iptables rules
Reply With Quote #37

Quote:
Originally Posted by SilverLlama View Post
So how would the ideal iptables file look for ports 27000-28000?
Only accept incoming traffic on a UDP port the server is listening on (default 27015).
__________________
databomb is offline
databomb
Veteran Member
Join Date: Jun 2009
Location: california
Old 01-13-2016 , 07:49   Re: Hardening SRCDS with iptables rules
Reply With Quote #38

Quote:
Originally Posted by bizzarre13 View Post
How can I block all countries except my country?
I receive DDoS attacks from China, USA, Brazil, Russia, etc.
There are many ways to do that, and it's a common problem with trollers in the Eurozone. Just google that. One site you could visit is https://www.ip2location.com/free/visitor-blocker .

But if you are receiving a large DDoS attack then there is no way to defend yourself. Your provider will upstream null-route you to ensure other customers have bandwidth available.
__________________
databomb is offline
hajrullah
Junior Member
Join Date: Nov 2008
Old 10-10-2019 , 15:47   Re: Hardening SRCDS with iptables rules
Reply With Quote #39

Quote:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p tcp --destination-port 27015 -j DROP
iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j DROP
iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j DROP
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p udp -j DROP
After I added those to my server, the server stopped crashing.
But hlstats and HLSW are not working (rcon is not working). How do I allow only my HlstatsX IP and rcon IP in those rules?
Thanks for this.
hajrullah is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 10-10-2019 , 18:17   Re: Hardening SRCDS with iptables rules
Reply With Quote #40

Quote:
Originally Posted by hajrullah View Post
Code:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p tcp --destination-port 27015 -j DROP
iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j DROP
iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j DROP
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p udp -j DROP
After I added those to my server, the server stopped crashing.
But hlstats and HLSW are not working (rcon is not working). How do I allow only my HlstatsX IP and rcon IP in those rules?
Thanks for this.
iptables works in such a way that the first matching rule is the one that defines what happens; further queries down the road won't be considered.

So if you have a set of trusted IP addresses, let's say the following list:

- 192.168.123.241
- 10.43.88.0/24 (range from 10.43.88.0 to 10.43.88.255)
- 172.30.0.0/16 (172.30.0.0 - 172.30.255.255)

To add them as trusted, simply add:

Code:
iptables -A INPUT -p tcp -s 192.168.123.241 -j ACCEPT
iptables -A INPUT -p tcp -s 10.43.88.0/24  -j ACCEPT
iptables -A INPUT -p tcp -s 172.30.0.0/16 -j ACCEPT
On the 6th line and forward, e.g.:

Code:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -p tcp -s 192.168.123.241 -j ACCEPT
iptables -A INPUT -p tcp -s 10.43.88.0/24  -j ACCEPT
iptables -A INPUT -p tcp -s 172.30.0.0/16 -j ACCEPT

[...]
all your other rules here
[...]
Be sure that you're not opening up too much here, but only add the individual IP addresses / *small* group of networks that you actually trust 100%.

If necessary, you can do the same rules once more, replacing "-p tcp" with "-p udp" to lift the UDP filters.


HLSW (at least in the past) is tied to the IP address of your own personal internet connection - the IP address you are browsing from, which is typically very dynamic. In many cases today, ISPs run multiple customers behind one IP address using Carrier Grade NAT.

As such, opening up 100% for the IP you're on yourself might also open up for your neighbours and others on the same ISP, and may be causing much more harm than good. So I wouldn't really suggest opening up for normal residential connections.

Only do such white-listing with caution.
__________________
Mostly known as "DarkDeviL".

Dropbox FastDL: Public folder will no longer work after March 15, 2017!
For more info, see the [SRCDS Thread], or the [HLDS Thread].
DarkDeviL is offline
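The first-match behaviour DarkDeviL describes is easy to get wrong when rules are appended with -A, so here is an added illustration (not code from the thread or from iptables) that walks a simplified INPUT chain the way the kernel does and shows why the trusted-IP ACCEPT rules must come before the TCP 27015 DROP rule. The three trusted networks are the ones from the post; 10.43.88.17 and 203.0.113.5 are constructed sample sources, and the rule/evaluate helpers are a minimal model, not a real iptables parser.

```python
import ipaddress

# Trusted sources exactly as listed in the post (a bare address becomes a /32).
TRUSTED = ["192.168.123.241", "10.43.88.0/24", "172.30.0.0/16"]


def rule(proto, target, src=None, dport=None):
    """One simplified INPUT rule: protocol, optional -s network, optional --dport."""
    return {"proto": proto, "target": target,
            "src": ipaddress.ip_network(src) if src else None, "dport": dport}


def evaluate(chain, proto, src_ip, dport, policy="ACCEPT"):
    """Walk the chain top to bottom and return the first terminating verdict.
    LOG is a non-terminating target in iptables, so traversal continues past it;
    if nothing terminates, the chain policy (-P INPUT ACCEPT in the thread) applies."""
    ip = ipaddress.ip_address(src_ip)
    for r in chain:
        if r["proto"] != proto:
            continue
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["target"] == "LOG":
            continue
        return r["target"]
    return policy


# The whitelist lines DarkDeviL adds, and the RCON LOG+DROP pair from the rule set.
trusted_rules = [rule("tcp", "ACCEPT", src=net) for net in TRUSTED]
rcon_block = [rule("tcp", "LOG", dport=27015), rule("tcp", "DROP", dport=27015)]

# Whitelist placed "on the 6th line and forward" (before the DROP) vs. appended after it.
good_chain = trusted_rules + rcon_block
bad_chain = rcon_block + trusted_rules


def rcon_verdict(chain, src_ip):
    """Verdict for a TCP packet to the RCON port 27015 from src_ip."""
    return evaluate(chain, "tcp", src_ip, 27015)


if __name__ == "__main__":
    for ip in ("10.43.88.17", "203.0.113.5"):
        print(ip, "whitelist first:", rcon_verdict(good_chain, ip),
              "| whitelist after DROP:", rcon_verdict(bad_chain, ip))
```

With the whitelist appended after the DROP, the trusted network still gets DROP for RCON, because the DROP rule matched first and the ACCEPT lines are never reached.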