DESCRIPTION :
Just put these iptables rules on your server and it will be 90% secure against DDoS or DoS attacks.
What each rule does, in the same order as the code below:
1. Allows connections over the loopback interface (local processes such as bots or SourceTV).
2. Creates a new chain, Check_Packet, that inspects the packets.
3. This is a very important rule. Suppose your server has a tickrate of 66; then you must set the hashlimit rate and burst to 100 (preference: 20 to 30 above your server tickrate). Change this value according to your server tickrate.
4. Checks the packet length. No need to change anything.
5. Checks the header of a connected game packet; if it matches, the packet is accepted.
6. Checks for the connectionless (query) packet marker; if it matches, the packet is accepted.
7. If no rule matches, the packet is dropped completely.
8. If a source sends more than 100 packets per second, its packets are dropped.
9. Allows TCP connections on the listed ports. If you want to remove any port, do so according to your requirements.
10. Allows packets from previously established connections.
CREDITS :
WeSMan (original post: Here)
Xtreme_killer (for improving some wrong code)
IPTABLES :
Don't paste the lines starting with # (they are comments).
Code:
# Allow connections over the loopback interface (local processes such as bots or SourceTV)
iptables -A INPUT -i lo -j ACCEPT
Code:
# Create a packet inspection chain
iptables -N Check_Packet
Code:
# Per source IP: while a source stays at or below 100 packets per second (burst 100) on ports 27015 and 27016, send its packets to the inspection chain
iptables -A INPUT -p udp -m multiport --dports 27015,27016 -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name CSS -j Check_Packet
Code:
# Check the packet length: drop packets of 30 bytes or less and packets of 900 bytes or more
iptables -A Check_Packet -p udp -m length --length :30 -j DROP
iptables -A Check_Packet -p udp -m length --length 900: -j DROP
No need to change anything.
Code:
# Check the header of a connected game packet: load the 4 bytes at offset 28 (start of the UDP payload with a 20-byte IP header), keep the low byte and require it to be 0x00
iptables -A Check_Packet -p udp -m u32 --u32 "28 & 0xFF = 0x00" -j ACCEPT
Code:
# Accept connectionless (query/challenge) packets, which carry the 0xFFFFFFFF marker
iptables -A Check_Packet -p udp -m string --hex-string "|ffffffff|" --algo kmp -j ACCEPT
Code:
# If none of the rules above matched, drop the packet
iptables -A Check_Packet -p udp -m udp -j DROP
Code:
# Anything that did not pass the hashlimit rule above (more than 100 packets per second from one source) reaches this rule and is dropped
iptables -A INPUT -p udp -m udp -m multiport --dports 27015:27016 -j DROP
Code:
# Allow TCP connections on the ports we need
iptables -A INPUT -p tcp -m multiport --dports 22,27015,27016,80,443 -j ACCEPT
Port 22 - SSH port.
Port 27015, 27016 - game ports (TCP is used for RCON).
Port 80 - HTTP port (Apache).
Port 443 - HTTPS port (if your server uses HTTPS).
This allows TCP connections on those ports.
Code:
# Allow packets belonging to previously established connections (this only has an effect if the INPUT chain's default policy is DROP, which these rules do not set)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
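The ruleset above as one parameterized script, added here as an example; it is not part of the original post and not the original author's code. It prints the same rules with the hashlimit value derived from the tickrate instead of hand-edited (the post's "20 to 30 above the tickrate" rule of thumb, rounded up to a multiple of 10, which is this script's own choice), and only applies them when you pass --apply. The chain name Check_Packet and the ports come from the post; the rounding, the function names and the --print/--apply flags are this script's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's ruleset from a
# tickrate and port lists so the hashlimit value is derived, not hand-edited.
# Assumptions: the +30 headroom and rounding up to a multiple of 10 are this
# script's choices; the chain name and ports come from the post.

CHAIN="Check_Packet"

# Packets per second to allow per source IP: tickrate + 30, rounded up to a multiple of 10.
# pps_for_tickrate 66 -> 100, 100 -> 130, 128 -> 160
pps_for_tickrate() {
    raw=$(( $1 + 30 ))
    echo $(( (raw + 9) / 10 * 10 ))
}

# Print the iptables commands (nothing is applied here).
#   $1 tickrate, $2 UDP game ports (multiport syntax), $3 TCP ports to allow
build_rules() {
    pps=$(pps_for_tickrate "$1")
    udp_ports="$2"
    tcp_ports="$3"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -N $CHAIN
iptables -A INPUT -p udp -m multiport --dports $udp_ports -m hashlimit --hashlimit-upto ${pps}/sec --hashlimit-burst $pps --hashlimit-mode srcip --hashlimit-name CSS -j $CHAIN
iptables -A $CHAIN -p udp -m length --length :30 -j DROP
iptables -A $CHAIN -p udp -m length --length 900: -j DROP
iptables -A $CHAIN -p udp -m u32 --u32 "28 & 0xFF = 0x00" -j ACCEPT
iptables -A $CHAIN -p udp -m string --hex-string "|ffffffff|" --algo kmp -j ACCEPT
iptables -A $CHAIN -p udp -j DROP
iptables -A INPUT -p udp -m multiport --dports $udp_ports -j DROP
iptables -A INPUT -p tcp -m multiport --dports $tcp_ports -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Apply the rules; refuse to run twice, since -A would append a second copy of every rule.
apply_rules() {
    if iptables -nL "$CHAIN" >/dev/null 2>&1; then
        echo "chain $CHAIN already exists; flush and delete it before re-applying" >&2
        return 1
    fi
    build_rules "$1" "$2" "$3" | sh -e
}

# Usage: ./rules.sh --print 66   or, as root:   ./rules.sh --apply 66
case "${1:-}" in
    --print) build_rules "${2:-66}" 27015,27016 22,27015,27016,80,443 ;;
    --apply) apply_rules "${2:-66}" 27015,27016 22,27015,27016,80,443 ;;
esac
```

Run it with --print first and compare the output against the blocks above; --apply pipes the same lines into a shell and bails out if the chain already exists. Once the rules are in, `iptables -L Check_Packet -v -n` shows per-rule packet and byte counters, so a rising counter on the final DROP rule is how you tell the filter is actually catching something. Decide the INPUT default policy deliberately: the ESTABLISHED rule only matters with `iptables -P INPUT DROP`, and if you set that, confirm SSH still works before closing your session.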