Useful iptables commands to secure your server

Created 3 years ago

A list of iptables commands you can use to secure your server

What is iptables?


iptables is a Linux packet-filtering firewall that lets you define rules for incoming and outgoing packets. There are various commands/rules you can use to block players and bots from connecting to your server.


Top 5 Commands:



1. Block fake clients/fake bots from connecting to your server:


Commands:
iptables -A INPUT -m string --algo bm --string "connect" -m recent --set --name CONNECT

iptables -A INPUT -m recent --update --seconds 1 --hitcount 2 --name CONNECT -j REJECT --reject-with icmp-port-unreachable
Basically, these two rules look for a "connect" packet (every new player sends one when joining a server) and then check whether more than one arrives from the same source within a second. If so, further connection attempts from that IP address are blocked for a short period and answered with a 'port unreachable' error. This is enough to make q3fill stop working.

Note: The CoD 1.1 server addon "codextended" prevents bots from connecting to your server by default. Visit cod1.eu for more information.

The "block fake clients" command has been taken from cheese's "how to block bots via iptables" tutorial on wy6.org, which closed in January 2015. Cheese allowed us to post his tutorials on think-clan.com.


2. Fix the "q3msgboom" exploit:


Command:
iptables -A INPUT -p udp --dport 28960 -m length --length 600:0xFFFF -j DROP
This rule mitigates the "q3msgboom" exploit by dropping every UDP packet to port 28960 that is larger than 600 bytes (change the port to match your setup). By default CoD never sends packets larger than roughly 300-400 bytes, so it is safe to drop anything above 600.

What is the "q3msgboom" exploit? If a client sends any command longer than 1022 chars, the server will crash. See the full description here: http://aluigi.altervista.org/adv/q3msgboom-adv.txt


3. Block an IP-Address from connecting to your server:

iptables -A INPUT -s 192.0.2.0 -j DROP
This blocks the IP address "192.0.2.0". The blocked user will neither be able to connect to your server nor see it in the master list, and if he attempts to connect to it directly he will simply get a timeout, as if the server did not exist.


4. Block an entire IP-Range:


Command:
iptables -A INPUT -m iprange --src-range 192.0.2.0-192.0.2.255 -j DROP
This blocks every IP address between 192.0.2.0 and 192.0.2.255.

If a banned user or flooder changes his IP very often, it is good practice to ban his entire IP range. An IP range here means the block of addresses assigned to an internet service provider.

To find out which range an IP address belongs to, open the RIPE Whois Database, enter the IP address and copy the "inetnum" range. If RIPE has no information about the IP, try a whois query at ICANN or IANA.


5. Block an entire IP-Subnet:


Command:
iptables -A INPUT -s 192.0.0.0/16 -j DROP
Banning an IP subnet is similar to banning a range. Some providers (especially if you are on a VPS) may not allow the iprange match used above (for whatever reason).

You can then still ban IP ranges via subnets. The rule above blocks 192.0.0.0/16, i.e. every address of the form 192.0.x.x.



Things you should know:


1. Be cautious when applying a firewall rule. You can easily lock yourself out of your own server simply by mistyping a rule.

2. iptables rules are not restored after a server restart, so you either have to apply them again or put all the commands/rules in a file and execute it after every start. This way you keep track of your rules and won't lose them. Don't forget to clear all your rules before executing the firewall file again.

See this for more information: http://www.adminsehow.com/2009/08/how-to-clear-all-iptables-rules/

3. If you have banned a person but even IP-range bans don't work and he manages to change his IP address very often, he is most likely using a VPN service.

The good news is that these people mostly use "free" VPNs, which are typically well known and detectable. In this case it is best to use a blocklist such as "Project Honeypot" or "spamhaus.org"; these blacklists are easy to integrate into iptables. See this post for more information: http://whatswhat.no/computer/linux/linux-server/549-linux-iptables-block-known-spammers-with-spamhaust-droplist

4. You can see a list of all applied iptables rules with the command iptables -L -n

5. If you are on a Windows machine, it is better to install a firewall like Comodo and apply IP/IP-range bans there.

6. If your server is hosted by a gameserver company and you don't have direct access to the machine, you are out of luck: there is no way to apply firewall rules. The only way to block IP ranges then is to use a ban tool like "Rafi's 24/7 Online Bantool", which has such features.
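A firewall file that puts commands 1 to 5 together in the order notes 1 and 2 ask for, added here as an example (it is not the tutorial author's script). It assumes the game server listens on UDP 28960 and that you administer the box over SSH on TCP 22, and it scopes the "connect" rules to the game port so that other services' traffic containing that word is not counted.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumptions: game server
# on UDP 28960, SSH on TCP 22. Usage: ./firewall.sh apply | ./firewall.sh clear
# DRY_RUN=1 prints the iptables commands instead of running them.
GAME_PORT="${GAME_PORT:-28960}"
SSH_PORT="${SSH_PORT:-22}"

# Print or execute one iptables invocation, depending on DRY_RUN.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Clear the INPUT chain before re-applying this file (note 2 above).
clear_rules() {
    run_ipt -P INPUT ACCEPT
    run_ipt -F INPUT
}

# Allow loopback, replies to our own traffic and SSH first, so a typo
# further down cannot lock you out of the box (note 1 above).
allow_admin() {
    run_ipt -A INPUT -i lo -j ACCEPT
    run_ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run_ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Game-server rules from commands 1 and 2, limited to UDP and the game
# port so that packets for other services are never matched.
protect_game_port() {
    # q3msgboom: drop UDP packets larger than 600 bytes
    run_ipt -A INPUT -p udp --dport "$GAME_PORT" -m length --length 600:65535 -j DROP
    # fake clients: more than one "connect" per second from one source
    run_ipt -A INPUT -p udp --dport "$GAME_PORT" -m string --algo bm --string "connect" -m recent --set --name CONNECT
    run_ipt -A INPUT -p udp --dport "$GAME_PORT" -m recent --update --seconds 1 --hitcount 2 --name CONNECT -j REJECT --reject-with icmp-port-unreachable
}

# Ban a single address or a CIDR block (commands 3 and 5), e.g. 192.0.0.0/16.
ban_source() {
    run_ipt -A INPUT -s "$1" -j DROP
}

case "${1:-}" in
    apply) clear_rules; allow_admin; protect_game_port ;;
    clear) clear_rules ;;
esac
```

Run it with DRY_RUN=1 first and read the printed commands before applying them for real.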



That's it! If you have any questions feel free to ask them in the comment section.

Tutorial Details

Created: 3 years ago by alien

Views: 4995

Keywords: iptables, firewall, ban, block, flood, range

2 Comments

Getstatus flood protect
-A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
-A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

Commented by RC  (Feb 11th, 2016 10:26 PM)

# 3 connections limit for one ip address to port 28960 (Quake 3 engine fake players fix)
iptables -A INPUT -p udp --dport 28960 -m connlimit --connlimit-above 3 -j DROP
Commented by #coP  (Oct 10th, 2016 12:50 PM)