Server Protection against DDOSERS and DOSERS.

XTreme killer

Active member
RIS Admin
Content Writer
Just put these IP-Tables in your server & your server will be 90% secure against ddos or dos attack.


Don't put the lines starting with #.

# Allow local network connections
iptables -A INPUT -i lo -j ACCEPT
This allows local network to access this network (like bots or Source TV).

# Create a packet inspection chain
iptables -N Check_Packet
This creates a New Chain to check the packets.

# If the number of packets does not exceed 100 per second on ports 27015 and 27016, then redirect to the packet inspection chain
iptables -A INPUT -p udp -m multiport --dports 27015,27016 -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name CSS -j Check_Packet
This is very important rule.. Suppose your sever has tick rate of 66, then you must have a value of hashlimit and hashburst to 100 (Preference : +20 - +30 from your server tick rate). Change this value according to your server tickrate.

# Check packages for length. Not less than 30 and not more than 900
iptables -A Check_Packet -p udp -m length --length :30 -j DROP
iptables -A Check_Packet -p udp -m length --length 900: -j DROP
This checks the packets length.
No need to change anything.

# Check the first 8 bits of the game packet
iptables -A Check_Packet -p udp -m u32 --u32 "28 & 0xFF = 0x00" -j ACCEPT
This checks if the packet is from game, then accept the packet.

# Check the first 8 bits of the request to the
iptables -A Check_Packet -p udp -m string --hex-string "| ffffffff |" --algo kmp -j ACCEPT
This checks if the packet is from game, then accept the packet.

# If none of the rules is included, then throw out the
iptables -A Check_Packet -p udp -m udp -j DROP
If none rules matches, then disallow the packet completely.

# If there are more than 100 packets per second, then drop them
iptables -A INPUT -p udp -m udp -m multiport --dports 27015:27016 -j DROP
If there are more than 100 packets per second, then drop them.

# Allow our favorite TCP connection
iptables -A INPUT -p tcp -m multiport --dports 22,27015,27016,80,443 -j ACCEPT
Port 22                                         - SSH port.
Port 27015, 27016                               - Game port (used for rcon).
Port 80                                        - HTTP port ( apache port)
Port 443                                       - HTTPS port (if your server uses https protocol).
If you want to remove any port, do according to your requirements.
This allows TCP ports to connect.

# Allow previously established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
This allows previously established connections to accept.

WeSMan ( original post : Here)
Xtreme_killer ( for improving some wrong codes)
Last edited:


Staff member
Yes. For single IP DoS protection, this is enough. Large scale DDoS attacks can be prevented only by the VPS provider.
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features of our website. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock