
Hardening SRCDS with iptables rules


vn_lind
Member
Join Date: Jul 2017
05-30-2021, 02:07   Re: Hardening SRCDS with iptables rules
#41

Quote:
Originally Posted by DarkDeviL
iptables works the way that the first matching rule is the one that defines what happens, further queries down the road won't be considered.

So if you have a set of trusted IP addresses, let's say the following list:

- 192.168.123.241
- 10.43.88.0/24 (range from 10.43.88.0 to 10.43.88.255)
- 172.30.0.0/16 (172.30.0.0 - 172.30.255.255),

To add them as trusted, simply add:

Code:
iptables -A INPUT -p tcp -s 192.168.123.241 -j ACCEPT
iptables -A INPUT -p tcp -s 10.43.88.0/24  -j ACCEPT
iptables -A INPUT -p tcp -s 172.30.0.0/16 -j ACCEPT
On the 6th line and forward, e.g.:

Code:
iptables -F                     # flush all rules in every chain
iptables -X                     # delete user-defined chains
iptables -P INPUT ACCEPT        # default policies while the rules are rebuilt
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -p tcp -s 192.168.123.241 -j ACCEPT   # trusted single host
iptables -A INPUT -p tcp -s 10.43.88.0/24  -j ACCEPT    # trusted /24
iptables -A INPUT -p tcp -s 172.30.0.0/16 -j ACCEPT     # trusted /16

[...]
all your other rules here
[...]
Be sure that you are not opening up too much here; only add the individual IP addresses or *small* groups of networks that you actually trust 100%.

If necessary, you can add the same rules once more, replacing "-p tcp" with "-p udp", to lift the UDP filters as well.


HLSW (at least in the past) is tied to the IP address of your own personal internet connection, the IP address you are browsing from, which is typically very dynamic. In many cases today, ISPs run multiple customers behind one address using Carrier Grade NAT.

As such, opening up 100% for the IP you are on yourself might also open up for your neighbours and others on the same ISP, and may cause much more harm than good. So I wouldn't really suggest opening up for a normal residential connection.

Only do such white-listing with caution.
Hi,

Must this be done for every port that you have a server running on?

Last edited by vn_lind; 05-30-2021 at 02:07.
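The first-match behaviour DarkDeviL describes in the quoted post, modelled as an added example (this is not code from the thread): a small evaluator walks an INPUT chain in order and returns the verdict of the first rule that matches, falling back to the chain policy. The three trusted sources and the `-p tcp` ACCEPT rules are taken from the quoted post; the trailing catch-all DROP that stands in for "all your other rules", and the documentation-range packet sources used to exercise it, are assumptions made for this example. It also shows why the post says the rules must be repeated with `-p udp`: a tcp-only whitelist does nothing for UDP.

```python
"""First-match evaluation of an iptables INPUT chain (added example).

Models the rules from the quoted post: three trusted sources accepted for TCP,
followed by a catch-all DROP standing in for "all your other rules" (an
assumption made here), with the chain policy as the fallback verdict.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or DROP
    proto: Optional[str] = None  # "tcp" / "udp"; None matches any protocol
    src: Optional[str] = None    # source host or CIDR; None matches any source

    def matches(self, proto: str, src_ip: ipaddress.IPv4Address) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None:
            # A bare host address becomes a /32 network.
            if src_ip not in ipaddress.ip_network(self.src, strict=False):
                return False
        return True


# Trusted sources exactly as listed in the quoted post.
TRUSTED = ["192.168.123.241", "10.43.88.0/24", "172.30.0.0/16"]


def whitelist(proto: str) -> list:
    """The `iptables -A INPUT -p <proto> -s <src> -j ACCEPT` lines, as rules."""
    return [Rule("ACCEPT", proto, src) for src in TRUSTED]


def evaluate(chain: list, policy: str, proto: str, src: str) -> str:
    """Verdict for one packet: the first matching rule decides, else the policy."""
    ip = ipaddress.ip_address(src)
    for rule in chain:
        if rule.matches(proto, ip):
            return rule.target
    return policy


# Assumption: the rules that follow the whitelist end in a catch-all DROP.
CATCH_ALL = [Rule("DROP")]
GOOD_ORDER = whitelist("tcp") + CATCH_ALL   # whitelist first, as the post says
BAD_ORDER = CATCH_ALL + whitelist("tcp")    # same rules, wrong order


def demo() -> dict:
    """Verdicts for a few constructed packets against both chain orders."""
    return {
        # trusted host, TCP: accepted because its ACCEPT rule comes first
        "trusted_tcp": evaluate(GOOD_ORDER, "ACCEPT", "tcp", "10.43.88.17"),
        # same host, UDP: the tcp-only whitelist does not lift UDP filtering
        "trusted_udp": evaluate(GOOD_ORDER, "ACCEPT", "udp", "10.43.88.17"),
        # untrusted host falls through to the catch-all
        "stranger_tcp": evaluate(GOOD_ORDER, "ACCEPT", "tcp", "203.0.113.5"),
        # any address inside a wide /16 is trusted, which is the CGNAT caveat
        "neighbour_in_16": evaluate(GOOD_ORDER, "ACCEPT", "tcp", "172.30.200.1"),
        # with the catch-all first, the trusted host never reaches its ACCEPT
        "trusted_tcp_bad_order": evaluate(BAD_ORDER, "ACCEPT", "tcp", "10.43.88.17"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The same evaluator with `whitelist("tcp") + whitelist("udp") + CATCH_ALL` accepts the trusted host's UDP too, which is the effect of the second set of rules the post mentions. Real iptables differs in one respect worth remembering: with no catch-all rule at all, the chain policy decides, so a chain whose policy is ACCEPT filters nothing regardless of how the whitelist is ordered.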
TomL.
Veteran Member
Join Date: Oct 2017
Location: Germany
05-30-2021, 10:01   Re: Hardening SRCDS with iptables rules
#42

Quote:
Originally Posted by vn_lind
Hi,

Must this be done for every port that you have a server running on?
He's talking about whitelisting IP addresses, not opening specific ports.
But yes, if you want to allow connections only via specific ports, you need to add all of the game transmission ports for each server/application.
vn_lind
Member
Join Date: Jul 2017
05-30-2021, 11:54   Re: Hardening SRCDS with iptables rules
#43

Quote:
Originally Posted by TomL.
He's talking about whitelisting IP addresses, not opening specific ports.
But yes, if you want to allow connections only via specific ports, you need to add all of the game transmission ports for each server/application.
I did that, but my HLstatsX is not working. It says:

TRCON: Cannot setup TCP socket on ip: Connection timed out

What can be the cause?

I have allowed the stats IP:

Code:
iptables -A INPUT -p tcp -s IP -j ACCEPT
Fixed, but I still get flooded, even with all these settings.

In my log:

Code:
May 31 13:55:48  kernel: [137438.406925] SRCDS-XSQUERY IN=eno1.158 OUT= MAC=90:b1:1c:a4:8b:d9:68:05:ca:0d:ff:36:08:00 SRC=IP DST=IP LEN=37 TOS=0x00 PREC=0x00 TTL=121 ID=53211 PROTO=UDP SPT=7130 DPT=27018 LEN=17
How can I stop that?

Last edited by vn_lind; 05-31-2021 at 06:59.
vakilpaul2
New Member
Join Date: Jun 2021
06-03-2021, 06:11   Re: Hardening SRCDS with iptables rules
#44

Hey, when I try to enter

Code:
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
I get "Unknown error 18446744073709551615".

Last edited by vakilpaul2; 06-12-2021 at 05:03.
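What the hashlimit match in the rule above actually does is easier to see in a model than in the man page, so here is one as an added example (this is not the kernel's xt_hashlimit code, and not anything from the thread). With `--hashlimit-mode srcip` the kernel keeps one bucket per source address; `--hashlimit 1/s --hashlimit-burst 3` means each bucket starts with 3 tokens, refills one token per second up to 3, and the rule matches a packet only if a token can be taken. A packet that does not match is not dropped by this rule; it simply continues to the next rule in the chain. The sample traffic (documentation-range addresses) is constructed for the example, and the kernel's hash-table expiry and integer credit arithmetic are deliberately not modelled.

```python
"""Token-bucket model of `-m hashlimit --hashlimit-mode srcip --hashlimit 1/s
--hashlimit-burst 3` (added example, not the kernel implementation).

One bucket per key (here: source IP). A bucket starts full with `burst` tokens,
refills at `rate` tokens per second up to `burst`, and the rule matches only
when a token can be taken. Non-matching packets fall through to later rules.
Hash-table expiry and the kernel's integer credit arithmetic are not modelled.
"""
from collections import Counter
from typing import Dict, List, Tuple


class HashLimit:
    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens: Dict[str, float] = {}   # key -> tokens left in bucket
        self.last: Dict[str, float] = {}     # key -> time of last packet

    def match(self, key: str, now: float) -> bool:
        """True if the rule matches this packet (a token was available)."""
        tokens = self.tokens.get(key, float(self.burst))   # new key: full bucket
        last = self.last.get(key, now)
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        self.last[key] = now
        if tokens >= 1.0:
            self.tokens[key] = tokens - 1.0
            return True
        self.tokens[key] = tokens
        return False


def run(packets: List[Tuple[float, str]], rate: float = 1.0,
        burst: int = 3) -> List[Tuple[float, str, bool]]:
    """Apply the rule to (timestamp, src) packets in time order.

    Returns (timestamp, src, matched) for each packet.
    """
    hl = HashLimit(rate, burst)
    return [(t, src, hl.match(src, t)) for t, src in sorted(packets)]


def matched_per_source(results: List[Tuple[float, str, bool]]) -> Counter:
    """How many packets per source the rule matched (i.e. would ACCEPT)."""
    return Counter(src for _, src, ok in results if ok)


# Constructed traffic (documentation addresses, not from the thread):
# 203.0.113.9 sends ten packets within one second, then one more after a pause;
# 198.51.100.4 sends one packet every two seconds.
FLOOD = [(i / 10, "203.0.113.9") for i in range(10)] + [(5.0, "203.0.113.9")]
PLAYER = [(0.5, "198.51.100.4"), (2.5, "198.51.100.4"), (4.5, "198.51.100.4")]


def demo() -> Counter:
    return matched_per_source(run(FLOOD + PLAYER))


if __name__ == "__main__":
    for t, src, ok in run(FLOOD + PLAYER):
        print(f"t={t:4.1f} {src:14s} {'match' if ok else 'no match'}")
    print(dict(demo()))
```

Of the flood source's first ten packets only the first three match; the bucket is empty for the rest of that second, but has refilled to its cap by the time the eleventh packet arrives, so the burst is available again. The slow source is never limited because its bucket never drains. Two things follow for the rule as quoted: it only accepts, so the packets it does not match are decided by whatever rules come after it; and because it also carries `-m state --state NEW`, a client's datagrams stop reaching this match once the server has replied to it, as conntrack then classes the flow as ESTABLISHED.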
sapphonie
Junior Member
Join Date: Aug 2020
Location: ohio
08-12-2021, 03:13   Re: Hardening SRCDS with iptables rules
#45

Hello, I wrote a script to automatically implement this (more or less).

It also works with servers using Docker (which mine do):

https://github.com/CreatorsTF/srcds-...tables-docker/
__________________
she/her

Last edited by sapphonie; 08-12-2021 at 04:01.
blaize
Junior Member
Join Date: Sep 2010
11-09-2021, 02:02   Re: Hardening SRCDS with iptables rules
#46

Thank you sapphonie.
I will try your script this evening.
Yesterday a script kiddie DoS'd my server and we were unable to play.
Your work will be very precious.
blaize
Junior Member
Join Date: Sep 2010
11-09-2021, 13:50   Re: Hardening SRCDS with iptables rules
#47

The script looks to be working; I just needed to install net-tools in order to get the route command working.

Do I need to do something to have these rules persist after a reboot?

Thanks.
blaize
Junior Member
Join Date: Sep 2010
11-09-2021, 15:20   Re: Hardening SRCDS with iptables rules
#48

People are now timing out. I used sapphonie's script, but it seems it doesn't work out of the box.

Edit: It looks like udp-spam is triggered when players connect. Here is a hint from a line of /var/log/syslog:

Code:
<|srcds-ipt|> udp spam: IN=ens18 OUT= MAC=6e:72:b5:8e:ece:aa:e6:73:44:d6:c6:08:00 SRC=194.118.68.64 DST=192.168.0.112 LEN=74 TOS=0x00 PREC=0x00 TTL=113 ID=55803 PROTO=UDP SPT=49919 DPT=27018 LEN=54
My server is L4D2 on port 27018. Any help?

Last edited by blaize; 11-09-2021 at 18:03.
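Both vn_lind's SRCDS-XSQUERY line (post #43) and blaize's `<|srcds-ipt|> udp spam:` line (post #48) are netfilter LOG output, and the first thing to do with a flood of them is count hits per prefix and source rather than read them one by one. The parser below is an added example written for this thread; it is not code from the thread or from the script linked in post #45. It takes the LOG target's `KEY=VALUE` layout as given: for UDP, LEN appears twice, first the IP total length and then the UDP length including its 8-byte header. blaize's line is used verbatim as sample input; the two SRCDS-XSQUERY lines reproduce vn_lind's with his redacted `SRC=IP DST=IP` replaced by documentation addresses, and a second ID, constructed for the example. The `drop_rules` output is an iptables command string built from the counts, nothing more.

```python
"""Parser and per-source summary for the iptables LOG lines posted in this
thread (added example, not code from the thread or from any linked script).

Netfilter's LOG target writes `KEY=VALUE` fields after the --log-prefix. For
UDP the LEN field appears twice: first the IP total length, then the UDP
length, which includes the 8-byte UDP header.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional

# First line: quoted in blaize's post. The SRCDS-XSQUERY lines follow
# vn_lind's post, with his redacted "SRC=IP DST=IP" replaced by documentation
# addresses and a second ID constructed for this example.
SAMPLE_LINES = [
    "<|srcds-ipt|> udp spam: IN=ens18 OUT= MAC=6e:72:b5:8e:ece:aa:e6:73:44:d6:c6:08:00 "
    "SRC=194.118.68.64 DST=192.168.0.112 LEN=74 TOS=0x00 PREC=0x00 TTL=113 ID=55803 "
    "PROTO=UDP SPT=49919 DPT=27018 LEN=54",
    "May 31 13:55:48  kernel: [137438.406925] SRCDS-XSQUERY IN=eno1.158 OUT= "
    "MAC=90:b1:1c:a4:8b:d9:68:05:ca:0d:ff:36:08:00 SRC=203.0.113.7 DST=198.51.100.2 "
    "LEN=37 TOS=0x00 PREC=0x00 TTL=121 ID=53211 PROTO=UDP SPT=7130 DPT=27018 LEN=17",
    "May 31 13:55:48  kernel: [137438.512001] SRCDS-XSQUERY IN=eno1.158 OUT= "
    "MAC=90:b1:1c:a4:8b:d9:68:05:ca:0d:ff:36:08:00 SRC=203.0.113.7 DST=198.51.100.2 "
    "LEN=37 TOS=0x00 PREC=0x00 TTL=121 ID=53212 PROTO=UDP SPT=7130 DPT=27018 LEN=17",
]

_KV = re.compile(r"(\w+)=(\S*)")
# syslog timestamp/host and "kernel: [uptime]" in front of the log prefix
_SYSLOG_HEAD = re.compile(r"^.*?kernel:\s*(?:\[\s*[\d.]+\]\s*)?")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the LOG fields plus 'PREFIX' and, for UDP, 'PAYLOAD' (bytes)."""
    pos = line.find("IN=")
    if pos < 0:
        return None                       # not a netfilter LOG line
    head, body = line[:pos], line[pos:]
    fields: Dict[str, str] = {"PREFIX": _SYSLOG_HEAD.sub("", head).strip()}
    for key, value in _KV.findall(body):
        # A repeated key (LEN for UDP) is kept as LEN2 rather than overwritten.
        fields[key + "2" if key in fields else key] = value
    if fields.get("PROTO") == "UDP" and "LEN2" in fields:
        fields["PAYLOAD"] = str(int(fields["LEN2"]) - 8)   # strip UDP header
    return fields


def summarize(lines: Iterable[str]) -> Counter:
    """Hits per (log prefix, source address, destination port)."""
    hits: Counter = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is not None:
            hits[(f["PREFIX"], f["SRC"], f.get("DPT", ""))] += 1
    return hits


def drop_rules(hits: Counter, threshold: int) -> List[str]:
    """Sources with at least `threshold` hits, as iptables commands to review."""
    sources = sorted({src for (_, src, _), n in hits.items() if n >= threshold})
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    hits = summarize(lines)
    for (prefix, src, dpt), n in hits.most_common():
        print(f"{n:6d}  {prefix:28s} {src:16s} -> :{dpt}")
    for cmd in drop_rules(hits, threshold=2):
        print(cmd)
```

Pipe `/var/log/syslog` or `journalctl -k` into it to get the hit table for the real log. On the sample lines, blaize's packet works out to a 46-byte payload from a high ephemeral port, while the SRCDS-XSQUERY packets carry 9 bytes, which is the size of an A2S_PLAYER or A2S_RULES request with a challenge (4-byte header, 1-byte type, 4-byte challenge). The generated DROP commands are meant to be reviewed, not run blindly: as DarkDeviL's quoted post warns, a residential address behind Carrier Grade NAT is shared with other customers, so a blanket drop on it hits more than the one sender.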