Firewall Linux. (protect your CSS server)


MorgenDavid
BANNED
Join Date: Mar 2010
Old 09-12-2012 , 19:30   Firewall Linux. (protect your CSS server)

This is my custom firewall I use for my CSS server.

Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere /* Accepte Interface locale */
2 DROP all -- anywhere anywhere state INVALID /* Protection Packet non valide */
3 fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh /* Fail2Ban Rules */
4 DROP icmp -- anywhere anywhere icmp echo-request length 128:65535
5 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 4/sec burst 8
6 ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 4/sec burst 8
7 DROP icmp -- anywhere anywhere
8 DROP tcp -- anywhere anywhere recent: UPDATE seconds: 21600 name: w00tlist side: source
9 w00t tcp -- anywhere anywhere
10 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* Accepte les Conn etablie */
11 DROP udp -- anywhere anywhere multiport dports 27014:27020 length 0:32 /* CSS: Rejette les packets trop petit */
12 DROP udp -- anywhere anywhere multiport dports 27014:27020 length 2521:65535 /* CSS: Rejette les packets trop grand */
13 ACCEPT udp -- anywhere anywhere multiport dports 27014:27020 state NEW limit: up to 1/sec burst 3 mode srcip-dstport
14 DROP udp -- anywhere anywhere multiport dports 27014:27020 /* CSS: Protection flood UDP */
15 DROP all -- anywhere anywhere PKTTYPE = broadcast /* No BroadCast */
16 DROP all -- anywhere anywhere PKTTYPE = multicast /* No MultiCast */
17 PORTSCAN all -- anywhere anywhere /* Protection Scan */
18 SPOOFED all -- anywhere anywhere /* Protection IP SPOOFED */
19 DROP tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,PSH,ACK,URG/SYN state NEW /* Protection TCP non Syn */
20 syn-flood tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN /* Protection Syn Flood */
21 udp-flood udp -- anywhere anywhere multiport dports 27014:27020 /* Protection UDP Flood */
22 DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn /* Protection NetBios */
23 DROP all -- anywhere anywhere source IP range 91.212.226.0-91.212.226.255 /* Russe */
24 DROP all -- anywhere anywhere source IP range 80.237.56.0-80.237.63.255 /* Russe 2 */
25 DROP all -- anywhere anywhere source IP range 114.200.0.0-114.207.255.255 /* Coree du Sud */
26 DROP all -- anywhere anywhere source IP range 122.164.128.0-122.164.191.255 /* Inde */
27 DROP all -- anywhere anywhere source IP range 183.0.0.0-183.63.255.255 /* Chine */
28 DROP all -- 118-160-0-0.dynamic.hinet.net/13 anywhere /* Taiwan */
29 DROP all -- 187.103.96.0/19 anywhere /* Bresil */
30 LOG_DROP all -- ARouen-652-1-369-219.w90-17.abo.wanadoo.fr anywhere /* Cali */
31 LOG_DROP all -- ip-150.net-89-3-63.rev.numericable.fr anywhere /* Cheater CALI GE */
32 LOG all -- anywhere anywhere /* LOG pour psad */ LOG level warning

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 LOG all -- anywhere anywhere /* LOG pour psad */ LOG level warning

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED /* Marquage du traffic UDP */
2 ACCEPT all -- anywhere anywhere /* Accepte tous traffic sortant */

Chain LOG_DROP (2 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 6/hour burst 1 LOG level warning tcp-options prefix "Drop Res/Ban address: "
2 DROP all -- anywhere anywhere

Chain PORTSCAN (1 references)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere tcpflags: FIN,ACK/FIN /* Fin Packets Scan */
2 DROP tcp -- anywhere anywhere tcpflags: PSH,ACK/PSH
3 DROP tcp -- anywhere anywhere tcpflags: ACK,URG/URG
4 DROP tcp -- anywhere anywhere tcpflags: FIN,RST/FIN,RST
5 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN /* XMAS Packets */
6 DROP tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST
7 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG /* XMAS Packets */
8 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE /* NULL Packets */
9 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
10 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG
11 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG

Chain SPOOFED (1 references)
num target prot opt source destination
1 DROP all -- loopback/8 anywhere
2 DROP all -- link-local/16 anywhere
3 DROP all -- 172.16.0.0/12 anywhere
4 DROP all -- 192.0.2.0/24 anywhere
5 DROP all -- 192.168.0.0/16 anywhere
6 DROP all -- localnet/8 anywhere
7 DROP all -- base-address.mcast.net/4 anywhere
8 DROP all -- 240.0.0.0/4 anywhere
9 RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere

Chain syn-flood (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
2 DROP all -- anywhere anywhere

Chain udp-flood (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere limit: avg 48/sec burst 48
2 DROP all -- anywhere anywhere

Chain w00t (1 references)
num target prot opt source destination
1 tcp -- anywhere anywhere recent: SET name: DEFAULT side: source tcp dpt:httpflags: FIN,SYN,RST,ACK/SYN
2 tcp -- anywhere anywhere recent: UPDATE name: DEFAULT side: source tcp spt:httpflags: SYN,PSH,ACK/SYN,ACK
3 tcp -- anywhere anywhere recent: UPDATE name: DEFAULT side: source tcp dpt:httpflags: SYN,PSH,ACK/ACK
4 w00tchain tcp -- anywhere anywhere recent: REMOVE name: DEFAULT side: source tcp dpt:httpflags: PSH,ACK/PSH,ACK STRING match "|485454502f312e310d0a0d0a|" ALGO name bm TO 80

Chain w00tchain (1 references)
num target prot opt source destination
1 REJECT tcp -- anywhere anywhere recent: SET name: w00tlist side: source reject-with tcp-reset

Hope you like it ;)


Last edited by asherkin; 09-23-2012 at 22:36. Reason: Restored post.
Russianeer
SourceMod Donor
Join Date: Feb 2011
Old 09-12-2012 , 20:48   Re: Firewall Linux. (protect your CSS server)

Why would you drop New York? I know it's commented out, but you had it there in the first place.

Last edited by Russianeer; 09-12-2012 at 20:49.
MorgenDavid
BANNED
Join Date: Mar 2010
Old 09-12-2012 , 21:20   Re: Firewall Linux. (protect your CSS server)

Quote:
Originally Posted by Russianeer View Post
Why would you drop New York? I know it's commented out, but you had it there in the first place.
Why?.... Hummm..... Why not?

I don't need/want people from some regions.

Feel free to change what you want.
Russianeer
SourceMod Donor
Join Date: Feb 2011
Old 09-12-2012 , 21:50   Re: Firewall Linux. (protect your CSS server)

Quote:
Originally Posted by MorgenDavid View Post
Why?.... Hummm..... Why not?

I don't need/want people from some regions.

Feel free to change what you want.
I wasn't trying to prevent you from blocking anyone; I was rather curious.
MorgenDavid
BANNED
Join Date: Mar 2010
Old 09-13-2012 , 13:31   Re: Firewall Linux. (protect your CSS server)

New version 1.6.
More and more effective.
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 09-13-2012 , 18:16   Re: Firewall Linux. (protect your CSS server)

I recommend dropping all ICMP requests; see the post in my signature for references on packet types to firewall.

4 DROP icmp -- anywhere anywhere icmp echo-request length 128:65535
5 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 4/sec burst 8
6 ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 4/sec burst 8
7 DROP icmp -- anywhere anywhere

The only traffic you need is TCP and UDP. If you're not using RCON or running a web server, then all you need is UDP, since remote connections and game servers run their traffic on UDP, so all other packet types can be blocked.

Last edited by C0nw0nk; 09-13-2012 at 18:18.
MorgenDavid
BANNED
Join Date: Mar 2010
Old 09-14-2012 , 05:46   Re: Firewall Linux. (protect your CSS server)

Quote:
Originally Posted by C0nw0nk View Post
I recommend dropping all ICMP requests; see the post in my signature for references on packet types to firewall.

4 DROP icmp -- anywhere anywhere icmp echo-request length 128:65535
5 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 4/sec burst 8
6 ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 4/sec burst 8
7 DROP icmp -- anywhere anywhere
Huh? Why?
I want to be able to ping the server.

Quote:
Originally Posted by C0nw0nk View Post
The only traffic you need is TCP and UDP. If you're not using RCON or running a web server, then all you need is UDP, since remote connections and game servers run their traffic on UDP, so all other packet types can be blocked.
Maybe... but... have you seen that the default rules are set to ACCEPT?
This is not a firewall of the type "DROP all, ACCEPT what I want" but "ACCEPT all, DROP what I don't want".

Some people don't have only CSS on the server.

++
Mavrick4283
Veteran Member
Join Date: Apr 2010
Location: 127.0.0.1@root
Old 09-14-2012 , 16:06   Re: Firewall Linux. (protect your CSS server)

Quote:
Originally Posted by MorgenDavid View Post
Huh? Why?
I want to be able to ping the server.


Maybe... but... have you seen that the default rules are set to ACCEPT?
This is not a firewall of the type "DROP all, ACCEPT what I want" but "ACCEPT all, DROP what I don't want".

Some people don't have only CSS on the server.

++
The rules he gave you do allow you to ping, but drop pings if someone is "spamming".

If you have your firewall on policy ACCEPT, then you might as well have it turned off.....

True, but if you are going to be running more than game servers, you really should have a different server for the different programs, i.e. a web server for your DB/website, and then your game server. This will allow you to harden your server better against attacks and will reduce the chance of one or the other becoming compromised and losing everything or having your data leaked.

(And yes, I know servers are not cheap....)

Also, not to bash you too hard, but that looks like you just copied some rules into a shell template; only saying that because you could not read the rule C0nw0nk posted....
MorgenDavid
BANNED
Join Date: Mar 2010
Old 09-14-2012 , 16:31   Re: Firewall Linux. (protect your CSS server)

Quote:
Originally Posted by Mavrick4283 View Post
The rules he gave you do allow you to ping, but drop pings if someone is "spamming".
Lol ;)
He didn't give me anything; he just quoted a part of the script.
He recommended that I drop all ICMP packets..

Quote:
Originally Posted by Mavrick4283 View Post
If you have your firewall on policy ACCEPT, then you might as well have it turned off.....
No, that's reasoning like Microsoft's that you have.
I suggest you learn more about firewalls. ;)

Quote:
Originally Posted by Mavrick4283 View Post
True, but if you are going to be running more than game servers, you really should have a different server for the different programs, i.e. a web server for your DB/website, and then your game server. This will allow you to harden your server better against attacks and will reduce the chance of one or the other becoming compromised and losing everything or having your data leaked.

(And yes, I know servers are not cheap....)
Unnecessary and futile/stupid debate about something obvious.

Quote:
Originally Posted by Mavrick4283 View Post
Also, not to bash you too hard, but that looks like you just copied some rules into a shell template; only saying that because you could not read the rule C0nw0nk posted....
"Just copied some rules"???
If you do not understand, I'm sorry for you, but I can't help you.

++
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 09-14-2012 , 17:43   Re: Firewall Linux. (protect your CSS server)

Quote:
Originally Posted by MorgenDavid View Post
Huh? Why?
I want to be able to ping the server.


Maybe... but... have you seen that the default rules are set to ACCEPT?
This is not a firewall of the type "DROP all, ACCEPT what I want" but "ACCEPT all, DROP what I don't want".

Some people don't have only CSS on the server.

++

Yes, but if you're running multiple game servers, as long as you do not specify ports or IP addresses in a blacklist, then you are free to choose to block all TCP and accept UDP traffic.

The reason I bring it up is that it may seem a bit of an overkill on security, but it prevents people flooding packet types into the server that you would never be using.

PS: If you need TCP for RCON or web access, as Killing Floor servers require, then block everyone else and allow access to a whitelist of admins' IPs; still more secure than providing the world with it.

Last edited by C0nw0nk; 09-14-2012 at 17:47.
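The two positions in this thread can be put side by side in code. The listing in the first post is "ACCEPT all, DROP what I don't want" (policy ACCEPT, with a long list of DROP rules in front of it); the later replies argue for the reverse. The script below is an added example, not the original poster's script and not anything from this forum: it rebuilds the CSS-specific protections from that listing (the loopback and conntrack rules 1, 2 and 10, the rate-limited ping of rules 4 to 7, the syn-flood chain of rule 20, and the UDP length bounds, per-source new-flow limiter and udp-flood chain of rules 11 to 14 and 21) on top of a default-DROP INPUT policy, with SSH restricted to an admin network as suggested in the last reply. The port range 27014:27020 and the packet-size bounds 0:32 and 2521:65535 are taken from the listing; the admin network 203.0.113.0/24, the hashlimit table name css-new and the log prefix are assumptions for illustration. By default the script only prints the iptables commands (IPT defaults to "echo iptables"); run it as root with IPT=iptables to apply them. One ordering point worth noticing in the original listing: rule 14 drops every UDP packet to the game ports that rule 13 did not accept, so the udp-flood chain at rule 21 never sees a packet for those ports; here the udp-flood limiter is placed before the per-source check so that it is actually reached.

```shell
#!/bin/sh
# Added example (not the original poster's script): the CSS protections from the
# thread's listing rebuilt as a default-DROP ruleset.
# Dry run by default: commands are printed, not applied.
# To apply for real (as root):  IPT=iptables sh css-firewall.sh
IPT="${IPT:-echo iptables}"

GAME_PORTS="27014:27020"      # from the listing: CSS server ports
ADMIN_NET="203.0.113.0/24"    # assumption (documentation range); replace with your admin network

build_rules() {
    # Default-deny for inbound and forwarded traffic; outbound stays open,
    # as in the original OUTPUT chain.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -N syn-flood 2>/dev/null || true
    $IPT -F syn-flood
    $IPT -N udp-flood 2>/dev/null || true
    $IPT -F udp-flood

    # Rules 1, 2 and 10 of the listing: loopback, invalid packets, tracked flows.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Rules 4 to 7: ping stays reachable (the poster wants it) but oversized
    # echo requests are dropped and the rest are rate-limited. Replies to our
    # own pings are already covered by the ESTABLISHED rule above, and any
    # other ICMP falls through to the DROP policy.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/sec --limit-burst 8 -j ACCEPT

    # Rule 20: new TCP connection attempts pass through the syn-flood limiter,
    # then SSH is admitted only from the admin network (whitelist, not blacklist).
    $IPT -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
    $IPT -A syn-flood -j DROP
    $IPT -A INPUT -p tcp --syn -j syn-flood
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Rules 11 and 12: CSS packet-size sanity checks on the game ports.
    $IPT -A INPUT -p udp -m multiport --dports "$GAME_PORTS" -m length --length 0:32 -j DROP
    $IPT -A INPUT -p udp -m multiport --dports "$GAME_PORTS" -m length --length 2521:65535 -j DROP

    # Rule 21: global limiter on new game-port flows (only NEW packets get here,
    # ESTABLISHED ones were accepted above), placed where it is reachable.
    $IPT -A udp-flood -m limit --limit 48/sec --limit-burst 48 -j RETURN
    $IPT -A udp-flood -j DROP
    $IPT -A INPUT -p udp -m multiport --dports "$GAME_PORTS" -j udp-flood

    # Rule 13: at most one new flow per second (burst 3) per source IP and
    # destination port. Anything over the limit hits the DROP policy, which
    # replaces the explicit DROP of rule 14. Table name css-new is assumed.
    $IPT -A INPUT -p udp -m multiport --dports "$GAME_PORTS" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 \
        --hashlimit-mode srcip,dstport --hashlimit-name css-new -j ACCEPT

    # Rule 32 equivalent: a rate-limited log sample of what the policy drops
    # (prefix assumed), so psad or a log watcher still sees it.
    $IPT -A INPUT -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "INPUT drop: "
}

build_rules
```

Because the policy is DROP, every service the box really runs (web, RCON, a second game server) needs its own ACCEPT line before the final LOG rule, which is the point of Mavrick4283's remark about separating roles onto different machines: the fewer services on the host, the shorter and more auditable that list is.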