OVH Game server: GoldSrc Counter-Strike 1.6 freezes under a packet flood, CPU spikes to 200 and above

amsaal (Member)
edited July 2020 in Help

For about a month I have been having a problem with my Counter-Strike 1.6 game server hosted on an OVH Game VPS. When the flood happens, port 27015 stops responding, and when I look closely it says: [REUNION]: Query flood blocking: 37022 pps

In my iptables I can see that one u32 rule has a large number of dropped packets.

I want to rate-limit that, so that when the packets come they are slowed down and do not freeze the OVH Game server and leave my port 27015 not responding.

Whenever the flood comes, the CPU spikes. I asked OVH Game by email about this situation, but so far there is no fix.

So I am asking whether the rule with the dropped packets can be given an average limit so that it does not flood my port 27015.

The players who are already inside do not have issues, but port 27015 does not show up in favourites, in the server browser, or in the GameTracker monitoring system.

See the image below, and tell me how I can limit the average PPS.

image deleted!!

Thanks.

Comments

  • SplitIce (Member, Host Rep)
    edited July 2020

    Hi,

    Ah, an A2S flood. You pissed off someone smarter than average.

    We can cache A2S queries for mitigation purposes (Standard & Premium lines only). A ticket is required to activate. A2S caching is normally a paid feature. Happy to help out someone receiving a flood, however (for the length of the flood).

    You can't rate-limit the queries without being hidden from global server lists, unfortunately, as you will block those querying normally too (assuming the attacker is spoofing, as they likely will be).

    Thanked by 3: amsaal, Edmond, pike
  • amsaal (Member)

    Will the ping be the same for all players if I get this?

  • SplitIce (Member, Host Rep)

    Hi,

    During the time the A2S cache is active for mitigation purposes, your ping will display lower. However, that will end when the attack ends.

    A2S caching is a paid feature sponsored by a couple of customers of ours. We can offer it to you for mitigation purposes only (not latency optimization / listing optimization), for free. Offering it to you for ping reduction would be unfair to those who fund it (development & maintenance).

    As for general latency, that is a factor of distance. Our locations are public (https://www.x4b.net/datacenters & https://www.x4b.net/protection/prices); the looking glass is also available for route checks.

    Thanked by 1: amsaal
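The A2S_INFO cache SplitIce describes, as an added example that is not x4b's A2S Cache code: a small Python model of the cache decision (serve A2S_INFO from a cached S2A_INFO reply for a TTL, hand everything else to the game server) plus an offline simulation of a uniform flood at the 37022 pps figure from the REUNION log line in the opening post. The TTL, the reply bytes and the socket-free simulation are assumptions for illustration; a deployment would put this decision on the UDP path in front of the game port.

```python
"""A2S_INFO query cache, as an added example (not x4b's A2S Cache code).

Answer A2S_INFO (FF FF FF FF 'T' "Source Engine Query\0") from a cached
S2A_INFO reply for `ttl` seconds, so a query flood costs the game server one
query per TTL instead of one per packet. Anything that is not A2S_INFO is
handed through untouched: A2S_PLAYER/A2S_RULES carry challenges and connect
traffic is per-client state, neither of which can be served from a cache.
"""
import time
from typing import Callable, Optional, Tuple

HEADER = b"\xff\xff\xff\xff"
A2S_INFO_REQUEST = HEADER + b"TSource Engine Query\x00"
S2A_INFO_TYPES = (b"I", b"m")      # 'I' = Source reply, 'm' = old GoldSrc reply


class A2SInfoCache:
    def __init__(self, ttl: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl
        self.clock = clock              # injectable so the model below runs offline
        self.reply: Optional[bytes] = None
        self.fetched_at = float("-inf")
        self.hits = 0                   # answered from cache, never reached the server
        self.upstream = 0               # queries the game server actually had to answer

    def fresh(self) -> bool:
        return self.reply is not None and self.clock() - self.fetched_at < self.ttl

    def decide(self, payload: bytes) -> Tuple[str, Optional[bytes]]:
        """Return ("reply", bytes) to serve from cache, ("refresh", None) to
        query the server and cache its answer, or ("forward", None)."""
        if payload != A2S_INFO_REQUEST:
            return ("forward", None)
        if self.fresh():
            self.hits += 1
            return ("reply", self.reply)
        self.upstream += 1
        return ("refresh", None)

    def store(self, reply: bytes) -> None:
        """Cache only a well-formed S2A_INFO reply; junk from upstream is ignored."""
        if reply.startswith(HEADER) and reply[4:5] in S2A_INFO_TYPES:
            self.reply = reply
            self.fetched_at = self.clock()


def simulate_flood(pps: int, seconds: float, ttl: float) -> Tuple[int, int]:
    """Offline model of a uniform A2S_INFO flood (constructed traffic, no sockets).
    Returns (queries_reaching_server, queries_answered_from_cache)."""
    now = [0.0]
    cache = A2SInfoCache(ttl, clock=lambda: now[0])
    # Constructed stand-in for the server's S2A_INFO reply (GoldSrc 'm' form).
    fake_reply = HEADER + b"m" + b"127.0.0.1:27015\x00my server\x00de_dust2\x00"
    for i in range(int(pps * seconds)):
        now[0] = i / pps
        action, _ = cache.decide(A2S_INFO_REQUEST)
        if action == "refresh":
            cache.store(fake_reply)
    return cache.upstream, cache.hits


if __name__ == "__main__":
    # The flood rate from the REUNION log line in the thread, for ten seconds.
    by_server, by_cache = simulate_flood(37022, 10, ttl=5.0)
    print(f"server answered {by_server}, cache answered {by_cache}")
```

With ttl=5 the game server answers two queries in ten seconds of flood instead of 370,220. Because the server browser measures ping as query round-trip time, a reply from the cache node shows a lower ping than one from the server itself, which is what SplitIce refers to. Since the December 2020 Source update, A2S_INFO may also be answered with a challenge (header byte 'A') instead of S2A_INFO; this model predates that and does not handle it.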
  • amsaal (Member)

    Thanks. How can I contact you and go ahead with this?

  • SplitIce (Member, Host Rep)
    edited July 2020

    @amsaal Once you have your service set up (ordered & configured) and ready for A2S Cache activation, contact me via support ticket to get A2S Cache enabled on your service.

    Please do mention this thread.

    Thanked by 1: amsaal
  • SplitIce (Member, Host Rep)
    edited July 2020

    In light of @amsaal's ticket, let me clarify in case there was any doubt.

    This is not an offer for a free mitigation service.

    It is an offer for free access to a paid addon (A2S Cache) for a very specific purpose (and in passive mode, not active). It requires a service on the Standard or Premium lines. We don't currently have the modules & service deployed on the Budget line servers, so this offer does not extend there.

    Thanked by 3: amsaal, Edmond, pike
  • amsaal (Member)

    The Standard line at 20 USD, is this what I need to activate this feature?

    Thanks.

  • amsaal (Member)

    Would 50 GB of clean traffic be okay for 20 USD?

  • stefeman (Member)
    edited July 2020

    Or just post a tcpdump here and we can see what's in the attack packets and help you block it, lol.

    Check this for specific info on how to capture the attack.

    https://www.lowendtalk.com/discussion/comment/3107906/#Comment_3107906

    Thanked by 1: amsaal
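What "post the tcpdump" lets a reader do, as an added example that is not from the thread or from rehlds: a small Python pcap reader that keeps UDP to the game port, classifies each payload by the connectionless type byte after FF FF FF FF and counts packets per source, so a capture shows both what the flood contains and whether it comes from a few hosts or from spoofed sources. The embedded sample capture is constructed (documentation IPs, 50 spoofed sources, three real clients), and the interface name in the tcpdump command in the docstring is an assumption.

```python
"""Triage a tcpdump capture of a query flood, as an added example (not from the
thread or from rehlds). Reads a classic pcap with Ethernet link type, as
written by `tcpdump -i eth0 -w flood.pcap udp port 27015` (interface name
assumed), keeps UDP to the game port, classifies each payload by its
connectionless header and counts packets per source.
"""
import socket
import struct
from collections import Counter
from typing import Iterator, List, Tuple

HEADER = b"\xff\xff\xff\xff"
# Type byte that follows the FF FF FF FF connectionless header.
A2S_TYPES = {
    0x54: "A2S_INFO", 0x55: "A2S_PLAYER", 0x56: "A2S_RULES",
    0x57: "A2S_SERVERQUERY_GETCHALLENGE", 0x67: "getchallenge (GoldSrc connect)",
}


def classify(payload: bytes) -> str:
    if len(payload) < 5 or not payload.startswith(HEADER):
        return "game-data/other"          # sequenced netchan traffic, not a query
    return A2S_TYPES.get(payload[4], "connectionless 0x%02x" % payload[4])


def udp_payloads(pcap: bytes) -> Iterator[Tuple[str, int, int, bytes]]:
    """Yield (src_ip, sport, dport, payload) for every IPv4/UDP frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond pcap not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled; capture on a real interface, not -i any")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:                                    # not UDP
            continue
        src = socket.inet_ntoa(frame[26:30])
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        yield src, sport, dport, udp[8:ulen]


def triage(pcap: bytes, port: int = 27015) -> Tuple[Counter, Counter]:
    """Count packets to `port` by query type and by source address."""
    by_type: Counter = Counter()
    by_src: Counter = Counter()
    for src, _sport, dport, payload in udp_payloads(pcap):
        if dport != port:
            continue
        by_type[classify(payload)] += 1
        by_src[src] += 1
    return by_type, by_src


def build_pcap(packets: List[Tuple[str, int, str, int, bytes]]) -> bytes:
    """Write a minimal Ethernet/IPv4/UDP pcap so the example runs without a capture."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i & 0xFFFF, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 1594000000, i, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample: 200 A2S_INFO from 50 spoofed sources, three real clients,
# and one packet to another port that must be ignored.
A2S_INFO_REQUEST = HEADER + b"TSource Engine Query\x00"
SAMPLE_PACKETS = [("198.51.100.%d" % (1 + i % 50), 40000 + i, "203.0.113.1", 27015, A2S_INFO_REQUEST)
                  for i in range(200)]
SAMPLE_PACKETS += [
    ("192.0.2.7", 27005, "203.0.113.1", 27015, A2S_INFO_REQUEST),
    ("192.0.2.8", 27005, "203.0.113.1", 27015, HEADER + b"getchallenge steam\n"),
    ("192.0.2.9", 27005, "203.0.113.1", 27015, b"\x12\x00\x00\x00\x09\x00\x00\x00\x01\x02"),
    ("192.0.2.9", 27005, "203.0.113.1", 27016, A2S_INFO_REQUEST),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    by_type, by_src = triage(data)
    print("by type:", by_type.most_common())
    print("distinct sources:", len(by_src), "top:", by_src.most_common(5))
```

Run it as `python3 triage.py flood.pcap` (file name assumed). A flood that is almost all one query type spread thinly over many sources, as in the sample, is the spoofed case SplitIce mentions, where per-source limits do nothing; a flood from a handful of addresses can simply be blocked by source.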
  • amsaal (Member)
    edited July 2020

    deleted

  • stefeman (Member)
    edited July 2020

    @amsaal said:

    @stefeman said:
    Or just post tcpdump here and we can see whats in the attack packets and help you block it lol.

    Check this for specific info how to capture the attack.

    https://www.lowendtalk.com/discussion/comment/3107906/#Comment_3107906

    https://github.com/dreamstalker/rehlds/files/4768974/flood_on_27015.zip

    while under attack.

    # FF FF FF FF 'T' (0x54) = A2S_INFO request, FF FF FF FF 'g' (0x67) = GoldSrc "getchallenge" (first step of a connect).
    # Each pair passes one matching packet per second in total (-m limit is one shared bucket, not per source)
    # and drops everything else that matches.
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -j DROP
    

    You can raise the "--limit-burst" value from 1 if people are still unable to join, but no more than 10 is suggested. In fact I would use the default value "1" for all, since it's usually just enough for people to still be able to join or use the server query when under attack.

    Alternatively, you can just do this if the CPU still goes to 100% with the above rules:

    # No rate-limited ACCEPT at all: every A2S_INFO ('T') and getchallenge ('g') packet is dropped.
    # This keeps the CPU down, but the server no longer answers queries (hidden from browsers/lists)
    # and new clients cannot join, since getchallenge is the first step of a GoldSrc connect.
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -j DROP
    

    Also, make sure you remove the existing rules against this from the INPUT chain, or change the order so that these get executed first; otherwise it will just execute the old rules first against the flood, which would keep the CPU at 100%.

    Thanked by 1: amsaal
  • stefeman (Member)
    edited July 2020

    If you have zero idea what to put in, try these rules as a base. This assumes your SSH port is 22 and that you only run srcds on ports 27015:27030. Do not apply these without editing unless your SSH is on port 22; otherwise you lose SSH access after applying.

    You can save this as ip.sh and run ./ip.sh

    # Flush rules (filter, nat and mangle tables; in raw only the two chains used below)
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F PREROUTING
    iptables -t raw -F OUTPUT
    
    # Set policies first. INPUT drops by default, so every allow below is explicit.
    iptables -P INPUT DROP; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT;
    
    # Allow replies to the SSH session running this script before anything else, so a
    # rule that fails further down (e.g. xt_string missing on OpenVZ) cannot lock you out.
    # All INPUT rules are ACCEPTs, so their order does not change the result.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Disable connection tracking on game server ports: a spoofed UDP flood would
    # otherwise fill the conntrack table, and the game server needs no state.
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -j NOTRACK
    iptables -A OUTPUT -t raw -p udp --sport 27015:27030 -j NOTRACK
    
    # Allow TCP inbound (22 = SSH, 8080 = whatever web panel you run; edit to taste)
    iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,8080 -j ACCEPT
    
    # Drop UDP to the game ports that is implausibly small or large
    # (-m length matches the whole IP packet, headers included)
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m length --length 0:32 -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m length --length 2521:65535 -j DROP
    
    # Drop A2S attack. Note that xt_string searches the whole packet for the bytes, so a
    # normal game packet that happens to contain a signature mid-payload is dropped too.
    # Payload signatures from flood scripts (ASCII where decodable):
    #   545333494e495431 = "TS3INIT1"   5045414345434f525053 = "PEACECORPS"
    #   7065616365636f727073 = "peacecorps"   7a7a7a7a7a = "zzzzz"
    #   0cc47a82476c58ac = opaque bytes taken from a captured flood
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|545333494e495431|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|5045414345434f525053|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|7065616365636f727073|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|0cc47a82476c58ac|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|7a7a7a7a7a|' -j DROP
    # ffffffff49: 'I' is the S2A_INFO *reply* header; inbound it is reflected traffic, not a client query
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff49|' -j DROP
    # Connectionless query headers (FF FF FF FF + type byte):
    #   54 'T' A2S_INFO   55 'U' A2S_PLAYER   56 'V' A2S_RULES
    #   57 'W' A2S_SERVERQUERY_GETCHALLENGE   67 'g' GoldSrc "getchallenge" (connect)
    # Each ACCEPT/DROP pair passes one matching packet per second in total (-m limit is
    # a single global bucket, not per source) and drops the rest, so during a flood
    # legitimate queries are almost always dropped too and the server leaves the lists.
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff55|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff55|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff56|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff56|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff57|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff57|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -j DROP
    # ffffffff73 ('s'), 4a4a4a4a4a ("JJJJJ") and the remaining opaque strings: bytes from captured floods
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff73|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|4a4a4a4a4a|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|4a4a4a4a4a|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|fefea100c7|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|4a28487066|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|52783c8292|' -j DROP
    
    # Allow UDP inbound to the game ports (NOTRACKed above, so the state rule never matches them)
    iptables -A INPUT -p udp --dport 27015:27030 -j ACCEPT
    
    # Allow ICMP
    iptables -A INPUT -p icmp -j ACCEPT
    
    # Allow all localhost
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Persist across reboots (Debian/Ubuntu netfilter-persistent)
    service netfilter-persistent save
    service netfilter-persistent start
    
    Thanked by 2: amsaal, camjac251
  • SplitIce (Member, Host Rep)

    Just an FYI:

    1. Use xt_bpf not xt_string. You will end up blocking random game packets that contain that signature otherwise.
    2. You won't be on server lists during the attack with a rule like that. Query packets will be dropped with no distinction between clean and attack.
    Thanked by 3: stefeman, amsaal, pike
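SplitIce's two points, as an added example that is not code from the thread: a substring match (what xt_string does) beside an offset-0 header match (what an xt_bpf program can express), run over a constructed game packet that happens to carry the A2S_INFO signature in its body, and a token-bucket model of the single shared `-m limit --limit 1/s --limit-burst 1` bucket showing that under a 37022 pps spoofed flood it passes one packet per second and none of the legitimate queries. The game packet bytes and the arrival times are constructed.

```python
"""Two things SplitIce's note points at, as an added example (not from the
thread): (1) xt_string searches the whole packet, so the A2S_INFO signature
FF FF FF FF 'T' also matches inside ordinary game traffic, while a BPF match
pins it to offset 0; (2) `-m limit --limit 1/s --limit-burst 1` is one bucket
shared by every source, so under a spoofed flood it passes one packet per
second, almost always an attacker's. All traffic below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

SIG = b"\xff\xff\xff\xff\x54"            # FF FF FF FF 'T' = A2S_INFO request header


def xt_string_match(payload: bytes, sig: bytes = SIG) -> bool:
    """What `-m string --hex-string` does: substring search anywhere in the packet."""
    return sig in payload


def bpf_style_match(payload: bytes, sig: bytes = SIG) -> bool:
    """What an xt_bpf match can do: require the header at payload offset 0."""
    return payload[: len(sig)] == sig


A2S_INFO_REQUEST = SIG + b"Source Engine Query\x00"
# Constructed sequenced game packet (non-FFFFFFFF sequence and ack numbers first)
# whose body happens to contain the five signature bytes.
GAME_PACKET = b"\x12\x00\x00\x00\x09\x00\x00\x00" + b"\x01\x02" + SIG + b"\x03\x04"


@dataclass
class TokenBucket:
    """Model of xt_limit with --limit 1/s --limit-burst 1: one bucket for all sources."""
    rate: float = 1.0       # tokens per second
    burst: float = 1.0      # bucket size
    tokens: float = 1.0     # starts full, like a freshly inserted rule
    last: float = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(flood_pps: int, legit_times: List[float], seconds: float = 1.0) -> Tuple[int, int]:
    """Interleave a uniform spoofed A2S_INFO flood with a few legitimate queries
    (arrival times in seconds) and count what the ACCEPT-then-DROP rule pair
    passes. Returns (flood_accepted, legit_accepted)."""
    stream = [(i / flood_pps, "flood") for i in range(int(flood_pps * seconds))]
    stream += [(t, "legit") for t in legit_times]
    stream.sort()
    bucket = TokenBucket()
    accepted = {"flood": 0, "legit": 0}
    for t, who in stream:
        if bucket.allow(t):
            accepted[who] += 1
    return accepted["flood"], accepted["legit"]


if __name__ == "__main__":
    print("xt_string on game packet:", xt_string_match(GAME_PACKET))      # False positive
    print("offset-0 match on game packet:", bpf_style_match(GAME_PACKET))  # Correctly no match
    # 37022 pps is the figure from the REUNION log line in the thread.
    print("accepted (flood, legit) at 37022 pps:", simulate(37022, [0.25, 0.5, 0.9]))
    print("accepted (flood, legit) with no flood:", simulate(0, [0.25, 0.5, 0.9]))
```

To get the offset-0 match into iptables, use the `-m bpf --bytecode` match with a program produced by nfbpf_compile from a pcap-style filter such as `udp[8:4] = 0xffffffff and udp[12] = 0x54` (the expression is an assumption here; check it against a capture with tcpdump first). A per-source `hashlimit` instead of `limit` would let real clients through only if the sources are real; with spoofed sources every packet is a new "client", which is why SplitIce says rate limiting cannot keep the server on the lists.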
  • stefeman (Member)
    edited July 2020

    @SplitIce said:
    Just an FYI:

    1. Use xt_bpf not xt_string. You will end up blocking random game packets that contain that signature otherwise.
    2. You won't be on server lists during the attack with a rule like that. Query packets will be dropped with no distinction between clean and attack.

    Sorry for taking your potential customer lol.

    Anyway, the above iptables rules only limit the incoming queries to x amount and then drop the rest.

    Thanked by 1: amsaal
  • amsaal (Member)

    @SplitIce said:
    Just an FYI:

    1. Use xt_bpf not xt_string. You will end up blocking random game packets that contain that signature otherwise.
    2. You won't be on server lists during the attack with a rule like that. Query packets will be dropped with no distinction between clean and attack.

    How do I load this module in OpenVZ?

  • SplitIce (Member, Host Rep)
    edited July 2020

    @stefeman He isn't a customer, nor do I think he will be. Your solution may be the best option for him (budget and know-how).

    @amsaal You can't load modules on OpenVZ; your provider might, but you are really barking up the wrong tree trying to do attack mitigation on OpenVZ (or any paravirtualization). At least get a KVM.

    P.S. I'm surprised OpenVZ is still a thing in 2020.

    Thanked by 1: amsaal
  • If the host is 100up, he's fucked anyway no matter what he does. They give 100Mbps ports by default and are the only OpenVZ host that offers OVH Game that I know of.

    Thanked by 2: SplitIce, amsaal
  • amsaal (Member)

    @stefeman said:
    [quoted base ruleset omitted; see stefeman's post above]

    Bad solution!!

  • amsaal (Member)

    @FAT32 close and lock this thread, I fixed it myself.

  • SCAM_DONT_BUY (Member)
    edited July 2020

    I think the topic can be closed at this point.

    Thanked by 1: amsaal
  • Clouvider (Member, Patron Provider)

    @amsaal said:

    @stefeman said:
    [quoted base ruleset omitted; see stefeman's post above]

    Bad solution!!


    So much appreciation for the community that helped you, you know, for free.

  • amsaal (Member)

    @Clouvider said:

    @amsaal said:

    @stefeman said:
    [quoted base ruleset omitted; see stefeman's post above]

    Bad solution!!

    So much appreciation for the community that helped you, you know, for free.


    Do you agree to lose players while you do this?

    I agree about the support, but I said it is a bad solution.... It does not work; it blocked legitimate traffic, players cannot even see the server, lol.

  • amsaal (Member)

    @SCAM_DONT_BUY said:
    I think the topic can be closed at this point.

    sure :)

  • stefeman (Member)
    edited July 2020

    @amsaal said:

    @Clouvider said:

    @amsaal said:

    @stefeman said:
    If you have zero idea what to put in, try these rules as a base. This assumes you have SSH port on 22 and that you only run srcds on port 27015:27030. Do not apply these without editing unless your SSH is on port 22, otherwise you lose access to the SSH after applying.

    You can save this into ip.sh and run the ./ip.sh

    # Flush rules
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F PREROUTING
    iptables -t raw -F OUTPUT
    
    # List policies first
    iptables -P INPUT DROP; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT;
    
    # Disable connection tracking on game server ports
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -j NOTRACK
    iptables -A OUTPUT -t raw -p udp --sport 27015:27030 -j NOTRACK
    
    # Allow TCP inbound
    iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,8080 -j ACCEPT
    
    # Drop invalid UDP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m length --length 0:32 -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m length --length 2521:65535 -j DROP
    
    # Drop A2S attack
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|545333494e495431|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|5045414345434f525053|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|7065616365636f727073|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|0cc47a82476c58ac|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|7a7a7a7a7a|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff49|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff54|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff55|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff55|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff56|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff56|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff57|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff57|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff67|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|ffffffff73|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|4a4a4a4a4a|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|4a4a4a4a4a|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|fefea100c7|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|4a28487066|' -j DROP
    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|52783c8292|' -j DROP
    
    
    # Allow incoming packets related to outgoing ones.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Allow UDP inbound
    iptables -A INPUT -p udp --dport 27015:27030 -j ACCEPT
    
    # Allow ICMP
    iptables -A INPUT -p icmp -j ACCEPT
    
    # Allow all localhost
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    service netfilter-persistent save
    service netfilter-persistent start
    

    Bad solution!!

    So much appreciation for the community that helped you, you know, for free.

    You agree to lose players while you do this?

    I agree on support, but I said it is a bad solution .... it does not work; it blocked legitimate traffic, players cannot even see the server lol

    It's just an example. You would need to find out the required ports and edit it anyway lol. You could remove all A2S rules except ffffffff54 and ffffffff67 and change the default input policy to accept, for example.

    Thanked by 1amsaal
  • amsaal Member
    edited July 2020

    @stefeman said:


    It's just an example. You would need to find out the required ports and edit it anyway lol.

    The port is 27015 and you're limiting the query, which means players cannot see the server so they won't join, meaning what you sent me does not work. It's a BAD SOLUTION!!

    But I figured it out by taking a capture and blocking; I know it very well too. It was complex attacks which I mitigated already, and my server is up and running.

    Thanks for your support, appreciated.

    Everyone who gave advice, I appreciate it.

  • @amsaal said:

    The port is 27015 and you're limiting the query, which means players cannot see the server so they won't join, meaning what you sent me does not work. It's a BAD SOLUTION!!

    But I figured it out by taking a capture and blocking; I know it very well too. It was complex attacks which I mitigated already, and my server is up and running.

    Thanks for your support, appreciated.

    Everyone who gave advice, I appreciate it.

    You can always raise the burst limits, but whatever. It's a perfectly working solution.

    Glad to hear that you solved it yourself though. Wouldn't hurt to be more humble if you ask for advice here. People would be more inclined to help you next time.
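    The `-m limit` rules in the script share one token bucket across every sender, which is what the argument about players not seeing the server comes down to. The simulation below is an added example, not code from stefeman or anyone else in the thread: it models the iptables `limit` match as the token bucket it is, replays a constructed A2S_INFO flood from spoofed sources mixed with one genuine server browser's queries, and compares that shared bucket with a hashlimit-style per-source bucket (the per-source variant, the 256 pps trace and the browser's query rate are assumptions, not figures from the thread).

```python
from collections import defaultdict

# Public A2S query opcodes: the byte that follows the 0xFFFFFFFF header, i.e.
# what the thread's `--hex-string '|ffffffff54|'`-style rules match on.
A2S_QUERY_NAMES = {0x54: "A2S_INFO", 0x55: "A2S_PLAYER",
                   0x56: "A2S_RULES", 0x57: "A2S_SERVERQUERY_GETCHALLENGE"}

def a2s_query_type(payload):
    """Name of the A2S query in a UDP payload, or None if it is not one."""
    if len(payload) < 5 or payload[:4] != b"\xff\xff\xff\xff":
        return None
    return A2S_QUERY_NAMES.get(payload[4])

class TokenBucket:
    """Model of `-m limit --limit RATE/s --limit-burst BURST` (a token bucket)."""
    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, t):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def build_trace(flood_pps=256, seconds=4, legit_per_sec=2):
    """Constructed trace of (time, source, payload): an A2S_INFO flood from
    spoofed, never-repeating sources plus genuine queries from one browser.
    Timestamps are binary fractions so the bucket arithmetic stays exact."""
    info = b"\xff\xff\xff\xffTSource Engine Query\x00"
    trace = [(i / flood_pps, f"spoofed-{i}", info)
             for i in range(flood_pps * seconds)]
    trace += [(k / legit_per_sec + 1 / 512, "browser", info)
              for k in range(legit_per_sec * seconds)]
    return sorted(trace, key=lambda p: p[0])

def simulate(trace, rate, burst, per_source=False):
    """Count accepted A2S_INFO packets. per_source=False is the thread's
    `-m limit` (one bucket shared by every sender); per_source=True models a
    hashlimit-style bucket per source address (an assumption, not the thread's)."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = {"legit_ok": 0, "legit_total": 0, "flood_ok": 0}
    for t, src, payload in trace:
        if a2s_query_type(payload) != "A2S_INFO":
            continue
        ok = buckets[src if per_source else "*"].allow(t)
        if src == "browser":
            counts["legit_total"] += 1
            counts["legit_ok"] += ok
        else:
            counts["flood_ok"] += ok
    return counts

if __name__ == "__main__":
    trace = build_trace()
    # Shared bucket: the flood keeps it drained, so the genuine browser never gets through.
    print("global  1/s burst 1:", simulate(trace, 1, 1))
    # Per-source bucket: the browser is fine, but every spoofed source counts as "new".
    print("per-src 1/s burst 1:", simulate(trace, 1, 1, per_source=True))
    print("per-src 2/s burst 2:", simulate(trace, 2, 2, per_source=True))
```

    Raising the burst on the shared bucket only helps while the flood stays below the refill rate; the per-source variant lets the browser through but admits every spoofed source in full, which is the trade-off the thread is arguing about.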

  • amsaal Member

    @stefeman said:

    You can always raise the burst limits, but whatever. It's a perfectly working solution.

    Glad to hear that you solved it yourself though. Wouldn't hurt to be more humble if you ask for advice here. People would be more inclined to help you next time.

    Yes sure. I was frustrated by these attacks and did not want to hurt anyone with my comments.

    Thanks for your advice <3

  • amsaal,
    I have a VPS from OVH with 2 G/s and I receive DDoS with 86 mb/s and I need your help.
    Tell me how you fixed your CS 1.6 server.
    Thanks in advance.

  • desperand Member
    edited January 2021

    @ady_2324 said: I have a VPS from OVH with 2 G/s and I receive DDoS with 86 mb/s and I need your help.
    Tell me how you fixed your CS 1.6 server.
    Thanks in advance.

    What VPS do you have?
    What location? (rbx, bhs, where?) (maybe there are better alternatives to OVH in such locations)
    Where did you purchase the VPS?
    Does the VPS have Anti-DDoS Game or not?
    Who is your key audience?
    Is the game server new or old?
    If you change your IP, will you lose all of your players?
    What operating system do you use?
    How did you identify that you consume up to 86mbit/s under attack?
    Have you tried to make a tcpdump of the attack and report the attack to OVH?
    Does the DDoS attack come from one IP, or from a botnet (many IPs)?
    If the attack comes from one IP, have you tried to block just this IP in the OVH firewall?

    There are a lot of questions. DDoS protection is not a simple thing that everyone can organize for themselves; that's why there is a market that offers DDoS protection solutions.

    Thanked by 1kalimov622
  • @ady_2324 said:
    amsaal,
    I have a VPS from OVH with 2 G/s and I receive DDoS with 86 mb/s and I need your help.
    Tell me how you fixed your CS 1.6 server.
    Thanks in advance.

    Ask your provider for a fix. Better that than you applying it on the VPS and making it laggy.
