[Tut] Linux Iptables
Mavrick4283
Veteran Member
Join Date: Apr 2010
Location: 127.0.0.1@root
Posted 07-30-2011, 17:31   #1

Ok, so I am writing this because I am tired of having to look at 40 different posts to get the info I want, and also to clear up what the commands are and what they do.

Notes: I am using Debian 5 x64 for my examples. These commands should work on any Linux install that is using netfilter, aka iptables.

FAQ:

Q: What is iptables?
A: Iptables is the interface used by administrators to interact with the Netfilter modules. In other words, it is the program you use to configure the built-in firewall.

Q: I keep getting "iptables: command not found" or "access denied".
A: You are not root.

Q: It does not work.
A: Not really a question. Yes, this does work; if you are having problems, check your IP/ports and type iptables -L to see all your rules.

Q: XYZ plugin is not working after I configure iptables.
A: The only plugins that can be affected by this are ones that use sockets or require external information, like GameME or HLstatsX. Make sure to add your log_serveraddress port to the allowed connections, and any other ports required. (I will post more info as I get the needed info, i.e. what ports GameME uses.)

Q: When I copied the commands they did not work.
A: I am making this tut so you can set up your own rules; I am not doing it for you. If you do not understand, please ask; do not just say they do not work.

Q: How do I set this up on a shared host, i.e. rented servers?
A: You cannot. You have to have root access; if you have a VPS or dedicated server you should be good to go.

Note: If you are running an Ubuntu server you can use UFW.



Let's get started:

First off, let's get a list of the ports we need to allow traffic on and what protocol they use.

FTP                                    TCP  21 (Really, FTP guys....)
SSH                                    TCP  22
MySQL                                  TCP  3306
Steam Friends Service                  UDP  1200
Steam Main UDP                         UDP  27000
Steam Main TCP                         TCP  27020-27039
Steam CyberCafe                        TCP  27040-27041
Steam Dedicated Server (HLDS, SRCDS)   UDP  27015
Steam Dedicated Server HLTV            UDP  27020
Steam SRCDS Rcon                       TCP  27015

Now that we have our list of ports we can make the rules/chains the firewall will use to accept or drop traffic.

To start out we are going to flush all our old rules and reset the default chains' policies to ACCEPT.

Code:
iptables -F
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT

-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

Now we are going to allow all our needed traffic.

Code:
# Accept anything from localhost
iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT

# FTP
iptables -A INPUT -p tcp --dport 21 --jump ACCEPT

# SSH
iptables -A INPUT -p tcp --dport ssh --jump ACCEPT

# MySQL
iptables -A INPUT -p tcp --dport 3306 --jump ACCEPT

# Steam Friends Service
iptables -A INPUT -p udp --dport 1200 --jump ACCEPT

# Steam Main UDP
iptables -A INPUT -p udp --dport 27000 --jump ACCEPT

# Steam Main TCP (the whole 27020-27039 range from the list above, written as first:last)
iptables -A INPUT -p tcp --dport 27020:27039 --jump ACCEPT

# Steam Dedicated Server HLTV
iptables -A INPUT -p udp --dport 27020 --jump ACCEPT

# Your server info goes here (replace server-IP and server-port with your own)
iptables -A INPUT -p udp -d server-IP --dport server-port --jump ACCEPT

# Allow rcon to those servers
iptables -A INPUT -p tcp -d server-IP --dport server-port --jump ACCEPT

# Now drop all other traffic to the privileged ports (1-1023). Anything above
# 1023 that no rule matched still falls through to the INPUT policy (ACCEPT).
iptables -A INPUT -p tcp --dport 1:1023 --jump DROP
iptables -A INPUT -p udp --dport 1:1023 --jump DROP
Now to break it down:

-A = Append one or more rules to the end of the selected chain, i.e. adds the rule to the chain. Rules are checked in order and the first match decides, so order matters.

-p = Protocol: tcp, udp, icmp, or all

--dport = destination port :)

--jump (short form -j) = Tells the firewall what to do if the packet matches the rule
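As an added example (my own, not from the post), this small Python model walks the INPUT chain above the way netfilter does, first match wins, and shows which packets the 1:1023 DROP rules actually catch and which fall through to the ACCEPT policy. The server IP and port are constructed stand-ins for server-IP and server-port.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                     # -j / --jump: ACCEPT or DROP
    proto: Optional[str] = None     # -p; None matches any protocol
    src: Optional[str] = None       # -s
    dst: Optional[str] = None       # -d
    dports: Optional[range] = None  # --dport; a single port is range(p, p + 1)

def port(p):
    return range(p, p + 1)

SERVER_IP = "203.0.113.10"   # constructed stand-in for server-IP
SERVER_PORT = 27015          # constructed stand-in for server-port

# The INPUT chain in the order the -A commands above append it
INPUT = [
    Rule("ACCEPT", src="127.0.0.1"),
    Rule("ACCEPT", "tcp", dports=port(21)),
    Rule("ACCEPT", "tcp", dports=port(22)),             # --dport ssh
    Rule("ACCEPT", "tcp", dports=port(3306)),
    Rule("ACCEPT", "udp", dports=port(1200)),
    Rule("ACCEPT", "udp", dports=port(27000)),
    Rule("ACCEPT", "tcp", dports=range(27020, 27040)),  # Steam Main TCP range from the port list
    Rule("ACCEPT", "udp", dports=port(27020)),
    Rule("ACCEPT", "udp", dst=SERVER_IP, dports=port(SERVER_PORT)),
    Rule("ACCEPT", "tcp", dst=SERVER_IP, dports=port(SERVER_PORT)),
    Rule("DROP", "tcp", dports=range(1, 1024)),
    Rule("DROP", "udp", dports=range(1, 1024)),
]
POLICY = "ACCEPT"   # iptables -P INPUT ACCEPT

def matches(rule, proto, src, dst, dport):
    return ((rule.proto is None or rule.proto == proto)
            and (rule.src is None or rule.src == src)
            and (rule.dst is None or rule.dst == dst)
            and (rule.dports is None or dport in rule.dports))

def verdict(proto, src, dst, dport, chain=INPUT, policy=POLICY):
    """Walk the chain top to bottom; the first match decides, otherwise the policy."""
    for rule in chain:
        if matches(rule, proto, src, dst, dport):
            return rule.target
    return policy

if __name__ == "__main__":
    for pkt in [("udp", "198.51.100.7", SERVER_IP, SERVER_PORT), ("tcp", "198.51.100.7", SERVER_IP, 80), ("tcp", "198.51.100.7", SERVER_IP, 8080)]:
        print(pkt, "->", verdict(*pkt))
```

Note that TCP 8080 and UDP 27015 to an address other than server-IP both come back ACCEPT: nothing matched them, so the chain policy decided.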

Now that is all great for a basic firewall, but it does not help much with the DoS attack that still affects srcds...

To stop that we can use iptables in combination with another program called fail2ban. Fail2ban (pronounced "fail to ban") reads logs and takes actions based on what it finds.

First we have to install it:
Code:
apt-get install fail2ban

or, on a yum-based distro:
Code:
yum install fail2ban

Now just a little configuring.

Create a file called srcdsdos.conf:
Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf
Now copy this into the file (credits to cmer for this line):
Code:
[Definition]

# LENGTH and LEN must allow both packet sizes the iptables chains below log (28 and 46 bytes)
failregex = IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)
Now open jail.conf, located in /etc/fail2ban/, and add:
Code:
[srcdsdos]
enabled  = true
# put your SRCDS ports in here
port     = 27015,27025,27035
protocol = udp
filter   = srcdsdos
# the file your syslog writes kernel messages to; adjust if your distro uses a different one
logpath  = /var/log/messages.log
maxretry = 3
bantime  = 6000
All that is left to do with fail2ban is restart it:
Code:
/etc/init.d/fail2ban restart
Now add these rules to your iptables (credits once again to cmer):
Code:
# Create a chain that logs and drops 28-byte UDP flood packets
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP

# Create a chain that logs and drops 46-byte UDP flood packets
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP

# Insert (-I) at the top of INPUT rather than append (-A): the ACCEPT rule for
# your server port added earlier would otherwise match first and these would never run
iptables -I INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -I INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
Now if someone attacks you with the DoS exploit it will be stopped and logged in fail2ban.log.
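Added example (my own, not from the post, cmer, or fail2ban itself): it runs the filter the way fail2ban does, with <HOST> replaced by an address-capturing group, over constructed kernel log lines shaped like the LOG target's output, counts hits per source against maxretry = 3, and shows why the regex as it originally circulated (with (28|48) and a fixed LEN=28) never counts the 46-byte flood packets.

```python
import re
from collections import Counter

# Filter line as it originally circulated: only LEN=28 packets can ever match it
ORIGINAL_REGEX = (r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ "
                  r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28")
# Corrected filter: matches both chains the iptables rules create (28 and 46 bytes)
FAILREGEX = (r"IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
             r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)")
# fail2ban swaps <HOST> for an address-capturing group; IPv4-only simplification here
HOST_GROUP = r"(?P<host>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"
MAXRETRY = 3   # same value as the [srcdsdos] jail above

MAC = "MAC=00:1a:2b:3c:4d:5e:00:aa:bb:cc:dd:ee:08:00"   # constructed

def flood_line(length, src, dst="203.0.113.10"):
    """Constructed kernel log line in the shape the LOG target above emits."""
    return (f"Jul 30 17:31:01 srv kernel: IPTABLES-FLOOD LENGTH {length}: IN=eth0 OUT= {MAC} "
            f"SRC={src} DST={dst} LEN={length} TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP "
            f"SPT=40000 DPT=27015 LEN={length - 20}")

LOG_LINES = [  # constructed sample: one source hits three times, another twice
    flood_line(28, "198.51.100.7"),
    flood_line(46, "198.51.100.7"),
    flood_line(28, "198.51.100.7"),
    flood_line(46, "192.0.2.9"),
    flood_line(28, "192.0.2.9"),
    "Jul 30 17:31:02 srv kernel: eth0: link up",   # unrelated line, must not match
]

def compile_filter(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def matched_hosts(lines, failregex=FAILREGEX):
    """SRC address of every line the filter matches (one fail2ban 'failure' each)."""
    pat = compile_filter(failregex)
    return [m.group("host") for m in map(pat.search, lines) if m]

def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Sources with at least maxretry failures, i.e. what the jail would ban."""
    counts = Counter(matched_hosts(lines, failregex))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("corrected filter bans:", hosts_to_ban(LOG_LINES))
    print("original filter bans: ", hosts_to_ban(LOG_LINES, ORIGINAL_REGEX))
```

With the corrected filter 198.51.100.7 reaches maxretry and is banned; with the original one its 46-byte packet is not counted, so it stays under the threshold.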

These are just some of the things you can do with iptables. For more info read the man page here: http://linux.die.net/man/8/iptables

Credits:
http://linux.die.net/man/8/iptables - for a detailed explanation of the commands

https://forums.alliedmods.net/member.php?u=51244 - for his fail2ban rules

http://en.wikipedia.org/wiki/Iptables - for the explanation of iptables

Last edited by Mavrick4283; 08-04-2011 at 17:56. Reason: Added UFW info