
[Tut] Linux Iptables


Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
07-30-2011, 17:31   [Tut] Linux Iptables   #1

OK, so I am writing this because I am tired of having to look at 40 different posts to get the info I want. Also to clear up what the commands are and what they do.

Notes: I am using Debian 5 x64 for my examples; these commands should work on any Linux install that is using netfilter, aka iptables.

FAQ:

Q: What is iptables?
A: Iptables is the interface used by administrators to interact with Netfilter modules. In other words, it is the program you use to configure the built-in firewall.

Q: I keep getting "iptables: command not found" or "access denied"
A: You are not root.

Q: It does not work
A: Not really a question. Yes, this does work; if you are having problems, check your IP/ports and type iptables -L to see all your rules.

Q: XYZ plugin is not working after I configure iptables
A: The only plugins that can be affected by this are ones that use sockets or require external information, like GameME or HLXstats. Make sure to add your log_serveraddress port to the allowed connections, and any other ports required. (I will post more info as I get the needed info, i.e. what ports GameME uses.)

Q: When I copied the commands they did not work
A: I am making this tut so you can set up your own rules; I am not doing it for you. If you do not understand, please ask; do not say they do not work.

Q: How do I set this up on a shared host, i.e. rented servers?
A: You can not. You have to have root access; if you have a VPS or dedicated server you should be good to go.

Note: If you are running an Ubuntu server you can use UFW.



Let's get started:

First off, let's get a list of the ports we need to allow traffic on and what protocol they use.

Service                               Protocol  Port(s)
FTP (Really, FTP guys....)            TCP       21
SSH                                   TCP       22
MySQL                                 TCP       3306
Steam Friends Service                 UDP       1200
Steam Main UDP                        UDP       27000
Steam Main TCP                        TCP       27020-27039
Steam CyberCafe                       TCP       27040-27041
Steam Dedicated Server (HLDS, SRCDS)  UDP       27015
Steam Dedicated Server HLTV           UDP       27020
Steam SRCDS Rcon                      TCP       27015

Now that we have our list of ports, we can make the rules/chains the firewall will use to allow or drop traffic.

To start out we are going to clear all our old rules and recreate the default chains.

Code:
iptables -F
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT

-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

Now we are going to allow all our needed traffic.

Code:
# Accept anything from localhost
iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT

# FTP
iptables -A INPUT -p tcp --dport 21 --jump ACCEPT

# SSH
iptables -A INPUT -p tcp --dport ssh --jump ACCEPT

# MySQL
iptables -A INPUT -p tcp --dport 3306 --jump ACCEPT

# Steam Friends Service
iptables -A INPUT -p udp --dport 1200 --jump ACCEPT

# Steam Main UDP
iptables -A INPUT -p udp --dport 27000 --jump ACCEPT

# Steam Main TCP (the whole 27020-27039 range from the port list above)
iptables -A INPUT -p tcp --dport 27020:27039 --jump ACCEPT

# Steam Dedicated Server HLTV
iptables -A INPUT -p udp --dport 27020 --jump ACCEPT

# your server info goes here (game traffic is UDP; without --jump the rule would match but do nothing)
iptables -A INPUT -p udp -d server-IP --dport server-port --jump ACCEPT

# allow rcon to those servers
iptables -A INPUT -p tcp -d server-IP --dport server-port --jump ACCEPT

# now to drop all other traffic on the privileged ports (1-1023) :)
iptables -A INPUT -p tcp --dport 1:1023 --jump DROP
iptables -A INPUT -p udp --dport 1:1023 --jump DROP

Now to break it down:

-A = Append one or more rules to the end of the selected chain, aka adds the rule to the chain.

-p = Protocol: tcp, udp, icmp, or all

--dport = destination port :)

--jump = Tells the firewall what to do if the packet matches the rule (the target).

Now that is all great for a basic firewall, but that does not help much with the DoS attack that still affects srcds...

To stop that we can use iptables in combination with another program called fail2ban. Fail2ban (pronounced "Fail 2 Ban") reads logs and takes actions based on what it finds.

First we have to install it:
Code:
apt-get install fail2ban

(or use yum)

Now just a little configuring.

Create a file called srcdsdos.conf:
Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf

Now copy this into the file (credits to cmer for this line):
Code:
[Definition]

# Matches the LOG lines written by the REJECT_FLOOD28/REJECT_FLOOD46 chains below.
# The LENGTH and LEN values must agree with the --log-prefix and --length used there
# (the iptables rules log 28 and 46, so the regex must accept 28|46 in both places).
failregex = IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)
ignoreregex =
Now open jail.conf, located in /etc/fail2ban/, and add:
Code:
[srcdsdos]
enabled  = true
# put your SRCDS ports in here (keep comments on their own line; fail2ban's ini
# parser does not treat a trailing # after a value as a comment)
port     = 27015,27025,27035
protocol = udp
filter   = srcdsdos
# the file your syslog writes the kernel LOG output to (on Debian this is
# typically /var/log/messages or /var/log/kern.log; adjust to match your system)
logpath  = /var/log/messages.log
maxretry = 3
bantime  = 6000
All that is left to do with fail2ban is restart it:
Code:
/etc/init.d/fail2ban restart

Now just add these rules to your iptables (credits once again to cmer):
Code:
# Create a chain that logs and drops the length-28 UDP flood packets
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP

# Create a chain that logs and drops the length-46 UDP flood packets
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP

# Insert (-I) at the top of INPUT so these are checked before the ACCEPT rule for
# your server port added earlier; appended with -A they would sit behind that
# ACCEPT and never match. -m length --length matches the total IP packet length.
iptables -I INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -I INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
Now if someone attacks you with the DoS exploit it will be stopped and logged in fail2ban.log.

These are just some of the things you can do with iptables; for more info read the man pages here: http://linux.die.net/man/8/iptables

Credits:
http://linux.die.net/man/8/iptables - for a detailed explanation of the commands

https://forums.alliedmods.net/member.php?u=51244 - for his fail2ban rules

http://en.wikipedia.org/wiki/Iptables - for the explanation of iptables

Last edited by Mavrick4283; 08-04-2011 at 17:56. Reason: Added UFW info
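The following is an added, runnable walk-through in Python; it is not code from the post or from cmer's rules. It models how the pieces above fit together: constructed packets are evaluated against the post's INPUT rules with iptables' first-match semantics, packets that hit a REJECT_FLOOD chain produce a kernel-style log line in the shape the failregex expects, and the corrected failregex is applied with maxretry = 3 to decide which hosts the srcdsdos jail would ban. It also shows why the flood rules must sit before the ACCEPT for the server port (the -I versus -A point). The server port 27015, the packet set, the MAC and DST values, and the simplified <HOST> substitution are assumptions made for this demo.

```python
import re
from collections import Counter

# failregex as corrected in the post (LENGTH and LEN both allow 28 or 46).
# fail2ban substitutes <HOST> with its own named capture group; for this
# offline demo we substitute a plain IPv4 pattern (an assumption, not
# fail2ban's exact group).
PAGE_FAILREGEX = (r"IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
                  r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)")
FAILREGEX = re.compile(PAGE_FAILREGEX.replace(
    "<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

SERVER_PORT = 27015  # stands in for your_port / server-port in the post (assumed)

# Each rule is a dict of match criteria plus a target; dport may be a (lo, hi) range.
FLOOD_RULES = [
    {"proto": "udp", "dport": SERVER_PORT, "length": 28, "target": "REJECT_FLOOD28"},
    {"proto": "udp", "dport": SERVER_PORT, "length": 46, "target": "REJECT_FLOOD46"},
]
BASE_RULES = [
    {"src": "127.0.0.1", "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "target": "ACCEPT"},
    {"proto": "udp", "dport": SERVER_PORT, "target": "ACCEPT"},
    {"proto": "tcp", "dport": SERVER_PORT, "target": "ACCEPT"},
    {"proto": "tcp", "dport": (1, 1023), "target": "DROP"},
    {"proto": "udp", "dport": (1, 1023), "target": "DROP"},
]


def input_chain(flood_rules_first):
    """-I puts the flood rules before the ACCEPTs; -A would put them after."""
    return FLOOD_RULES + BASE_RULES if flood_rules_first else BASE_RULES + FLOOD_RULES


def rule_matches(rule, pkt):
    """Every criterion present in the rule must match the packet."""
    for key in ("src", "proto", "length"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dport" in rule:
        lo, hi = rule["dport"] if isinstance(rule["dport"], tuple) else (rule["dport"],) * 2
        if not lo <= pkt["dport"] <= hi:
            return False
    return True


def kernel_log_line(pkt):
    """Constructed line in the shape of the netfilter LOG target output the regex expects."""
    return ("kernel: IPTABLES-FLOOD LENGTH %d: IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=%s DST=10.0.0.5 LEN=%d"
            % (pkt["length"], pkt["src"], pkt["length"]))


def evaluate(chain, packets, policy="ACCEPT"):
    """First-match walk of the INPUT chain; returns (verdicts, log lines)."""
    verdicts, logs = [], []
    for pkt in packets:
        verdict = policy
        for rule in chain:
            if rule_matches(rule, pkt):
                verdict = rule["target"]
                break
        if verdict.startswith("REJECT_FLOOD"):  # user chain: LOG, then DROP
            logs.append(kernel_log_line(pkt))
            verdict = "DROP"
        verdicts.append(verdict)
    return verdicts, logs


def hosts_to_ban(log_lines, maxretry=3):
    """What the srcdsdos jail would ban: hosts with maxretry or more matching lines."""
    hits = Counter()
    for line in log_lines:
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return sorted(host for host, n in hits.items() if n >= maxretry)


# Constructed traffic: two flood sources, one normal client, one telnet probe.
PACKETS = (
    [{"src": "203.0.113.9", "proto": "udp", "dport": SERVER_PORT, "length": 28}] * 4
    + [{"src": "198.51.100.7", "proto": "udp", "dport": SERVER_PORT, "length": 46}] * 2
    + [{"src": "192.0.2.44", "proto": "udp", "dport": SERVER_PORT, "length": 120},
       {"src": "192.0.2.44", "proto": "tcp", "dport": 23, "length": 60}]
)

if __name__ == "__main__":
    for first in (False, True):
        verdicts, logs = evaluate(input_chain(first), PACKETS)
        print("flood rules first=%s verdicts=%s logged=%d banned=%s"
              % (first, verdicts, len(logs), hosts_to_ban(logs)))
```

With the flood rules appended after the ACCEPT for the server port, every flood packet is accepted, nothing is logged, and fail2ban has nothing to act on; with them inserted first, the 28- and 46-byte packets are dropped and logged, and only the source that crossed maxretry ends up on the ban list.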
Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
07-30-2011, 17:31   Re: [Tut] Linux Iptables   #2

Please rate, and if you want to see a tut on anything else, Linux or Windows, please ask.

Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
08-04-2011, 00:15   Re: [Tut] Linux Iptables   #3

Move to Snippets and Tutorials please
Rizla (SourceMod Donor, Join Date: Jun 2010)
08-04-2011, 00:23   Re: [Tut] Linux Iptables   #4

It is also worth pointing out that you can secure your box more easily by changing from the default ports. I used to get loads of attempts to log in on SSH over port 22; I changed the port to a more obscure one and now don't get any at all.

Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
08-04-2011, 00:43   Re: [Tut] Linux Iptables   #5

Yes, you can do that; I was just showing how the firewall works. Even if you change the SSH port I would still be running a firewall to help prevent attacks. Also, just changing the port SSH is running on does not make your box "secure"; it just means that most automated scripts will not see it. The firewall can allow you to block port scans as well as limit the number of times someone can connect to your SSH or other services like FTP. But anyway, you are correct in that changing the port of SSH is easier than setting up the firewall.

Obsidian (Senior Member, Join Date: Jun 2011)
08-04-2011, 15:10   Re: [Tut] Linux Iptables   #6

Denyhosts is worth a mention as well.

Also, ufw may be simpler for a newcomer to the server admin world to understand; it's a syntax sweetener for iptables, and much more straightforward to work with. I know there are quite a few tuts on Ubuntu's forums about it, so no need to go over it, just link to them.
Rizla (SourceMod Donor, Join Date: Jun 2010)
08-04-2011, 15:40   Re: [Tut] Linux Iptables   #7

What I meant by changing the ports: obviously you should still use a firewall, but it makes it easier to secure.

Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
08-04-2011, 17:45   Re: [Tut] Linux Iptables   #8

Quote:
Originally Posted by Obsidian
Denyhosts is worth a mention as well.

Also, ufw may be simpler for a newcomer to the server admin world to understand; it's a syntax sweetener for iptables, and much more straightforward to work with. I know there's quite a few tuts on Ubuntu's forums about it, so no need to go over it, just link to them.
Ya, UFW is great for new Linux admins, BUT it is only on Ubuntu by default, and it does not allow for some of the more complex rules. Here is a list of things it can do:

https://wiki.ubuntu.com/UncomplicatedFirewall

Also on that page are links to the manuals if you are using those versions of Ubuntu.

As for Denyhosts, that is great for stopping people who keep attacking you, but I would rather just use iptables to only allow my IP to access SSH. I also have port knocking set up just in case my IP changes.

I will add links to UFW to the tut for Ubuntu users though; thanks for the info.


Quote:
Originally Posted by Rizla
What I meant by changing the ports: obviously you should still use a firewall, but it makes it easier to secure.
Like I said before, changing the port just makes it so a lot of automated scripts do not see SSH running on 22, but if they run a port scan they can still see the SSH banner. The best way to make SSH secure is the following:
  • Use Protocol 2 ONLY
  • Do not ForwardX11 unless you have a GUI installed (you should not on servers)
  • Use AllowUsers
  • Turn PasswordAuthentication off
  • Prevent root login
  • Change the port

I would not allow external connections until that is at least done; there is more you can do with chroot and PAM, but that will keep most script kiddies out.

Last edited by Mavrick4283; 08-04-2011 at 17:54.
Rizla (SourceMod Donor, Join Date: Jun 2010)
08-05-2011, 13:20   Re: [Tut] Linux Iptables   #9

+ Denyhosts has to allow the connection into the box first to see if it's on the list of hosts to deny.

apf can drop it before that, iirc.

Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
08-05-2011, 14:40   Re: [Tut] Linux Iptables   #10

Quote:
Originally Posted by Rizla
+ Denyhosts has to allow the connection into the box first to see if it's on the list of hosts to deny.

apf can drop it before that, iirc.
Ya, I did not even think of that, lol.

BTW, at the risk of sounding like a noob, what does iirc mean?